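Hi everyone, your half-baked ops guy is back.
A website that had been working fine was suddenly reported as insecure. I opened it, and sure enough, the browser flagged it as not secure.
The error shown was NET::ERR_CERT_DATE_INVALID, which means the current date falls outside the certificate's validity period.

I quickly logged in to the server to see what was going on.
It turned out the site is served by nginx.
I ran nginx -t to check the configuration.
Then I looked at /etc/nginx/nginx.conf and found nothing relevant. On a closer look, the site configuration is pulled in through include /etc/nginx/conf.d/*.conf;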
server {
    # Plain HTTP: redirect everything to HTTPS
    listen 80;
    listen [::]:80;
    server_name sub.xxx.com;
    location / {
        return 301 https://sub.xxx.com$request_uri;
    }
    access_log /data/logs/www.log main;
    error_log /data/logs/www_error.log error;
}
server {
    listen 443 ssl http2;
    server_name sub.xxx.com;
    index index.php index.html;
    root /data/wwwroot/xxxxxx;
    location / {
        rewrite ^/$ /index.php last;
        if (!-e $request_filename) {
            rewrite "^/(.*)$" /index.php/$1 last;
        }
    }
    # Hand PHP requests to the FastCGI backend
    location ~ ^(.+\.php)(.*)$ {
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 12h;
        access_log off;
    }
    location /_log {
        autoindex on;
        autoindex_localtime on;
    }
    access_log /data/logs/www.log main;
    error_log /data/logs/www_error.log error;
    # The certificate paths under /etc/letsencrypt/live show where the certificate comes from
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/sub.xxx.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.xxx.com/privkey.pem; # managed by Certbot
}
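So the site uses a free Let’s Encrypt SSL certificate. The one inconvenience with these certificates is that they expire after 90 days. Evidently 90 days had passed since the last renewal, so the certificate had expired.
With the cause found, the fix is easy: renew the certificate and be done with it.
It turned out the previous ops person had used certbot, which makes it even simpler.
# certbot certificates
Sure enough, the corresponding certificates are listed.
So I used certbot renew to renew the certificates, and it completed successfully.
If the renewal does not succeed, you need to stop nginx first (systemctl stop nginx.service).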
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/sub.xxx.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sub.xxx.com
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/sub.xxx.com/fullchain.pem
Processing /etc/letsencrypt/renewal/xxx.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.com
Waiting for verification…
Cleaning up challenges
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/xxx.com/fullchain.pem
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/sub.xxx.com/fullchain.pem (success)
/etc/letsencrypt/live/xxx.com/fullchain.pem (success)
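
The outage above was only noticed once browsers started rejecting the certificate. The following check is an added example, not part of the original post or of certbot: it reports how many days each certificate under /etc/letsencrypt/live has left so that a cron job can alert before expiry. The function names and the 30-day WARN_DAYS threshold are assumptions made for this example, and it relies on the openssl command-line tool being installed.

```python
"""Added example: warn before certificates under /etc/letsencrypt/live expire."""
import glob
import ssl
import subprocess
import sys
import time

WARN_DAYS = 30  # assumption: alert threshold chosen for this example


def days_left(enddate_line, now=None):
    """Whole days until expiry, from 'notAfter=Jan  5 09:34:43 2018 GMT'."""
    not_after = enddate_line.strip().split("=", 1)[1]
    expires = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    now = time.time() if now is None else now
    return int((expires - now) // 86400)  # negative once the cert has expired


def classify(days, warn_days=WARN_DAYS):
    """Map remaining days to a status a cron job or monitor can act on."""
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def read_enddate(pem_path):
    """Ask the openssl CLI for notAfter of the first (leaf) cert in the file."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", pem_path],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def main(pattern="/etc/letsencrypt/live/*/fullchain.pem"):
    worst = 0
    for path in sorted(glob.glob(pattern)):  # run as root: live/ is root-only
        days = days_left(read_enddate(path))
        status = classify(days)
        print(f"{status:8} {days:5d} days  {path}")
        worst = max(worst, {"OK": 0, "WARN": 1, "EXPIRED": 2}[status])
    return worst  # non-zero exit status lets cron or a monitor raise an alert


if __name__ == "__main__":
    sys.exit(main())
```

Run daily from cron, the script exits with 1 while a certificate is inside the warning window and 2 once one has expired, so a failed automatic renewal shows up before visitors see NET::ERR_CERT_DATE_INVALID.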
Reference: https://www.liaosam.com/use-cron-service-and-certbot-for-renewal-of-letsencrypt-ssl-certificates.html