HTTP/3 requirements:
--with-http_v2_module
--with-http_v3_module
--with-http_ssl_module
Alt-Svc response header
Related files:
/etc/nginx/nginx.conf
/etc/nginx/conf.d/vi.starbugs.net.conf
/var/www/vi.starbugs.net
/etc/letsencrypt/live/vi.starbugs.net/
/etc/letsencrypt/renewal/vi.starbugs.net.conf
/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
/etc/nginx/conf.d/default.conf.disabled
server {
    listen 80;
    server_name vi.starbugs.net;
    location /.well-known/acme-challenge/ {
        root /var/www/vi.starbugs.net;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http2 on;
    http3 on;
    server_name vi.starbugs.net;
    root /var/www/vi.starbugs.net;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/vi.starbugs.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vi.starbugs.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Alt-Svc 'h3=":443"; ma=86400' always;
    add_header QUIC-Status $http3 always;
    location / {
        try_files $uri $uri/ =404;
    }
}
After certbot is installed, a systemd timer is created and the system runs the certificate renewal check periodically.
Check the timer status:
systemctl status certbot.timer --no-pager
systemctl list-timers certbot.timer --no-pager
Certificate renewal configuration file:
/etc/letsencrypt/renewal/vi.starbugs.net.conf
Renewal currently uses the webroot method; the validation directory is:
/var/www/vi.starbugs.net/.well-known/acme-challenge/
The nginx port 80 configuration keeps the ACME validation path:
location /.well-known/acme-challenge/ {
    root /var/www/vi.starbugs.net;
}
Hook that reloads nginx automatically after a successful renewal:
/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Hook contents:
#!/bin/sh
systemctl reload nginx
Permissions:
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Manually test the renewal flow:
certbot renew --dry-run
Manually force a renewal check:
certbot renew
Manually renew the certificate for a specific domain:
certbot certonly --webroot -w /var/www/vi.starbugs.net -d vi.starbugs.net
After a successful renewal the certificate paths remain unchanged:
/etc/letsencrypt/live/vi.starbugs.net/fullchain.pem
/etc/letsencrypt/live/vi.starbugs.net/privkey.pem
If renewal fails, check:
whether vi.starbugs.net still resolves to this server
whether /.well-known/acme-challenge/ is not being redirected or intercepted
/var/log/letsencrypt/letsencrypt.log
/var/log/nginx/error.log
Verification commands:
nginx -v
nginx -V
nginx -t
systemctl status nginx --no-pager
systemctl status certbot.timer --no-pager
systemctl list-timers certbot.timer --no-pager
ss -ltnup
curl --noproxy '*' -I --http2 --resolve vi.starbugs.net:443:127.0.0.1 https://vi.starbugs.net
certbot renew --dry-run
Expected results:
nginx -t: success
HTTP/2 200
alt-svc: h3=":443"; ma=86400
HTTP/3 uses UDP 443; it must be allowed in the cloud server security group and in the system firewall:
The official nginx mainline repository currently provides 1.31.1, not 1.30; that version already includes HTTP/2 and HTTP/3 support.
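The verification list above turned into reusable shell functions, as an added example that is not part of the original notes: each function reads the output of the named command (ss -ltnup, the curl -I HTTP/2 check, and a curl -sI probe of the ACME path on port 80) and returns non-zero when the deployment does not match the expected results. The captured outputs at the bottom are constructed samples, not real output from vi.starbugs.net.

```shell
#!/bin/sh
# Added check helpers for the deployment above (not from the original notes).
# Each function reads the named command's output on stdin, so it works on live
# output (e.g. `ss -ltnup | check_listeners`) or on a saved capture.

# Both listeners from the 443 server block must exist: tcp/443 (ssl, HTTP/2)
# and udp/443 (quic, HTTP/3). Input: output of `ss -ltnup`.
check_listeners() {
  out=$(cat)
  printf '%s\n' "$out" | grep -Eq '^tcp[[:space:]]+LISTEN[[:space:]].*:443[[:space:]]' || return 1
  printf '%s\n' "$out" | grep -Eq '^udp[[:space:]]+UNCONN[[:space:]].*:443[[:space:]]' || return 1
}

# The TLS endpoint must answer over HTTP/2 and advertise HTTP/3 via Alt-Svc.
# Input: output of the `curl -I --http2 ...` command from the check list.
check_h3_advertised() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^HTTP/2 200' || return 1
  printf '%s\n' "$out" | grep -Eiq '^alt-svc: .*h3=":443"' || return 1
}

# The ACME path on port 80 must not be redirected or blocked, or webroot
# renewal fails. A 404 for a probe token is fine; 301/302/403 is not.
# Input: output of `curl -sI http://vi.starbugs.net/.well-known/acme-challenge/probe`
check_acme_path() {
  read -r first || return 1
  case "$first" in
    HTTP/1.[01]" 200"*|HTTP/1.[01]" 404"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample captures (not real server output) for a dry run.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1234,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1234,fd=7))
udp   UNCONN 0      0            0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1234,fd=8))'
SAMPLE_H2='HTTP/2 200
server: nginx
alt-svc: h3=":443"; ma=86400'
SAMPLE_ACME='HTTP/1.1 404 Not Found
Server: nginx'

# Run all three checks against the constructed samples; exit status 0 = all pass.
self_test() {
  printf '%s\n' "$SAMPLE_SS" | check_listeners &&
  printf '%s\n' "$SAMPLE_H2" | check_h3_advertised &&
  printf '%s\n' "$SAMPLE_ACME" | check_acme_path
}
```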