SSL 证书自动续期

Step 1：安装 Certbot

apt install certbot python3-certbot-nginx

Step 2：申请证书

certbot --nginx -d example.com -d www.example.com

Step 3：自动续期

Certbot 安装时已自动创建 cron/systemd timer，验证：

systemctl list-timers | grep certbot
certbot renew --dry-run

Step 4：Nginx 安全配置

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # 安全配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
}

Step 5：监控

# 检查证书到期日
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates

设置 Agent 定时检查，到期前 30 天自动续期并通知。

SSL 证书自动续期

Step 1：安装 Certbot

apt install certbot python3-certbot-nginx

Step 2：申请证书

certbot --nginx -d example.com -d www.example.com

Step 3：自动续期

Certbot 安装时已自动创建 cron/systemd timer，验证：

systemctl list-timers | grep certbot
certbot renew --dry-run

Step 4：Nginx 安全配置

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # 安全配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
}

Step 5：监控

# 检查证书到期日
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates

设置 Agent 定时检查，到期前 30 天自动续期并通知。