1. Download the certbot project
# git clone https://github.com/certbot/certbot.git
# cd certbot/
# chmod a+x ./certbot-auto
certbot-auto is the self-installing wrapper script that shipped in the repository at the time (it builds its own Python virtualenv under /opt/eff.org/certbot/venv); upstream has since retired it in favour of packaged certbot, so the commands below apply to the certbot-auto 0.27-era releases.
2. Generate a certificate for one or more ordinary (non-wildcard) domain names. Beforehand make sure ports 80 and 443 are reachable from the internet and not occupied by another service, because standalone mode starts its own temporary web server on them, and that every domain already has a DNS record pointing at this server.
# ./certbot-auto certonly --standalone -m [email protected] -d yzq.ngrok.yuzq.org -d que.ngrok.org
certonly: only obtain the certificate, do not install it into a web server configuration
-d: a domain name; may be repeated to put several names into one certificate
-m: the account holder's e-mail address (Let's Encrypt sends expiry warnings there)
【1】If it fails with "...We were not be able to guess the right solution from your pip output", the pip mirror the system is configured with probably does not carry a complete copy of PyPI (Aliyun's mirror, for example). Switch to the Tsinghua mirror or to PyPI itself (rename /root/.pip/pip.conf so pip falls back to the official index) and re-run the command above.
【2】If it fails with "OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pip wheel failed with error code 1", run pip install --upgrade virtualenv and then re-run the command above.
When issuance succeeds, certbot prints where the files were written (e.g. /etc/letsencrypt/live/yzq.ngrok.yuzq.org/fullchain.pem). The live/ directory holds symlinks to the newest files in archive/, so always point the web server at the live/ paths; privkey.pem is the private key and must stay readable by root only.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yzq.ngrok.yuzq.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yzq.ngrok.yuzq.org/privkey.pem
Your cert will expire on 2019-01-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Generate a wildcard certificate
(1) Interactive creation of a wildcard certificate
# ./certbot-auto certonly --manual --server https://acme-v02.api.letsencrypt.org/directory -m [email protected] -d *.ngrok.yuzq.org
certonly: only obtain the certificate, do not install it
--manual: create the certificate interactively; certbot prints the challenge and waits for you to publish it. For ordinary hostnames --standalone can be used instead, where certbot starts its own temporary web server for validation, but Let's Encrypt issues wildcard names only through the dns-01 challenge, so a wildcard always needs --manual (or a DNS plugin, see (2)).
--server: the ACME directory URL, which selects the protocol version. Only ACME v2 supports wildcard names, and the certbot version used here still defaults to the v1 endpoint, so for a wildcard this parameter must be given, with exactly this value.
-d: a domain name; may be repeated. Quote the wildcard ('*.ngrok.yuzq.org') so the shell cannot expand it against files in the current directory, and note that *.ngrok.yuzq.org does not cover ngrok.yuzq.org itself; add -d ngrok.yuzq.org if the apex is served too.
-m: the account holder's e-mail address
A few prompts follow:
1. Are you OK with your IP being logged (Y)es/(N)o: Y
2. DNS validation
Please deploy a DNS TXT record under the name
_acme-challenge.ngrok.yuzq.org with the following value:
2qFoaQCrnvyuvUNQGVR0TqnalVjrFmNAJMhlxDMnmCU
Before continuing, verify the record is deployed.
In the DNS provider's console add a TXT record whose host name and value are taken from the prompt. The value is a one-off token bound to this order; the one printed here cannot be reused.
Once the record has propagated (check with a resolver first, e.g. dig TXT _acme-challenge.ngrok.yuzq.org, since certbot gives you one attempt per order), press any key in the terminal; certbot looks the record up and, if it matches, writes the certificate.
(2) Creating a wildcard certificate with automatic validation
Note: not every domain can be validated automatically. Because a wildcard requires the dns-01 challenge, unattended issuance needs a certbot DNS plugin that publishes the TXT record through the provider's API, and only providers certbot ships a plugin for are supported; Aliyun, for instance, has no such integration.
# ./certbot-auto certonly --standalone -n --agree-tos -m [email protected] --preferred-challenges http -d *.ngrok.yuzq.org
-n: non-interactive
--agree-tos: accept the subscriber agreement without prompting
--preferred-challenges http: use the http-01 challenge, served by the standalone web server on port 80
-d: a domain name; may be repeated
-m: the account holder's e-mail address (short form of --email)
Caveat: because this command asks for the http-01 challenge, Let's Encrypt rejects the wildcard name, so as written it only works when every -d value is an ordinary hostname. For a wildcard, replace --standalone --preferred-challenges http with the DNS plugin's options (for example --dns-cloudflare together with --dns-cloudflare-credentials pointing at an ini file that only root can read).
4. Certificates are valid for 90 days. Before expiry, renew with
# ./certbot-auto renew
This renews every certificate under /etc/letsencrypt that is within 30 days of expiry, using the same challenge it was issued with: a standalone certificate therefore needs port 80 free again (stop the web server around the run with --pre-hook/--post-hook, or switch to webroot mode), and a certificate obtained with --manual cannot be renewed unattended unless --manual-auth-hook was supplied.
Or re-issue in webroot mode, where certbot drops the challenge file under the site's document root and the running web server serves it, so nothing has to be stopped:
# /usr/local/webserver/cerbot/certbot-0.27.1/certbot-auto certonly --webroot -w /data/www/erp_doraemon_test/webapp -d erp.e10.cncn.net -d www.e10.cncn.net -d m.e10.cncn.net
Renewal can also be scheduled:
# crontab -e
30 1 * * 1 /www/server/certbot/certbot-auto renew --deploy-hook "nginx -s reload" >> /var/log/le-renew.log 2>&1
This runs renew every Monday at 01:30. Cron does not start in the directory you expect, so give certbot-auto an absolute path (the original entry used a relative ./www/... path and would never run); --deploy-hook reloads nginx only when a certificate was actually renewed, otherwise it keeps serving the old files until restarted; 2>&1 keeps error output in the log. A weekly run still leaves several attempts inside the 30-day window, though certbot itself recommends running renew twice a day.
5. Example nginx configuration
server {
    listen 80;
    server_name yzq.ngrok.yuzq.org;
    # plain HTTP only redirects to HTTPS; Let's Encrypt follows this redirect during http-01
    # validation, so webroot renewal still works as long as the 443 server serves the same root
    return 301 https://$server_name$request_uri;
}
server
{
    listen 443 ssl;
    server_name yzq.ngrok.yuzq.org;
    index index.html index.php;
    root /data/www/test;
    include php56_ci.conf;   # PHP-FPM handler and CodeIgniter settings for this host (not shown here)
    include extra.conf;
    # "ssl on;" was dropped: it is redundant with "listen 443 ssl" and deprecated since nginx 1.15.0
    # the wildcard *.ngrok.yuzq.org was stored by certbot under the lineage name ngrok.yuzq.org;
    # live/ holds symlinks to the newest files, so a renewal needs no path change here
    ssl_certificate /etc/letsencrypt/live/ngrok.yuzq.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngrok.yuzq.org/privkey.pem;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 30m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 once nginx is built against OpenSSL 1.1.1 or newer
    ssl_protocols TLSv1.2;
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    # this list still admits 3DES (the DES-CBC3-SHA suites; !DES does not exclude them) and the
    # non-forward-secret AES*-SHA* suites for old clients; unless those are needed, keep only the ECDHE/DHE AES-GCM entries
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    # ^~ stops nginx from consulting regex locations (such as the PHP handler from php56_ci.conf)
    # for these upload/static prefixes; without it a top-level "location ~ \.php$" matches
    # /static/x.php first and executes an uploaded script despite the nested deny
    location ^~ /static/ {
        location ~ \.php$ {
            deny all;
        }
    }
    location ^~ /static_m/ {
        location ~ \.php$ {
            deny all;
        }
    }
    location / {
        # CodeIgniter front controller: anything that is not an existing file or directory goes through index.php
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php/$1 last;
        }
    }
    access_log /www/logs/web/test.log;
}
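The checks steps 2 to 5 rely on, collected into one script as an added example; it is not part of the original post and not certbot's or nginx's own code. It assumes openssl in PATH (1.1.1 or newer for the -addext used to build the throwaway certificate), ss or netstat for the port check and dig for the TXT check; the hostnames are the post's, the certificate it demonstrates on is generated locally as constructed test material, and nothing under /etc/letsencrypt is read or written. The wildcard matching is the single-label rule browsers apply, which is why *.ngrok.yuzq.org covers yzq.ngrok.yuzq.org but not the apex.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot: pre-flight checks before
# certbot --standalone / --manual and post-renewal checks on what nginx will load.
# Assumptions: openssl (1.1.1+ for -addext in make_demo_cert), ss or netstat, dig.
set -u

# 0 if TCP port $1 has no listener (certbot --standalone must bind 80), 1 if busy,
# 2 if neither ss nor netstat is available to tell.
port_free() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null)
    elif command -v netstat >/dev/null 2>&1; then
        listeners=$(netstat -ltn 2>/dev/null)
    else
        return 2
    fi
    # the local address column reads 0.0.0.0:80, [::]:80 or *:80 followed by whitespace
    ! printf '%s\n' "$listeners" | grep -Eq ":$1[[:space:]]"
}

# 0 once TXT record $1 (e.g. _acme-challenge.ngrok.yuzq.org) carries value $2 at the
# resolver in use; poll this before pressing Enter in certbot --manual. Needs network.
acme_txt_deployed() {
    dig +short TXT "$1" 2>/dev/null | tr -d '"' | grep -qxF -- "$2"
}

# 0 if certificate $1 expires within $2 days (certbot renew acts inside 30), else 1.
# An unreadable file also yields 0 so that it shows up as needing attention.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1    # still valid at now + $2 days
    fi
    return 0
}

# DNS names from the subjectAltName of certificate $1, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# 0 if certificate $1 covers hostname $2. A wildcard matches exactly one label:
# *.ngrok.yuzq.org covers yzq.ngrok.yuzq.org, not a.b.ngrok.yuzq.org and not ngrok.yuzq.org.
cert_covers_name() {
    name=$2
    parent=${name#*.}    # host without its leftmost label; unchanged when it has no dot
    for san in $(cert_dns_names "$1"); do
        if [ "$san" = "$name" ]; then
            return 0
        fi
        case "$san" in
            "*."*)
                if [ "$name" != "$parent" ] && [ "${san#\*.}" = "$parent" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# 0 if private key $2 belongs to certificate $1; nginx refuses to start on a mismatch,
# the usual symptom of a renewal that rotated one file but not the other.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks on a deployment: $1 fullchain.pem, $2 privkey.pem, $3 server_name.
check_deployment() {
    ok=0
    cert_key_match "$1" "$2" || { echo "FAIL: $2 does not match $1"; ok=1; }
    cert_covers_name "$1" "$3" || { echo "FAIL: $1 does not cover $3"; ok=1; }
    if cert_expires_within "$1" 30; then
        echo "WARN: $1 expires within 30 days, run certbot-auto renew"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: $1 and $2 match and cover $3 for more than 30 days"
    return "$ok"
}

# Constructed test material: a self-signed stand-in for the wildcard lineage
# /etc/letsencrypt/live/ngrok.yuzq.org, written to $1 (cert) and $2 (key), valid $3 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=ngrok.yuzq.org" \
        -addext "subjectAltName=DNS:*.ngrok.yuzq.org,DNS:ngrok.yuzq.org" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# `sh le-check.sh demo` exercises everything against the throwaway certificate.
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir/fullchain.pem" "$dir/privkey.pem" 20
    if port_free 80; then
        echo "port 80 free: certbot --standalone can bind it"
    else
        echo "port 80 busy or unknown: stop the web server around renewal or use --webroot"
    fi
    check_deployment "$dir/fullchain.pem" "$dir/privkey.pem" yzq.ngrok.yuzq.org
    rm -rf "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Against the post's real paths the call is check_deployment /etc/letsencrypt/live/ngrok.yuzq.org/fullchain.pem /etc/letsencrypt/live/ngrok.yuzq.org/privkey.pem yzq.ngrok.yuzq.org, which is a sensible thing to run from the renewal deploy hook before reloading nginx; the 20-day demo certificate deliberately trips the expiry warning.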