Let's Encrypt! The free SSL/TLS certificates issued by Let's Encrypt (and likewise by Google Trust Services) are valid for only three months (90 days), but they can be renewed automatically without limit.
First attempt
# certbot --nginx -d bpm.acme.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): john@acme.com

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: Y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for bpm.acme.com

Certbot proves ownership of the domain with the HTTP-01 challenge: the CA requests a random token file at a URL under /.well-known/acme-challenge/ and the server named in DNS has to answer it. That is where this run fails:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: bpm.acme.com
  Type:   unauthorized
  Detail: 2606:4700:3035::ac43:87ac: Invalid response from http://bpm.acme.com/.well-known/acme-challenge/OXiyYiuiVeO01-E2Rh1JlhjlzNru_ZLxgsO7yiKBHCE: 521

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The HTTP 521 comes from Cloudflare, not from nginx: bpm.acme.com does not resolve to the origin server but to a Cloudflare edge node (the 2606:4700::/32 address in the error detail belongs to Cloudflare), and the edge could not get a response from the origin web server when it tried to fetch the challenge file. Log in to the Cloudflare dashboard, edit the A record for bpm, and turn off the automatic proxy (DNS only, grey cloud), then wait for the record to propagate (check with dig) before retrying. Note what this trades away: the origin IP is now visible in public DNS. If the record has to stay proxied, the alternative is the DNS-01 challenge through the certbot-dns-cloudflare plugin with a narrowly scoped API token, which needs no inbound HTTP at all. Before retrying, confirm that the nginx configuration certbot rolled back is still valid, and reload:
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# systemctl reload nginx
Second attempt
# certbot --nginx -d bpm.acme.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for bpm.acme.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bpm.acme.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/bpm.acme.com/privkey.pem
This certificate expires on 2025-11-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for bpm.acme.com to /etc/nginx/conf.d/bpm.conf
Congratulations! You have successfully enabled HTTPS on https://bpm.acme.com

If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
The nice thing about this tool is that it also writes the certificate directives (ssl_certificate and ssl_certificate_key pointing at the live/ paths) into the nginx configuration for you. The live/ entries are symlinks into /etc/letsencrypt/archive/, where certbot keeps privkey.pem readable by root only; nginx reads the key as root before dropping privileges, so there is no reason to loosen those permissions.
Verify from a Windows command prompt (note 2>nul: the null device is nul, and 2>null would create a file named null in the current directory; < nul closes stdin so s_client exits after the handshake):
openssl s_client -connect bpm.acme.com:443 -servername bpm.acme.com < nul 2>nul | openssl x509 -noout -enddate
The Linux equivalent:
openssl s_client -connect bpm.acme.com:443 -servername bpm.acme.com </dev/null 2>/dev/null | openssl x509 -noout -enddate
notAfter=Nov  2 02:39:26 2025 GMT
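Two checks from this write-up are worth having as reusable functions: detecting a Cloudflare-proxied record before running certbot (the 521 failure above), and turning the notAfter line from openssl into a days-remaining figure that can feed a monitor. The script below is an added example, not code from the original post or from certbot. It assumes GNU coreutils date (Linux); the live functions additionally assume dig and openssl on the path. The Cloudflare IPv6 prefix 2606:4700::/32 is the one seen in the error detail (the complete, current list is at https://www.cloudflare.com/ips/); the issuance date 2025-08-04 used for the offline demonstration is a hypothetical reference date, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU `date`; the
# offline demonstration at the bottom uses constructed input only.

# Cloudflare's IPv6 prefix 2606:4700::/32, the one in the certbot error detail.
# Only this prefix is checked here; see https://www.cloudflare.com/ips/ for the
# full list (IPv4 ranges included).
is_cloudflare_v6() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        2606:4700:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live preflight (needs network and `dig`): resolve every AAAA record for a
# host and fail if any of them is a Cloudflare edge, so an HTTP-01 attempt is
# not wasted on a proxied record.
cf_proxy_preflight() {
    for addr in $(dig +short AAAA "$1"); do
        if is_cloudflare_v6 "$addr"; then
            echo "$1 AAAA $addr is a Cloudflare edge: HTTP-01 would reach the proxy, not this origin" >&2
            return 1
        fi
    done
    return 0
}

# Whole days remaining on a certificate, given an `openssl x509 -noout -enddate`
# line such as "notAfter=Nov  2 02:39:26 2025 GMT". $2 is the reference time
# (any string GNU date accepts); it defaults to now. Truncates toward zero.
days_left() {
    not_after=$(printf '%s' "$1" | sed 's/^notAfter=//')
    exp=$(date -u -d "$not_after" +%s) || return 2
    now=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# certbot's scheduled renewal acts once fewer than 30 days remain. Exit 0 when
# the certificate is inside that window (or already expired), 1 otherwise.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt 30 ]
}

# Live variant (needs network): fetch the notAfter line from a server.
# </dev/null closes stdin so s_client exits after the handshake; -servername
# sets SNI explicitly rather than relying on the default.
remote_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Offline demonstration on constructed input: the notAfter value from this post
# and a hypothetical reference date of 2025-08-04 (90 days before expiry).
sample='notAfter=Nov  2 02:39:26 2025 GMT'
echo "days left on 2025-08-04: $(days_left "$sample" 2025-08-04)"
is_cloudflare_v6 2606:4700:3035::ac43:87ac && echo "2606:4700:3035::ac43:87ac is a Cloudflare address"
```

In use: run cf_proxy_preflight bpm.acme.com before certbot --nginx, and wire needs_renewal "$(remote_not_after bpm.acme.com)" into a cron job or monitoring check as an independent confirmation that certbot's own timer is actually renewing.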