欧阳天涵的专栏

To be your personal Best!

Using LetsEncrypt & Certbot to create SSL certificates

RT

Certbot

到下面的网站,一下脚本,可以助力你快速申请证书

https://certbot.eff.org/

下面以centos 6 - nginx 为例:

打开https://certbot.eff.org/

选好系统版本,即下面的URL

https://certbot.eff.org/#centos6-nginx

1、下载

wget -O /sbin/certbot https://dl.eff.org/certbot-auto
chmod a+x /sbin/certbot
2、修改nginx主机配置文件(vhost则配置在vhos配置文件上)配置在第一个location匹配规则上

location ^~ /.well-known/acme-challenge/ {
  default_type “text/plain”;
  root /path/website/;
}

location = /.well-known/acme-challenge/ {
  return 404;
}

重新加载生效:server nginx reload

3、申请证书

 certbot certonly --email mail@example.com --agree-tos --no-eff-email --webroot -w /path/website -d www.example.com

  申请的证书一般都会在/etc/letsencrypt/live/example.com/ 下,会有下面5个文件 #注意example为你的网站名

  cert.pem chain.pem fullchain.pem privkey.pem README

4、为NGINX添加SSL

我的nginx 为源码安装/usr/local/nginx下

 创建sslkey保存目录

  [root@localhost sslkey]#mkdir -pv /usr/local/nginx/conf/sslkey

  [root@localhost sslkey]#cd /usr/local/nginx/conf/sslkey

  [root@localhost sslkey]#ln -s /etc/letsencrypt/live/example.com/* ./
  [root@localhost sslkey]# ls
  cert.pem chain.pem fullchain.pem privkey.pem README
  [root@localhost sslkey]# pwd
  /usr/local/nginx/conf/sslkey
  [root@localhost sslkey]#

5、修改nginx主机配置文件(vhost则配置在vhos配置文件上)添加ssl支持,例如下面的

  listen 80;
  listen 443 ssl;
  server_name www.example.com;

  root /path/website/;
  index index.php index.htm index.html;

  ssl on;
  ssl_certificate /usr/local/nginx/conf/sslkey/cert.pem;
  ssl_certificate_key /usr/local/nginx/conf/sslkey/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HICH:+MEDIUM:!LOW:!aNULL:!eNULL;

    ……

  重启生效

  访问HTTPS没毛病

6、由于只有90天就得更新证书,而且只有在7天内的过期的才能更新,所以得把证书更新添加到计划任务,时间根据需要设置

  #crontab -e 

  00 00 00 */3 * /sbin/certbot renew --renew-hook "service nginx reload" --quiet > /dev/null 2>&1 &

7、回收证书

  certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

  certbot delete --cert-name example.com

8、 cerbot扩展,可以扮发多路径多域名证书,多路径单域名暂时没有看到,你看得到话留言吧

  执行

#certbot -h all

Letsencrypt

https://www.jianshu.com/p/ee5c589950d1

阅读更多
版权声明:本文为博主原创文章,未经博主允许不得转载。PS: 转载请注明出处 http://blog.csdn.net/ouyangtianhan https://blog.csdn.net/ouyangtianhan/article/details/79961326
个人分类: DevOps
上一篇Redmine rails console usages
下一篇Mac下USB信息 & USB error 3: Unable to claim interface: Access denied (insufficient permissions)
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭