Using LetsEncrypt & Certbot to create SSL certificates
Certbot
Go to the site below; it gives you a short script that helps you request a certificate quickly.
The following uses CentOS 6 with nginx as the example:
Pick your OS and web server there, which gives the URL below:
https://certbot.eff.org/#centos6-nginx
1. Download
wget -O /sbin/certbot https://dl.eff.org/certbot-auto
chmod a+x /sbin/certbot
(certbot-auto, the self-updating wrapper script downloaded here, has since been deprecated by the Certbot project; on a current system install certbot from your distribution's packages or as a snap instead.)
2. Edit the nginx server configuration file (for a vhost, its vhost config file) and add the following as the first location rule. This serves the ACME HTTP-01 challenge files from the site's webroot over plain HTTP, which is what Let's Encrypt fetches during validation:
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /path/website/;
}
location = /.well-known/acme-challenge/ {
return 404;
}
Reload for it to take effect: service nginx reload
3. Request the certificate
certbot certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /path/website -d www.example.com
The path given with -w must be the same directory as the root in the location rule from step 2, because certbot writes the challenge file to <webroot>/.well-known/acme-challenge/ and nginx maps the request URI onto that root.
The issued certificate is placed under /etc/letsencrypt/live/example.com/ (note: example.com stands for your own site name; certbot names this directory after the first domain given with -d, so for the command above it is www.example.com unless you pass --cert-name), and contains these 5 files:
cert.pem chain.pem fullchain.pem privkey.pem README
cert.pem is the server certificate alone, chain.pem the intermediate CA certificate, fullchain.pem the two concatenated (the one to give nginx), and privkey.pem the private key, which must stay readable by root only.
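A wrong root, or a location rule that never matches, is the most common reason the webroot challenge fails, and certbot's error only tells you that the fetch returned the wrong content. The script below is an added example, not part of the original post: it drops a random probe file into <webroot>/.well-known/acme-challenge/, fetches it back through the same URL Let's Encrypt would request (plain HTTP on port 80; validation never starts over HTTPS), compares the two, and cleans up. The webroot and domain are the placeholders used on this page; the fetch command is a parameter (defaulting to curl, assumed to be installed) so the logic can also be exercised locally without a web server.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that the
# HTTP-01 challenge directory configured in nginx is really being served.
# Usage: acme_preflight WEBROOT DOMAIN [FETCH_CMD]
#   WEBROOT   the directory passed to certbot with -w (the nginx 'root')
#   DOMAIN    the name passed to certbot with -d
#   FETCH_CMD command that prints the body of the URL given as its argument
#             (defaults to curl, assumed available on the host)
# Returns 0 when the probe round-trips, 2 when the URL cannot be fetched,
# 3 when something else (another vhost, a different root) answered.
acme_preflight() {
  webroot=$1
  domain=$2
  fetch=${3:-"curl -fsS --max-time 10"}
  dir="$webroot/.well-known/acme-challenge"

  mkdir -p "$dir" || return 1

  # Random, URL-safe token; certbot's own tokens are similar in shape.
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  probe="$dir/$token"
  printf '%s' "probe-$token" > "$probe" || return 1

  # Fetch exactly the URL the CA would use: http://, not https://.
  if got=$($fetch "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null); then
    rc=0
  else
    rc=$?
  fi
  rm -f "$probe"

  if [ "$rc" -ne 0 ]; then
    echo "FAIL: could not fetch the probe (rc=$rc); check the location rule and that port 80 is reachable from outside" >&2
    return 2
  fi
  if [ "$got" != "probe-$token" ]; then
    echo "FAIL: fetched content differs; another vhost or root is answering for $domain" >&2
    return 3
  fi
  echo "OK: $domain serves $dir"
  return 0
}

# On the real host, run it before certbot:
#   acme_preflight /path/website www.example.com
```

Run it from a machine outside your network if you can; a check from localhost does not prove that the CA can reach port 80 through your firewall.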
4. Add SSL to nginx
My nginx is built from source and installed under /usr/local/nginx.
Create a directory to hold the SSL key material:
# mkdir -pv /usr/local/nginx/conf/sslkey
# cd /usr/local/nginx/conf/sslkey
# ln -s /etc/letsencrypt/live/example.com/* ./
# ls
cert.pem chain.pem fullchain.pem privkey.pem README
# pwd
/usr/local/nginx/conf/sslkey
The files under /etc/letsencrypt/live/ are themselves symlinks into /etc/letsencrypt/archive/, which certbot repoints at every renewal, so linking rather than copying means a plain nginx reload picks up the renewed certificate.
5. Edit the nginx server configuration file (or the vhost file) to add SSL support, for example:
listen 80;
listen 443 ssl;
server_name www.example.com;
root /path/website/;
index index.php index.htm index.html;
ssl_certificate /usr/local/nginx/conf/sslkey/fullchain.pem;
ssl_certificate_key /usr/local/nginx/conf/sslkey/privkey.pem;
ssl_protocols TLSv1.2;
ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL;
……
Three details matter here. ssl_certificate must point at fullchain.pem, not cert.pem; with cert.pem alone nginx never sends the intermediate CA certificate and many clients fail to build the chain. Do not add "ssl on;" when the same server block also listens on port 80: it forces TLS on every listen socket and breaks plain HTTP (the ssl parameter on "listen 443" is all that is needed, and "ssl on" is deprecated in current nginx). The cipher string as originally written contained +HICH, a typo for +HIGH, and it is an old-style list; TLS 1.0 and 1.1 are deprecated, so only re-add them to ssl_protocols if you must support legacy clients.
Restart for it to take effect.
Visiting the site over HTTPS now works.
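For reference, the layout a practitioner would use for the same site, as an added example that is not part of the original post: a plain-HTTP server block that keeps the ACME challenge location from step 2 and redirects everything else to HTTPS, and a separate TLS-only server block that serves fullchain.pem, enables OCSP stapling using the chain.pem file certbot produces (which the post lists but never uses), and sends HSTS. The server name and paths are the placeholders used on this page; the cipher list is a modern ECDHE-only selection chosen here rather than taken from the post, and the resolver addresses are an assumption to replace with your own.

```nginx
# Added example, not from the original post. Placeholders: www.example.com,
# /path/website, /usr/local/nginx/conf/sslkey (the link directory from step 4).

# Port 80: answer ACME challenges only; send everything else to HTTPS.
server {
    listen 80;
    server_name www.example.com;

    # Same rule as step 2, kept here so renewals keep working after the redirect is in place.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /path/website/;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS only. No "ssl on;" here; the listen parameter enables TLS.
server {
    listen 443 ssl;
    server_name www.example.com;
    root /path/website/;
    index index.php index.htm index.html;

    # fullchain.pem = server cert + intermediate; cert.pem alone breaks chain building on many clients.
    ssl_certificate     /usr/local/nginx/conf/sslkey/fullchain.pem;
    ssl_certificate_key /usr/local/nginx/conf/sslkey/privkey.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996). Add TLSv1.3 once your nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ECDHE only (forward secrecy), AEAD suites; no RC4, 3DES, NULL or export suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption via the server-side cache; tickets off so no long-lived ticket key sits on disk.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the OCSP response itself and verifies it against chain.pem.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/sslkey/chain.pem;
    resolver 8.8.8.8 1.1.1.1 valid=300s;   # assumed; use your own resolver

    # Tell browsers to use HTTPS for a year. Enable only once HTTPS is known to work.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Check the result with nginx -t before reloading; a typo in the cipher list or a wrong path makes the reload fail and, with "service nginx reload", leaves the old configuration running without any visible error on the site.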
6. Because the certificate is valid for only 90 days, and "certbot renew" only actually renews a certificate once it is within 30 days of expiry (otherwise it is a no-op), add the renewal to a scheduled task; set the time as you see fit:
# crontab -e
0 0,12 * * * /sbin/certbot renew --deploy-hook "service nginx reload" --quiet
The entry as originally written, "00 00 00 */3 *", is not a valid crontab line (the day-of-month field cannot be 00), and running once every three months can miss the renewal window entirely. Since renew does nothing until a certificate is due, the Certbot project recommends running it once or twice a day. --deploy-hook runs the reload only when a certificate was actually renewed (older certbot versions call this option --renew-hook), and --quiet already silences normal output, so no redirection or trailing & is needed.
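A renewal only helps if nginx actually loads the new files, and a reload on a broken configuration takes the site down, so a practitioner would put the reload into a small deploy hook rather than a bare "service nginx reload". The script below is an added example, not from the original post. It relies on the environment certbot gives deploy hooks (RENEWED_LINEAGE, the path of the renewed lineage directory, and RENEWED_DOMAINS, the space-separated list of renewed names), checks that the lineage holds fullchain.pem and privkey.pem, runs "nginx -t", and reloads only if the test passes. The site name www.example.com is the placeholder from this page; the test and reload commands are variables so the logic can be exercised on a machine without nginx. Install it with --deploy-hook /path/to/deploy-hook.sh, or place it in /etc/letsencrypt/renewal-hooks/deploy/, where certbot runs executable files automatically after each successful renewal.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook for nginx.
# certbot runs deploy hooks after a successful renewal with RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/www.example.com) and RENEWED_DOMAINS set.
# The two commands below are overridable so the logic can be tested without nginx.
NGINX_TEST=${NGINX_TEST:-"nginx -t"}
NGINX_RELOAD=${NGINX_RELOAD:-"service nginx reload"}

# lineage_ok DIR: 0 if DIR holds the two files nginx needs, 1 otherwise.
lineage_ok() {
  dir=$1
  for f in fullchain.pem privkey.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f" >&2; return 1; }
  done
  return 0
}

# domain_renewed NAME "DOMAINS": 0 if NAME is among the space-separated DOMAINS.
domain_renewed() {
  name=$1
  for d in $2; do
    [ "$d" = "$name" ] && return 0
  done
  return 1
}

# deploy SITE: reload nginx only if the renewed lineage covers SITE and the
# configuration still passes the test command.
# Returns 0 on reload or when there is nothing to do for SITE,
# 2 if the lineage is incomplete, 3 if nginx rejected the configuration.
deploy() {
  site=$1
  domain_renewed "$site" "${RENEWED_DOMAINS:-}" || return 0
  lineage_ok "${RENEWED_LINEAGE:-}" || return 2
  if ! $NGINX_TEST >/dev/null 2>&1; then
    echo "nginx configuration test failed; not reloading" >&2
    return 3
  fi
  $NGINX_RELOAD
}

# Entry point when certbot runs this file as a hook (RENEWED_LINEAGE is set then).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy www.example.com
fi
```

Because certbot treats a non-zero hook exit as an error and reports it, a failing "nginx -t" surfaces in the renewal output and in cron mail instead of silently leaving the old certificate in service.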
7. Revoke the certificate
certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
certbot delete --cert-name example.com
Revoke when the private key may have been exposed; delete removes the lineage and its renewal configuration, so update nginx first so it no longer references the removed files.
8. Certbot extras: it can issue a single certificate for multiple domains with multiple webroots; I have not yet seen multiple webroots for a single domain, so leave a comment if you have.
Run
# certbot -h all