First, a note on the steps below: they assume nginx is already installed on an Ubuntu system.
Step 1: Install certbot
(Configure the package source for certbot)
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install certbot
sudo apt-get install certbot python-certbot-nginx
Step 2: Generate the certificate
[root@localhost home]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): frank@pazzn.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Which names would you like to activate HTTPS for?
1: www.pazz.com
2: pazzn.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pazzn.com
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/default.conf
Congratulations! You have successfully enabled https://pazzn.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=pazzn.com
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/pazzn.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/pazzn.com/privkey.pem
   Your cert will expire on 2019-09-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew all of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Summary of step 2: run "certbot --nginx" → enter your own e-mail address → choose A → choose Y → choose the domain(s) to issue the certificate for (separate several domains with ",") → choose 2. The SSL certificate is now generated.
Location of the SSL certificate: under /etc/letsencrypt/live
Step 3: Configure the SSL certificate
Run "certbot --nginx certonly", then open your own site configuration file. After certbot's changes it looks like this (the lines marked "# managed by Certbot" are the ones certbot added):
server {
    server_name pazzn.com;
    root /var/www/pazzn.com;
    location / {
        index index.php index.html index.htm;
    }
    location ~* \.php$ {
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    # Port 80 is handled by the redirect block below; this block serves HTTPS only.
    # A second "listen 80; server_name pazzn.com;" here would conflict with that block
    # and nginx would ignore the redirect.
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pazzn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pazzn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = pazzn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name pazzn.com;
    return 404; # managed by Certbot
}
Step 4: Restart the nginx server
First run "nginx -t"
to check that the file you just edited contains no errors (this step is important: very often people cannot get nginx to restart because of a mistake in the site file they edited).
Then run "service nginx restart" to restart the nginx server.
Step 5: Visit "https://pazzn.com" and check whether the browser shows the page as secure.
As a matter of security policy, certificates issued by Let's Encrypt are valid for only 90 days, so the certificate has to be renewed every three months. That is a little tedious, but for the sake of security it is worth it and the right thing to do. Fortunately, Certbot also provides a very convenient way to renew.
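As an added check for step 5 and the 90-day window just described (example code written for this page, not part of the original post or of Certbot): the script opens a verified TLS connection to the site and reads the certificate's notAfter date, asks the plain-HTTP port whether it answers with the 301 to HTTPS that the "Redirect" choice configured, and reports how many days remain and whether certbot's renewal window has already been reached. The host name pazzn.com is taken from the page; the 30-day threshold is certbot's default renewal margin and is stated here as an assumption.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from http.client import HTTPConnection

RENEW_THRESHOLD_DAYS = 30  # assumption: certbot renew acts once fewer days than this remain

def parse_cert_time(value):
    """Parse the notAfter string getpeercert() returns, e.g. 'Sep 15 12:00:00 2019 GMT'."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def days_until_expiry(not_after, now=None):
    """Whole days the certificate remains valid (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(not_after) - now).days

def renewal_due(not_after, now=None, threshold=RENEW_THRESHOLD_DAYS):
    """True when the cron job's 'certbot renew' would already replace this certificate."""
    return days_until_expiry(not_after, now) <= threshold

def redirect_ok(status, location, host, path="/"):
    """True for the 301-to-HTTPS that the 'Redirect' choice writes into the port-80 block."""
    return status == 301 and location == f"https://{host}{path}"

def fetch_not_after(host, port=443):
    """Open a TLS connection with chain and hostname verification and read notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def fetch_http_redirect(host, path="/"):
    """Ask the plain-HTTP port what it does with a request; HEAD is enough."""
    conn = HTTPConnection(host, 80, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def check_site(host):
    """Combine both checks into the report an operator wants after step 5."""
    not_after = fetch_not_after(host)
    status, location = fetch_http_redirect(host)
    days = days_until_expiry(not_after)
    return {"days_left": days, "renewal_due": days <= RENEW_THRESHOLD_DAYS,
            "redirect_ok": redirect_ok(status, location, host)}

if __name__ == "__main__":
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "pazzn.com"))
```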
Step 6: Write a script that renews the certificate automatically
[root@localhost home]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@localhost home]# crontab -l
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
[root@localhost home]#
Supplement: if you later need to add several domains, you can run the command like this
sudo certbot certonly --webroot -w /var/www/op.jiu.ho -d shop.jiu.ho -d op.jiu.ho -w /var/www/op.jiu.ho -d shop.jiu.hu -d shop.jiu.ho