Using free certificates with Nginx

Issuing a certificate with certbot on Rocky 8 and renewing it automatically; this tutorial uses DNS validation.

1. Installation

# 1. Install the EPEL repo
sudo dnf install epel-release -y
# 2. Install snapd
sudo dnf install snapd -y
# 3. Enable and start the snapd socket
sudo systemctl enable --now snapd.socket
# 4. Create the /snap symlink (needed for classic snap support)
sudo ln -s /var/lib/snapd/snap /snap
# 5. Install the core snap (snapd base environment)
sudo snap install core
# 6. Install Certbot itself
sudo snap install --classic certbot
# 7. Put the certbot command in $PATH
sudo ln -sf /snap/bin/certbot /usr/bin/certbot
# 8. Let the certbot snap trust plugin snaps, then install the Alibaba Cloud DNS plugin
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-aliyun

2. Configuration

2.1 Configure nginx

First confirm your nginx configuration:

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /usr/share/nginx/html;

    # A server block with "ssl" must name a certificate, otherwise nginx -t fails;
    # these are the paths certbot writes for the domain (see 2.3)
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only needed for HTTP-01 validation; harmless with the DNS validation used here
    location ~ /.well-known/acme-challenge {
        allow all;
    }
}

2.2 Configure Alibaba Cloud

Open the RAM console in Alibaba Cloud and create a user:
- User name: for example certbot-user
- Login method: select AccessKey access
- Generate an AccessKey: tick "Create AccessKey" (it will be used by Certbot later); copy the new user's key ID and secret and store them safely.

Assign permissions: click the user → Permissions → Add Permissions, then choose a policy:
- AliyunDNSFullAccess (a system policy provided by Alibaba Cloud that allows managing DNS)
- A custom policy (recommended, as it is more restrictive): click Create Policy → choose custom permissions. Example policy (only allows managing the DNS records of the specified domain):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alidns:DescribeDomainRecords",
        "alidns:AddDomainRecord",
        "alidns:UpdateDomainRecord",
        "alidns:DeleteDomainRecord"
      ],
      "Resource": [
        "acs:alidns:*:*:domain/yourdomain.com"
      ]
    }
  ]
}

Replace yourdomain.com with your main domain. After saving the policy, attach it to the RAM user you just created. Then run the following on the server:

sudo mkdir -p /root/.secrets/certbot
# Write the credentials file; replace the placeholders with the RAM user's AccessKey ID and secret
sudo tee /root/.secrets/certbot/alidns.ini > /dev/null <<'EOF'
dns_aliyun_access_key = YOUR_ACCESS_KEY_ID
dns_aliyun_access_key_secret = YOUR_ACCESS_KEY_SECRET
EOF
# Only root may read the file: this key can modify the domain's DNS records
sudo chmod 600 /root/.secrets/certbot/alidns.ini
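The AccessKey in alidns.ini can rewrite every DNS record of the domain, so it is worth checking the file before the first certbot run. The script below is an added example and not part of the original post: it refuses a credentials file that is readable by group or other, or that lacks a value for either of the two option names the dns-aliyun plugin reads. The path and option names are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the Aliyun
# credentials file before handing it to certbot.
# Usage: check_alidns_ini /root/.secrets/certbot/alidns.ini

check_alidns_ini() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # Group/other permission bits (characters 5-10 of `ls -l`) must all be '-',
    # i.e. the file is mode 600 (or stricter).
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing: $f is readable by group/other (chmod 600 it)" >&2
        return 1
    fi
    # Both option names must be present with a non-empty value.
    for key in dns_aliyun_access_key dns_aliyun_access_key_secret; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$f"; then
            echo "refusing: $f has no value for $key" >&2
            return 1
        fi
    done
    echo "ok: $f"
}
```

Run it as root (the file is only readable by root after the chmod above); a non-zero exit means certbot would either fail to read the file or would be reading a secret that other local users can read too.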

If the installed plugin does not run, install it with pip instead:

sudo pip3 install certbot-dns-aliyun
# or, via the Alibaba Cloud PyPI mirror
sudo pip3 install certbot-dns-aliyun -i https://mirrors.aliyun.com/pypi/simple/

2.3 Request the certificate

DOMAIN="your_domain.com"
EMAIL="your_email@example.com"
CREDENTIALS_PATH="/root/.secrets/certbot/alidns.ini"

# No whitespace may follow the trailing backslashes, or the command ends there;
# the wildcard name is quoted so the shell does not expand it
sudo certbot certonly \
  -a dns-aliyun \
  --dns-aliyun-credentials "$CREDENTIALS_PATH" \
  -d "$DOMAIN" \
  -d "*.$DOMAIN" \
  --agree-tos \
  --non-interactive \
  --email "$EMAIL" \
  --preferred-challenges dns

If all goes well, output like the following is returned:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for testapi.hunghom.cn
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/testapi.hunghom.cn/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/testapi.hunghom.cn/privkey.pem
This certificate expires on 2025-12-01.
These files will be updated when the certificate renews.

Copy the SSL certificate paths into the corresponding nginx configuration, reload nginx and check that it serves correctly. Prefer requesting a certificate for the root domain (covering its subdomains) rather than one per subdomain, to conserve certificate resources.
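Before reloading nginx it is worth confirming that the two files certbot printed belong together and that the certificate is not already close to expiry. The script below is an added example and not from the original post; it assumes the openssl command-line tool is installed and takes the /etc/letsencrypt/live/<domain> directory shown in the output above.

```shell
#!/bin/sh
# Added example (not from the original post): verify what certbot wrote
# before pointing nginx at it. Assumes the openssl CLI is installed.

# Return 0 if the certificate's public key matches the private key.
# fullchain.pem starts with the leaf certificate, which is all `openssl x509` reads.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid for at least DAYS more days.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Combined check for a live directory, e.g. before `systemctl reload nginx`:
#   check_live_cert /etc/letsencrypt/live/example.com
check_live_cert() {
    live_dir="$1"
    cert="$live_dir/fullchain.pem"; key="$live_dir/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing files in $live_dir" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    # Certbot renews 30 days before expiry; less than that left means renewal is not happening.
    cert_valid_for_days "$cert" 30 || { echo "expires within 30 days: renewal is not running" >&2; return 1; }
    echo "ok: $(openssl x509 -in "$cert" -noout -enddate)"
}
```

A mismatch between the two files is the usual cause of nginx refusing to reload after a certificate was copied by hand; running this check first turns that into a clear message instead of a failed reload.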

3. Automatic renewal

3.1 Configuration

sudo nano /etc/letsencrypt/renewal/your_domain.com.conf

The file looks like this:

version = 1.22.0
archive_dir = /etc/letsencrypt/archive/test.hunghom.cn
cert = /etc/letsencrypt/live/test.hunghom.cn/cert.pem
privkey = /etc/letsencrypt/live/test.hunghom.cn/privkey.pem
chain = /etc/letsencrypt/live/test.hunghom.cn/chain.pem
fullchain = /etc/letsencrypt/live/test.hunghom.cn/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 86072b438d030629bf59ad0b03b09860
authenticator = dns-aliyun
dns_aliyun_credentials = /root/.secrets/certbot/alidns.ini
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = systemctl reload nginx
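What matters in this file for unattended renewal is that the authenticator, the credentials path and the post_hook are all present: a missing or unreadable credentials file makes the non-interactive renewal fail, and without a post_hook nginx keeps serving the old certificate after it has been renewed. The check below is an added example, not from the original post or from certbot itself; it reads those three keys from a renewal .conf using the plain key = value layout shown above and reports which of them would break renewal.

```shell
#!/bin/sh
# Added example (not from the original post): flag settings in a certbot
# renewal .conf that would make unattended renewal fail or leave nginx
# serving a stale certificate.
# Usage: check_renewal_conf /etc/letsencrypt/renewal/your_domain.com.conf

conf_get() {       # conf_get FILE KEY -> prints the value of KEY (first match)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

check_renewal_conf() {
    conf="$1"
    rc=0
    auth=$(conf_get "$conf" authenticator)
    creds=$(conf_get "$conf" dns_aliyun_credentials)
    hook=$(conf_get "$conf" post_hook)
    if [ "$auth" != "dns-aliyun" ]; then
        echo "authenticator is '$auth', expected dns-aliyun" >&2; rc=1
    fi
    if [ -z "$creds" ]; then
        echo "dns_aliyun_credentials not set: non-interactive renewal will fail" >&2; rc=1
    elif [ ! -r "$creds" ]; then
        echo "credentials file $creds is missing or unreadable" >&2; rc=1
    fi
    # Without a post_hook nginx keeps the old certificate in memory until someone reloads it.
    if [ -z "$hook" ]; then
        echo "post_hook not set: add 'post_hook = systemctl reload nginx'" >&2; rc=1
    fi
    return $rc
}
```

Run it as root so that the readability test on the credentials file reflects what certbot's timer will see; it complements `certbot renew --dry-run`, which exercises the ACME side but does not tell you that the post_hook is absent.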

3.2 Test

sudo certbot renew --dry-run

Under normal conditions the output is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.hunghom.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for test.hunghom.cn
Waiting 30 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/testapi.hunghom.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for testapi.hunghom.cn
Waiting 30 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/test.hunghom.cn/fullchain.pem (success)
  /etc/letsencrypt/live/testapi.hunghom.cn/fullchain.pem (success)

3.3 Enable the renewal timer

# The snap-installed certbot ships its timer as snap.certbot.renew.timer;
# `systemctl list-timers` shows which unit name exists on this host
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer