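#!/bin/bash
# Request one Let's Encrypt certificate per domain (HTTP-01 / webroot
# validation), copy the files into the nginx SSL directory and install a
# daily renewal cron job plus a certbot deploy hook that keeps the copies fresh.
#
# Requirements: docker, certbot and nslookup on PATH; write access to
# SSL_BASE_DIR, /etc/letsencrypt and the user's crontab.
set -euo pipefail

echo "========================================="
echo "方案B: 单独域名SSL证书申请 (HTTP验证)"
echo "========================================="
echo "说明: 使用Let's Encrypt HTTP验证方式"
echo "优点: 无需API密钥,配置简单"
echo "缺点: 需要为每个域名单独申请证书"
echo ""

readonly NGINX_CONTAINER="novalon-nginx"
readonly EMAIL="ops@novalon.cn"
readonly SSL_BASE_DIR="/home/novalon/docker-app/novalon-nginx/ssl"
readonly WEBROOT="/var/www/certbot"
# Address the domains are expected to resolve to (warning only if they don't).
readonly EXPECTED_IP="139.155.109.62"
# certbot runs every executable in this standard directory after a successful
# renewal; the file name itself is chosen here and may be changed.
readonly DEPLOY_HOOK="/etc/letsencrypt/renewal-hooks/deploy/${NGINX_CONTAINER}-copy-certs.sh"
readonly DOMAINS=(
  "git.f.novalon.cn"
  "ci.f.novalon.cn"
  "registry.f.novalon.cn"
)

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Copy fullchain.pem / privkey.pem of one domain into SSL_BASE_DIR.
# Uses install(1) so the final mode is set when the file is created; a plain
# cp followed by chmod leaves the private key briefly readable under a
# permissive umask.
# Arguments: $1 - domain name (certbot lineage name)
#######################################
install_cert_files() {
  local domain=$1
  local live="/etc/letsencrypt/live/${domain}"
  local dest="${SSL_BASE_DIR}/${domain}"
  mkdir -p -- "$dest"
  install -m 644 -- "${live}/fullchain.pem" "${dest}/fullchain.pem"
  install -m 600 -- "${live}/privkey.pem" "${dest}/privkey.pem"
}

echo "前置条件检查:"
echo "1. 确保Nginx容器正在运行"
# Exact name match: a substring grep on `docker ps` would also accept any
# other container whose name contains the string.
if ! docker ps --format '{{.Names}}' | grep -qx -- "$NGINX_CONTAINER"; then
  echo "错误: Nginx容器未运行"
  exit 1
fi

echo "2. 确保DNS解析已配置"
for domain in "${DOMAINS[@]}"; do
  echo "检查 ${domain}..."
  if ! nslookup "$domain" | grep -qF -- "$EXPECTED_IP"; then
    echo "警告: ${domain} DNS解析未生效"
  fi
done
echo ""

echo "步骤1: 创建certbot验证目录..."
mkdir -p -- "$WEBROOT"
docker exec "$NGINX_CONTAINER" mkdir -p "$WEBROOT"
echo ""

echo "步骤2: 确保Nginx配置包含ACME验证路径..."
# Manual step: nginx must serve ${WEBROOT} under /.well-known/acme-challenge/
# over plain HTTP for every domain, or certbot's webroot validation fails.
echo "检查Nginx配置..."
echo ""

echo "步骤3: 为每个域名申请证书..."
for domain in "${DOMAINS[@]}"; do
  echo ""
  echo "申请证书: ${domain}"
  # certbot failing aborts the script (set -e), so a half-configured domain
  # never reaches the copy step.
  certbot certonly \
    --webroot \
    --webroot-path "$WEBROOT" \
    --email "$EMAIL" \
    --agree-tos \
    --no-eff-email \
    -d "$domain"

  echo "复制证书到nginx SSL目录..."
  install_cert_files "$domain"
  echo "✓ ${domain} 证书申请成功"
done
echo ""

echo "步骤4: 设置自动续期..."
# Renewal writes new files under /etc/letsencrypt/live only; without this hook
# the copies in SSL_BASE_DIR would stay at the original (eventually expired)
# certificate even though cron restarts nginx. certbot exports
# RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.
install -d -m 755 -- "${DEPLOY_HOOK%/*}"
cat > "$DEPLOY_HOOK" <<EOF
#!/bin/bash
# Generated by the certificate request script: copy the files of the lineage
# certbot just renewed into the nginx SSL directory.
set -euo pipefail
domain=\${RENEWED_LINEAGE##*/}
dest="${SSL_BASE_DIR}/\${domain}"
mkdir -p -- "\$dest"
install -m 644 -- "\${RENEWED_LINEAGE}/fullchain.pem" "\${dest}/fullchain.pem"
install -m 600 -- "\${RENEWED_LINEAGE}/privkey.pem" "\${dest}/privkey.pem"
EOF
chmod 755 -- "$DEPLOY_HOOK"

# `grep -v` exits 1 when nothing is left (empty or renew-only crontab); with
# errexit inherited by the grouping that would skip the echo and install an
# empty crontab, hence the explicit `|| true`.
{
  crontab -l 2>/dev/null | grep -v "certbot renew" || true
  echo "0 3 * * * certbot renew --quiet --post-hook 'docker restart novalon-nginx' >> /var/log/certbot-renew.log 2>&1"
} | crontab -
echo ""

echo "========================================="
echo "证书申请完成!"
echo "========================================="
echo ""
echo "证书路径:"
for domain in "${DOMAINS[@]}"; do
  echo " ${domain}:"
  echo " - ${SSL_BASE_DIR}/${domain}/fullchain.pem"
  echo " - ${SSL_BASE_DIR}/${domain}/privkey.pem"
done
echo ""
echo "容器内路径: /etc/nginx/ssl/{domain}/"
echo "有效期: 90天"
echo "自动续期: 每天凌晨3点检查"
echo ""
echo "下一步: 更新Nginx配置并重启容器"
echo "========================================="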