Quote:
Let's Encrypt, a public project offering free SSL certificates, is gradually being spread and adopted by a wide user base. It was launched by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, with the main goal of speeding up the move of websites from HTTP to HTTPS; more and more companies are now joining and sponsoring it.


A free Let's Encrypt certificate is a good fit for personal sites or sites with ordinary requirements, and installation is simple.

Main steps:
1 Install the environment
2 Request a certificate
3 Configure nginx
4 Renew the certificate periodically

1 Install the environment

yum -y install git python
cd /Data/apps/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help


Normally, if that last command runs without errors, the environment is ready.

2 Request a certificate

First, create a directory under your site's web root where the authorization check will be served, then request the certificate directly from the command line:
mkdir -p /Data/webapps/www.aslibra.com/.well-known/acme-challenge


Configure nginx so that this directory is reachable over port 80:
server
{
    listen       80;
    server_name  www.aslibra.com aslibra.com test.aslibra.com;
    location /.well-known {
        root   /Data/webapps/www.aslibra.com/;
    }
    location / {
        rewrite ^/(.*)$ https://www.aslibra.com/$1 redirect;
    }
}


Request the certificate:
/Data/apps/letsencrypt/letsencrypt-auto certonly \
--webroot --email youremail@gmail.com \
-w /Data/webapps/www.aslibra.com \
-d www.aslibra.com \
-d aslibra.com \
-d test.aslibra.com

The email address is used to send you reminders when the certificate is about to expire.
-d lists the different domain names of the same site; they can be requested together in one certificate.

On success you will see a message like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.aslibra.com/fullchain.pem. Your cert
   will expire on 2017-09-16. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
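Before running the certonly command above, it helps to confirm that every -d domain really serves the challenge directory over plain HTTP and that the challenge path is not swallowed by the rewrite to HTTPS. The pre-flight check below is an added example, not code from the original post or from Let's Encrypt; it assumes the web root and domain names used above and that it runs on the web server itself.

```python
import os
import secrets
import urllib.error
import urllib.request

# Values from the post; adjust to your own site.
WEBROOT = "/Data/webapps/www.aslibra.com"
DOMAINS = ["www.aslibra.com", "aslibra.com", "test.aslibra.com"]
CHALLENGE_DIR = ".well-known/acme-challenge"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 301/302 here means the "location /" rewrite
    # to HTTPS is swallowing the challenge path and validation would fail.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def challenge_url(domain, token):
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"

def http_fetch(url, timeout=10):
    # Returns (status, body); a redirect surfaces as its own status code.
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""

def check_response(status, body, token):
    """Classify the reply as (ok, reason)."""
    if status in (301, 302, 307, 308):
        return False, f"HTTP {status}: challenge path is being redirected"
    if status != 200:
        return False, f"HTTP {status}: challenge file not served from webroot"
    if body.strip() != token:
        return False, "HTTP 200 but wrong body: another vhost or root answered"
    return True, "ok"

def probe_domain(domain, webroot=WEBROOT, fetch=http_fetch):
    """Write a random token into the webroot, fetch it over HTTP, clean up."""
    token = secrets.token_urlsafe(16)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    try:
        return check_response(*fetch(challenge_url(domain, token)), token)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for d in DOMAINS:
        print(d, *probe_domain(d))
```

Any domain that does not print "ok" will fail the http-01 validation, so fix the nginx vhost (or DNS) for it before requesting the certificate.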


3 Configure nginx

server
{
    listen 443;
    ssl on;

    ssl_certificate /etc/letsencrypt/live/www.aslibra.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.aslibra.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.aslibra.com/chain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;

    server_name  www.aslibra.com aslibra.com test.aslibra.com;

    # ... the rest of the site configuration (root, location blocks, etc.)
}


4 Renew the certificate periodically

Create a script:
/Data/scripts/letsencrypt-renew.sh

#!/bin/bash
/Data/apps/letsencrypt/letsencrypt-auto renew
/Data/apps/nginx/sbin/nginx -s reload


Add a cron entry:
0 23 28 * * root /Data/scripts/letsencrypt-renew.sh >>/Data/logs/letsencrypt.log


This runs once a month on the 28th; since the certificate is valid for 2 months, renewing once a month is enough.


Original content; if you repost it, please credit the source: 阿权的书房