Using a Let's Encrypt certificate
1. Install the Certbot client
1. Get the Certbot client; my install directory is /home/downloads
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
2. Configure nginx so that domain ownership can be verified; add the following to /usr/local/nginx/conf/nginx.conf:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /home/www/;
}
location = /.well-known/acme-challenge/ {
    return 404;
}
3. Reload nginx
/usr/local/nginx/sbin/nginx -s reload
4. Generate the certificate
./certbot-auto certonly --webroot -w /home/www -d www.liubo055.top
Output:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.liubo055.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.liubo055.top/privkey.pem
Your cert will expire on 2018-07-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5. Configure Nginx (edit /usr/local/nginx/conf/nginx.conf) to use the SSL certificate
server {
    listen 443 ssl;
    server_name liubo055.top www.liubo055.top;
    ssl_certificate /etc/letsencrypt/live/www.liubo055.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.liubo055.top/privkey.pem;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
6. Reload nginx
/usr/local/nginx/sbin/nginx -s reload
Done: accessing https://www.liubo055.top succeeded.
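Renewing the certificate (I have not actually done this yet; to be continued)
1. Go to /home/downloads and test the renewal. This step does not actually renew anything; it only invokes Certbot to run a test.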
./certbot-auto renew --dry-run
Output that includes the following indicates success:
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/linuxstory.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
2. Manual renewal
./certbot-auto renew -v
3. Automatic renewal
./certbot-auto renew --quiet --no-self-upgrade
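nginx keeps serving the certificate it loaded at startup until it is reloaded, so a scheduled renewal should reload nginx after a real renewal. The wrapper below is an added example, not code from the original post. The paths are the ones used on this page; the script name, the "run" argument and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): renew, then reload nginx only
# if the certificate file actually changed. Paths are the ones used on this
# page; the script name and the "run" argument are assumptions.
CERTBOT="${CERTBOT:-/home/downloads/certbot-auto}"
NGINX="${NGINX:-/usr/local/nginx/sbin/nginx}"
CERT="${CERT:-/etc/letsencrypt/live/www.liubo055.top/fullchain.pem}"

# Print a checksum of the certificate contents (follows the live/ symlink).
cert_sum() {
    cksum 2>/dev/null < "$1" || echo missing
}

# Return codes: 0 = renewed and reloaded, 1 = nothing to do,
# 2 = certbot failed, 3 = nginx config test failed (old cert still served),
# 4 = reload failed.
renew_and_reload() {
    before=$(cert_sum "$CERT")
    "$CERTBOT" renew --quiet --no-self-upgrade || return 2
    after=$(cert_sum "$CERT")
    [ "$before" != "$after" ] || return 1
    # Validate the configuration first, so a broken nginx.conf is reported
    # instead of being handed to the running master process.
    "$NGINX" -t >/dev/null 2>&1 || return 3
    "$NGINX" -s reload || return 4
}

# Example cron entry (assumed script location and schedule):
#   30 3 * * * /home/downloads/renew-and-reload.sh run
if [ "${1:-}" = "run" ]; then
    rc=0
    renew_and_reload || rc=$?
    case $rc in
        0) echo "certificate renewed, nginx reloaded" ;;
        1) exit 0 ;;
        2) echo "certbot renew failed" >&2 ;;
        3) echo "nginx -t failed, not reloading" >&2 ;;
        4) echo "nginx reload failed" >&2 ;;
    esac
    exit "$rc"
fi
```

Return codes 2 to 4 make cron mail the error line, so a failed renewal is noticed before the certificate expires.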