Let's Encrypt, a public project that issues free SSL certificates, is steadily being adopted and spread by a wide user base. It was launched by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, with the main goal of pushing websites through the transition from HTTP to HTTPS, and more and more vendors are now joining and sponsoring it.
For personal sites, or sites with ordinary requirements, a free Let's Encrypt certificate is a good fit, and installation is simple.
Main steps:
1 Install the environment
2 Request a certificate
3 Configure nginx
4 Renew the certificate regularly
1 Install the environment
yum -y install git python
cd /Data/apps/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
Normally, if that last command runs without an error, the setup is fine.
2 Request a certificate
First, create a directory under your site's web root that the CA will use to check authorization; then request the certificate directly from the command line.
mkdir -p /Data/webapps/www.aslibra.com/.well-known/acme-challenge
Configure nginx so that this directory is reachable on port 80:
server
{
    listen 80;
    server_name www.aslibra.com aslibra.com test.aslibra.com;
    location /.well-known {
        root /Data/webapps/www.aslibra.com/;
    }
    location / {
        rewrite ^/(.*)$ https://www.aslibra.com/$1 redirect;
    }
}
Request the certificate:
/Data/apps/letsencrypt/letsencrypt-auto certonly \
--webroot --email youremail@gmail.com \
-w /Data/webapps/www.aslibra.com \
-d www.aslibra.com \
-d aslibra.com \
-d test.aslibra.com
The email address is where expiry reminders for the certificate are sent.
Each -d is one of the site's domain names; all of them can be requested together in a single certificate.
On success you will see a message like:
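Before running the certonly command it is worth confirming that the webroot plumbing actually works, because the most common failure at this step is the catch-all redirect to HTTPS swallowing the /.well-known request. The script below is an added example, not part of the original post: it writes a throwaway token into <webroot>/.well-known/acme-challenge/ and fetches it over plain HTTP for each hostname, which is exactly what the Let's Encrypt server does during HTTP-01 validation. The hostnames and webroot in the usage block are the ones from the post; the function names and the token format are this example's own.

```python
"""Preflight check for the HTTP-01 webroot setup (added example, not the
post's code). For every hostname it places a random token file in the
webroot's .well-known/acme-challenge/ directory and fetches it over HTTP.
A failure means nginx is not serving that path on port 80 (wrong root,
missing location block, or the redirect to HTTPS is catching it)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def check_domain(base_url: str, webroot: str, timeout: float = 5.0) -> bool:
    """Return True if a file written under the webroot comes back verbatim
    from <base_url>/.well-known/acme-challenge/<token> with HTTP 200."""
    token = secrets.token_urlsafe(16)      # random file name, like an ACME token
    expected = secrets.token_urlsafe(32)   # random body so a stale file can't pass
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    file_path = os.path.join(challenge_path, token)
    with open(file_path, "w", encoding="ascii") as fh:
        fh.write(expected)
    try:
        url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
        # urlopen follows redirects, as the ACME server does; a redirect to an
        # HTTPS host that is not set up yet therefore fails here as well.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace")
            return resp.status == 200 and body.strip() == expected
    except (urllib.error.URLError, OSError, ValueError):
        # 404, connection refused, timeout, bad redirect target, ...
        return False
    finally:
        try:
            os.remove(file_path)  # never leave the token lying around
        except FileNotFoundError:
            pass


def check_all(domains, webroot: str, scheme: str = "http") -> dict:
    """Run the check for every hostname in the -d list; {hostname: bool}."""
    return {d: check_domain(f"{scheme}://{d}", webroot) for d in domains}


if __name__ == "__main__":
    # Hostnames and webroot as used in the post's certonly command.
    results = check_all(
        ["www.aslibra.com", "aslibra.com", "test.aslibra.com"],
        "/Data/webapps/www.aslibra.com",
    )
    for host, ok in results.items():
        print(f"{host}: {'OK' if ok else 'FAILED'}")
```

Run it on the web server itself after the port-80 server block is loaded; every hostname should print OK before you invoke letsencrypt-auto, otherwise the CA's validation will fail with the same symptom.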
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.aslibra.com/fullchain.pem. Your cert
will expire on 2017-09-16. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again.
To non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3 Configure nginx
server
{
    listen 443;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.aslibra.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.aslibra.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.aslibra.com/chain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    server_name www.aslibra.com aslibra.com test.aslibra.com;
    #...
4 Renew the certificate regularly
Create a script:
/Data/scripts/letsencrypt-renew.sh
#!/bin/bash
/Data/apps/letsencrypt/letsencrypt-auto renew
/Data/apps/nginx/sbin/nginx -s reload
Add a cron entry:
0 23 28 * * root /Data/scripts/letsencrypt-renew.sh >>/Data/logs/letsencrypt.log
This runs once a month, on the 28th; since the certificate is valid for two months, renewing once a month is enough.
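The post's renewal script reloads nginx unconditionally after every cron run, even when letsencrypt-auto renewed nothing (by certbot's default, renew only re-issues certificates that are within 30 days of expiry) and even if the nginx configuration has meanwhile become invalid. The wrapper below is an added example, not the post's script: it runs the same two commands, but fingerprints every fullchain.pem under /etc/letsencrypt/live before and after the renew, reloads nginx only when some certificate actually changed, and only after nginx -t confirms the configuration parses. The letsencrypt-auto and nginx paths are the ones from the post; the function names are this example's own.

```python
"""Renewal wrapper for the cron job (added example, not the post's own
script). Reload nginx only when a certificate really changed and only if
`nginx -t` passes, so a no-op renewal or a broken config never causes an
unnecessary or failing reload."""
import hashlib
import subprocess
import sys
from pathlib import Path

# Paths as used in the post.
LETSENCRYPT_AUTO = "/Data/apps/letsencrypt/letsencrypt-auto"
NGINX = "/Data/apps/nginx/sbin/nginx"
LIVE_DIR = Path("/etc/letsencrypt/live")


def fingerprint_certs(live_dir: Path) -> dict:
    """SHA-256 of every live/<name>/fullchain.pem, keyed by lineage name.
    live/ holds symlinks to the newest files, so a renewal changes the hash."""
    out = {}
    for pem in sorted(live_dir.glob("*/fullchain.pem")):
        out[pem.parent.name] = hashlib.sha256(pem.read_bytes()).hexdigest()
    return out


def changed_lineages(before: dict, after: dict) -> list:
    """Lineage names whose fullchain.pem is new or whose content differs."""
    return sorted(name for name, digest in after.items()
                  if before.get(name) != digest)


def run(cmd) -> int:
    """Run a command, echoing it so the cron log shows what happened."""
    print("+", " ".join(cmd), flush=True)
    return subprocess.call(cmd)


def main() -> int:
    before = fingerprint_certs(LIVE_DIR)
    rc = run([LETSENCRYPT_AUTO, "renew"])
    if rc != 0:
        print("renew failed, leaving nginx untouched", file=sys.stderr)
        return rc
    changed = changed_lineages(before, fingerprint_certs(LIVE_DIR))
    if not changed:
        print("no certificate was renewed; nginx not reloaded")
        return 0
    print("renewed:", ", ".join(changed))
    if run([NGINX, "-t"]) != 0:
        print("nginx configuration test failed; not reloading", file=sys.stderr)
        return 1
    return run([NGINX, "-s", "reload"])


if __name__ == "__main__":
    sys.exit(main())
```

Point the cron line at this script instead of letsencrypt-renew.sh and keep the >> redirection to /Data/logs/letsencrypt.log; the echoed commands and the "renewed:" line then give a usable audit trail of when each lineage was actually re-issued.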
Original content; if you repost it, please credit: from 阿权的书房