Free SSL certificates: Let's Encrypt

Two approaches

  • Official: letsencrypt-auto
  • certbot-auto
certbot
1. The server runs CentOS 6.5, so EPEL has to be installed.
yum install epel-release
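2. Install certbot
Change to the directory you want to install into (for example cd /root/), then run the commands below. Note that --no-check-certificate turns off TLS certificate validation for the download; drop the flag if the system's CA bundle can validate dl.eff.org.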
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto
Wait for the installation to finish:
Creating virtual environment... 
Installing Python packages...
Installing Succeeded!
If it hangs at this point, change the pip configuration:
mkdir ~/.pip
cat > ~/.pip/pip.conf <<EOF
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/

[install]
trusted-host=mirrors.aliyun.com
EOF
(or open the file with vi ~/.pip/pip.conf and enter the same content)

References: https://www.vpser.net/build/letsencrypt-certbot.html/comment-page-1#comments and https://github.com/certbot/certbot/issues/2516

3. Generate the certificate
Format: ./certbot-auto certonly --webroot --agree-tos -v -t --email <email address> -w <site root directory> -d <site domain>
./certbot-auto certonly --email [email protected] --agree-tos --webroot -w /usr/local/java/nginx/html -d www.xx.net
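The command above uses webroot mode, which requires nginx to be started and the web server to be in the running state; otherwise it fails with an error that the domain cannot be reached. In that case you can use standalone mode instead:
./certbot-auto certonly    # opens a selection dialog
-> choose standalone
-> enter your email address (only asked the first time)
-> enter the domain name
-> ok
Output on success: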
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.网站域名.net/fullchain.pem. Your cert
   will expire on 2017-03-18. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
4. Harden security: generate dhparams (this step is optional)
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
5. Configure Nginx
Change the two SSL directives in the nginx configuration:
ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
If you generated dhparams in step 4, also add:
ssl_dhparam /etc/ssl/certs/dhparams.pem;

Restart nginx, and you are done.
letsencrypt-auto
1. Stop nginx
2. Install letsencrypt
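
The success output in step 3 gives an expiry date and names "certbot-auto renew" as the renewal command. The script below is an added example, not part of the original post: it flags certificates that are close to expiry, then renews them and reloads nginx. It assumes certbot-auto sits in /root/ as in step 2; the 30-day threshold, the --renew switch and the variable names are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag Let's Encrypt certificates
# that are close to expiry, then renew them and reload nginx.
# Assumptions: certificates are under /etc/letsencrypt/live/<domain>/ as in the
# certbot output above; certbot-auto was downloaded to /root/ (step 2).
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
CERTBOT="${CERTBOT:-/root/certbot-auto}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# cert_expires_within FILE DAYS
# Returns 0 when FILE expires within DAYS days, or cannot be read or parsed
# (fail safe: a broken certificate needs attention too). Returns 1 otherwise.
cert_expires_within() {
    [ -r "$1" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# list_expiring DIR DAYS
# Prints one domain per line for every DIR/<domain>/fullchain.pem that
# cert_expires_within reports as due.
list_expiring() {
    for pem in "$1"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        if cert_expires_within "$pem" "$2"; then
            basename "$(dirname "$pem")"
        fi
    done
}

# Run the renewal only when called with --renew (for example from cron).
if [ "${1:-}" = "--renew" ]; then
    due=$(list_expiring "$LIVE_DIR" "$THRESHOLD_DAYS")
    if [ -n "$due" ]; then
        echo "Expiring within $THRESHOLD_DAYS days: $due"
        # "certbot-auto renew" is the command named in the success output above.
        "$CERTBOT" renew && nginx -s reload
    else
        echo "No certificate expires within $THRESHOLD_DAYS days."
    fi
fi
```

Without --renew the script only defines the two functions, so it can be sourced from a monitoring check that calls list_expiring directly.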
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
3. Generate the certificate
There are two ways; I have not verified them yet:
sudo ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
or
./letsencrypt-auto certonly --webroot --webroot-path /usr/local/java/nginx/html -d <domain> --agree-tos --email <email address>
For the remaining steps, follow the certbot section above.


References:
certbot and https://segmentfault.com/a/1190000005797119
letsencrypt and https://mechanus.io/lets-encrypt-certificate-note/
