使用certbot自动签发SSL证书(Let's Encrypt证书)

2019独角兽企业重金招聘Python工程师标准>>>

我知道很多云上都有免费1年的SSL证书了，但是1年到了你还得手动去续期，域名多了那工作量就大了去了。我的环境是阿里云centos6,亲测centos7同样适用，一句命令即可！

Let's Encrypt 的最大贡献是它的 ACME 协议，第一份全自动服务器身份验证协议，以及配套的基础设施和客户端。

关于Let's Encrypt 上线的意义可以参考一下知乎

https://www.zhihu.com/question/36710815?sort=created

现在我们来使用certbot自动注册免费的SSL证书及基于ACME协议自动续期！

官网地址 https://certbot.eff.org/#centos6-nginx  可根据你的软件和系统版本

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

命令帮助

./certbot-auto --help all  

一句话搞定SSL！前提是先解析并且找得到server_name

./certbot-auto --nginx certonly --nginx-server-root /usr/local/nginx/conf --nginx-ctl /usr/local/nginx/sbin/nginx  -m "yunwei@1.com" -n --agree-tos  --domains www.jklot.com 

certbot默认的nginx配置是/etc/nginx/,像我们平常都是放在/usr/local/nginx/需要自定义一下

如果卡在安装python packages 上

cat ~/.pip/pip.conf

[global]
index-url=http://mirrors.aliyun.com/pypi/simple/

[install]
trusted-host=mirrors.aliyun.com

如果你没有加这些参数

-m "your@email.com" -n --agree-tos

那就需要手动应答了。。邮件你不要随便填啊，到时候快过期会给你一封邮件，还是很有用的

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): 

You must

agree in order to register with the ACME server 等等等。。。

最后，提示以下信息，则说明我们申请成功了。

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/www.jklot.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/www.jklot.com/privkey.pem

   Your cert will expire on 2018-04-04. To obtain a new or tweaked

Nginx配置

server {
     listen 80;
     server_name www.jklot.com;
     rewrite ^/(.*)$ https://www.jklot.com/$1 permanent;
}
server {
    listen 443;
    server_name www.jklot.com;
    index index.html index.htm index.php;
    root  /data/web/www.jklot.com/;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/www.jklot.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.jklot.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

最后可以测试一下证书的安全性

 https://www.ssllabs.com/ssltest/index.html

管理证书

 ./certbot-auto certificates

注销证书

./certbot-auto revoke --cert-path /etc/letsencrypt/live/www.jklot.com/cert.pem 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
-------------------------------------------------------------------------------
(Y)es (recommended)/(N)o: Y

-------------------------------------------------------------------------------
Deleted all files relating to certificate 1.jklot.com.
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/live/www.jklot.com/cert.pem

./certbot-auto delete --cert-name www.jklot.com

手动续期

./certbot-auto renew 

自动续期

添加到crontab里面

00 0,12 * * * root /usr/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && cd /root ; ./certbot-auto renew --renew-hook "/usr/local/nginx/sbin/nginx -s reload"

上面是certbot官网的定时，我也不清楚为啥要在弄个随机的小时内执行renew...

那这样岂不是可以无限申请了吗？实际上是有限制的。https://letsencrypt.org/docs/rate-limits/

如果你上面用不来，那使用在线申请Let's Encrypt 证书的网站吧  https://www.sslforfree.com

转载于:https://my.oschina.net/longquan/blog/808470