

Let’s Encrypt免费的https证书
source link: http://blog.grayson.org.cn/blog/2016/08/11/letsencrypt

Aug 11, 2016
A script-driven way to request a free Let's Encrypt HTTPS certificate. The certificates are only valid for 90 days, but renewal can be automated with a script, so they are still a good choice. (The letsencrypt.sh project used here has since been renamed dehydrated; the old GitHub URL redirects to it.)
1. Generating the certificate with letsencrypt.sh
1.1 Create the directories
cd ~
git clone https://github.com/lukas2511/letsencrypt.sh
sudo mkdir -p /etc/letsencrypt.sh
sudo mkdir -p /var/www/letsencrypt.sh
sudo chown `whoami` -R /var/www/letsencrypt.sh
sudo chown `whoami` -R /etc/letsencrypt.sh
cp ~/letsencrypt.sh/docs/examples/config /etc/letsencrypt.sh/config
cp ~/letsencrypt.sh/docs/examples/domains.txt /etc/letsencrypt.sh/domains.txt
Note what these two directories are for. /etc/letsencrypt.sh will hold the ACME account key and every site's private key (certs/<domain>/privkey.pem), so keep it readable only by this user and root; nginx's master process runs as root and can read the key whoever owns it. /var/www/letsencrypt.sh, by contrast, is served to the whole Internet over plain HTTP and must contain nothing but challenge tokens.
1.2 Edit the letsencrypt.sh config
vi /etc/letsencrypt.sh/config
BASEDIR="/etc/letsencrypt.sh/"
WELLKNOWN="/var/www/letsencrypt.sh/"
vi /etc/letsencrypt.sh/domains.txt
91any.com www.91any.com
Each line of domains.txt is one certificate: the first name becomes the subject, the remaining names on the line are added as alternative names (SANs).
1.3 Edit the nginx config
server {
listen 80;
....
location /.well-known/acme-challenge {
allow all;
alias /var/www/letsencrypt.sh/;
}
...
}
During issuance the CA confirms that you control the domain by fetching a URL of the form http://foo.com/.well-known/acme-challenge/xxxxxxx_xxxxx over plain HTTP; the location/alias pair above maps that path onto the WELLKNOWN directory, so the token file letsencrypt.sh writes to /var/www/letsencrypt.sh/ is what the CA reads back. Port 80 therefore has to stay open and must not redirect that path anywhere the CA cannot follow.
After editing the nginx config, test and reload it:
sudo /etc/init.d/nginx configtest
* Testing nginx configuration [OK ]
sudo /etc/init.d/nginx reload
* Reloading nginx configuration nginx [ OK ]
1.4 Run the script that issues the SSL certificate
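Before running letsencrypt.sh it is worth checking, from the outside, that nginx really serves files from the WELLKNOWN directory at that path; a wrong alias or a stray redirect otherwise only shows up as a failed challenge. The script below is an added example (not from the original post or the letsencrypt.sh project): it drops a random probe file into /var/www/letsencrypt.sh, fetches it through each hostname the way the CA's validator does (following redirects, as Let's Encrypt does), and removes it again. Paths follow section 1.1; the file name check-wellknown.sh is an assumption.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge path (added example, not part of
# the original post). Assumes WELLKNOWN and the nginx location from section 1.
set -eu

WELLKNOWN="${WELLKNOWN:-/var/www/letsencrypt.sh}"

# 32 hex chars from the kernel RNG. A guessable name (PID, timestamp) would let
# another local user pre-create the file in the world-served directory.
make_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a probe file the same way letsencrypt.sh does: <WELLKNOWN>/<token>.
place_token() { # dir token
    printf '%s\n' "probe-$2" > "$1/$2"
    chmod 644 "$1/$2"
}

# The URL the CA will request for this domain and token.
challenge_url() { # domain token
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Fetch the probe through the public hostname and compare bodies.
# Returns 0 on match, 1 on any mismatch, timeout or HTTP error.
probe_domain() { # domain token
    body=$(curl -sSL --fail --max-time 10 "$(challenge_url "$1" "$2")") || return 1
    [ "$body" = "$(printf 'probe-%s' "$2")" ]
}

# Probe every name that will appear on the certificate, then clean up.
check_domains() { # domain...
    token=$(make_token)
    place_token "$WELLKNOWN" "$token"
    rc=0
    for d in "$@"; do
        if probe_domain "$d" "$token"; then
            echo "OK   $d"
        else
            echo "FAIL $d  ($(challenge_url "$d" "$token"))"
            rc=1
        fi
    done
    rm -f "$WELLKNOWN/$token"
    return $rc
}

# Usage: ./check-wellknown.sh 91any.com www.91any.com
if [ "$(basename "$0")" = "check-wellknown.sh" ]; then
    check_domains "$@"
fi
```

Run it with the same names that are in domains.txt; every line must say OK before letsencrypt.sh -c is worth running. A FAIL with a 301 to https:// usually means a blanket HTTP-to-HTTPS redirect is placed before the acme-challenge location.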
~/letsencrypt.sh/letsencrypt.sh -c
## INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing 91any.com with alternative names: www.91any.com
+ Signing domains...
+ Creating new directory /etc/letsencrypt.sh/certs/91any.com ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for 91any.com...
+ Requesting challenge for www.91any.com...
+ Responding to challenge for 91any.com...
+ Challenge is valid!
+ Responding to challenge for www.91any.com...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
This means the certificate was issued successfully. Next, configure the SSL certificate in nginx.
2. Configure the SSL certificate in nginx
First generate Diffie-Hellman parameters for the DHE cipher suites (2048 bits; this takes a minute):
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
2.1 nginx configuration
sudo vi /etc/nginx/sites-enabled/qiangda_production
server {
listen 80;
listen 443 ssl;
## listen 443 ssl http2;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt.sh/certs/91any.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt.sh/certs/91any.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;## omit SSLv3 because of POODLE (CVE-2014-3566)
ssl_stapling on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
Two things in this block deserve attention. The original post also had an `ssl on;` line, which has been dropped here: with `listen 80;` in the same server block it forces TLS on port 80 as well, so plain-HTTP requests (including the CA's challenge fetches at renewal time) fail with "400 The plain HTTP request was sent to HTTPS port". `listen 443 ssl;` already enables TLS on the right socket, and `ssl on` is deprecated since nginx 1.15.0. Second, `ssl_stapling on;` on its own does very little: nginx also needs `ssl_stapling_verify on;`, `ssl_trusted_certificate` pointing at the chain.pem that letsencrypt.sh writes next to fullchain.pem, and a `resolver` directive so it can reach the OCSP responder; Let's Encrypt has also announced the end of its OCSP service in favour of CRLs, so on current certificates there is nothing left to staple.
The protocol and cipher settings reflect 2016 practice. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and the 3DES suite DES-CBC3-SHA is affected by SWEET32 (CVE-2016-2183); today TLSv1.2+ with ECDHE AEAD suites only is the sensible baseline. Finally, `preload` in the HSTS header commits every subdomain to HTTPS for two years and getting off the browser preload list takes months: add it last, once everything works. Browsers ignore the header on plain HTTP, so emitting it from the shared port-80 listener is harmless but pointless.
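The same site with the weak settings corrected, as an added example rather than the original post's config: plain HTTP only answers ACME challenges and redirects everything else, and the HTTPS server carries the tightened TLS settings. Paths are those from section 1; chain.pem is the issuer chain letsencrypt.sh writes alongside fullchain.pem; the resolver address (a local systemd-resolved stub) is an assumption, use whatever your host resolves with.

```nginx
# Added example (not the original post's config). Paths from section 1;
# the resolver address is an assumption.
server {
    listen 80;
    listen [::]:80;
    server_name 91any.com www.91any.com;

    # Challenge files must stay reachable over plain HTTP, also at renewal.
    location /.well-known/acme-challenge/ {
        alias /var/www/letsencrypt.sh/;
        default_type text/plain;
    }

    # Everything else goes to HTTPS. The CA follows this for any path that
    # is not a challenge, which is fine; challenges never reach here.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 91any.com www.91any.com;

    ssl_certificate     /etc/letsencrypt.sh/certs/91any.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt.sh/certs/91any.com/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # TLS 1.0/1.1 are deprecated (RFC 8996). Drop TLSv1.3 from this line on
    # nginx older than 1.13 / OpenSSL older than 1.1.1, which reject the name.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only: no static RSA, no CBC, no 3DES.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers on;

    # Stapling needs a verified chain and a resolver nginx can reach;
    # remove the four lines once the certificate carries no OCSP URL.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt.sh/certs/91any.com/chain.pem;
    resolver 127.0.0.53 valid=300s;   # assumption: local stub resolver

    # HSTS belongs only on the HTTPS server. Add "preload" last, once every
    # subdomain is known to work over TLS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

The `always` parameter makes nginx send the HSTS header on error responses too, which the preload list requires. Run `sudo nginx -t` after each change; it also fails if privkey.pem does not match fullchain.pem, so it doubles as a check that the right files were deployed.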
2.2 Test the config and restart nginx
# Reports the exact line that is wrong, if any.
sudo nginx -c /etc/nginx/nginx.conf -t
sudo /etc/init.d/nginx restart
Yeah!!! The site opens over https.
Next, set up automatic renewal of the certificate once a month.
3. Add the auto-renewal script
mv ~/letsencrypt.sh /etc/letsencrypt.sh/
vi /etc/letsencrypt.sh/auto-renew.sh
#!/bin/sh
set -e
/etc/letsencrypt.sh/letsencrypt.sh/letsencrypt.sh -c
sudo service nginx reload
- Make the script executable
chmod 700 /etc/letsencrypt.sh/auto-renew.sh
The original post used chmod 777. Don't: a world-writable script that cron runs unattended and that calls sudo lets any local user put their own commands in front of root. 700 (or 755 if others need to read it) is all that is needed.
- Switch the default editor from nano to vim. Skip this step if you prefer nano.
vim ~/.selected_editor
SELECTED_EDITOR="/usr/bin/vim.tiny"
- Add a log directory
mkdir -p /etc/letsencrypt.sh/log
crontab -e
1 0 1 * * /etc/letsencrypt.sh/auto-renew.sh >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1
This runs at 00:01 on the first of every month. Two caveats: the sudo inside the script only works unattended if this is root's crontab or sudoers grants the cron user `service nginx reload` without a password, otherwise the renewal succeeds but nginx keeps serving the old certificate until it expires. And letsencrypt.sh -c is idempotent, it only renews a certificate that is within RENEW_DAYS (default 30) of expiry, so the job can safely run daily; with the monthly schedule above a single failed run can leave you about a week before expiry.
Restart the cron service
sudo service cron restart
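A renewal wrapper that handles the failure modes above, as an added example (it replaces the two-line auto-renew.sh, and is not the original post's or the project's script): it takes a lock so overlapping cron runs cannot race, only touches nginx when fullchain.pem actually changed, and validates the configuration with `nginx -t` (which also catches a privkey/fullchain mismatch) before reloading. It assumes the paths from section 1 and that it runs from root's crontab, or that the cron user may run `nginx -t` and `service nginx reload` via sudo without a password.

```shell
#!/bin/sh
# Renewal wrapper for cron (added example, not the original auto-renew.sh).
# Assumes the section 1 paths and that this runs as root (or with a sudoers
# rule for exactly "nginx -t" and "service nginx reload").
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt.sh}"
CERT="${CERT:-$LE_DIR/certs/91any.com/fullchain.pem}"
LOCK="${LOCK:-/var/lock/letsencrypt-renew.lock}"

# SHA-256 of a file, or "missing" so that a first issuance also counts as a
# change and triggers the reload.
fingerprint() { # file
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# Succeeds when the certificate on disk changed between two fingerprints.
cert_changed() { # before after
    [ "$1" != "$2" ]
}

# Reload only after nginx has validated the new cert/key pair: "nginx -t"
# fails if privkey.pem does not match fullchain.pem, so a bad renewal never
# takes the site down; the old certificate keeps being served instead.
reload_nginx() {
    nginx -t && service nginx reload
}

renew() {
    # One run at a time; a second cron invocation exits cleanly.
    exec 9>"$LOCK"
    if ! flock -n 9; then
        echo "renewal already running, skipping"
        return 0
    fi
    before=$(fingerprint "$CERT")
    # letsencrypt.sh -c is idempotent: it renews only within RENEW_DAYS
    # (default 30) of expiry, so this is safe to run every day.
    "$LE_DIR/letsencrypt.sh/letsencrypt.sh" -c
    after=$(fingerprint "$CERT")
    if cert_changed "$before" "$after"; then
        echo "certificate renewed, reloading nginx"
        reload_nginx
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Usage: install as /etc/letsencrypt.sh/auto-renew.sh (chmod 700) and run
# it daily from root's crontab, e.g.
#   17 3 * * * /etc/letsencrypt.sh/auto-renew.sh >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1
if [ "$(basename "$0")" = "auto-renew.sh" ]; then
    renew
fi
```

Running it daily rather than monthly means a transient failure (DNS, a CA outage, a broken nginx config) is retried the next day with weeks of validity still left, and the log line "certificate unchanged" on most days is the expected, quiet result.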
Posted by grayson Aug 11, 2016 letsencrypt nginx ssl