Certbot-auto: Free SSL Certificates for HTTPS

1. Download the certbot-auto client

wget https://dl.eff.org/certbot-auto   # download
chmod a+x certbot-auto                 # make it executable
./certbot-auto --help                  # show the help

2. Configure nginx

server
{
    listen 80;
    server_name xxx.com www.xxx.com;
    index index.php index.html index.htm;
    root /www/wwwroot/xxx.com;

    # Directory used for the ACME (HTTP-01) challenge when requesting the certificate.
    # Its root must be the same directory passed to certbot with -w below.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/xxx.com/;
    }

    # Do not expose the challenge directory itself
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    access_log  /www/wwwlogs/xxx.com.log;
    error_log  /www/wwwlogs/xxx.com.error.log;
}

Reload nginx:

/usr/local/nginx/sbin/nginx -s reload

3. Generate the SSL certificate

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /www/wwwroot/xxx.com  -d www.xxx.com
./certbot-auto certonly --email [email] --agree-tos --no-eff-email --webroot -w [webroot directory] -d [domain]

On success, certbot prints:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxx.com/fullchain.pem          # certificate (full chain) path
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxx.com/privkey.pem            # private key path
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. Continue configuring nginx (HTTPS)

server
{
    listen 80;
    server_name xxx.com www.xxx.com;

    # Keep serving ACME challenges over plain HTTP so renewals do not depend on the redirect
    # (a server-level `return` runs before location matching and would hide this block).
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/xxx.com/;
    }

    # Everything else goes to HTTPS
    location / {
        return 301 https://www.xxx.com$request_uri;
    }
}
server
{
    listen 443 ssl http2;
    server_name xxx.com www.xxx.com;
    index index.php index.html index.htm;
    root /www/wwwroot/xxx.com;

    ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
    # chain.pem is only used by nginx for OCSP stapling (together with `ssl_stapling on;`)
    ssl_trusted_certificate /etc/letsencrypt/live/www.xxx.com/chain.pem;

    # Files and directories that must never be served
    location ~ ^/(\.user\.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
        error_log off;
        access_log /dev/null;
    }

    location ~ .*\.(js|css)$
    {
        expires      12h;
        error_log off;
        access_log /dev/null;
    }
    access_log  /www/wwwlogs/xxx.com.log;
    error_log  /www/wwwlogs/xxx.com.error.log;
}

5. Certificate renewal

1. Check the certificate's validity period and expiry date

./certbot-auto certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
    Certificate Name: www.xxx.com
    Domains: www.xxx.com
    Expiry Date: 2019-08-14 06:33:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.xxx.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.xxx.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

openssl x509 -noout -dates -in /etc/letsencrypt/live/www.xxx.com/cert.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notBefore=May 16 06:33:04 2019 GMT
notAfter=Aug 14 06:33:04 2019 GMT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. Renew

# Test the renewal process without replacing anything (dry run)
./certbot-auto renew --dry-run

# If you do not need the output, run quietly
./certbot-auto renew --quiet

# Manual renewal, verbose
./certbot-auto renew -v

# Automatic renewal, without certbot-auto upgrading itself first
./certbot-auto renew --quiet --no-self-upgrade

# Scheduled renewal
Add a cron job with `crontab -e` (use the absolute path where certbot-auto was placed):
0 4 * * *  /usr/bin/certbot-auto renew --quiet --deploy-hook "/usr/local/nginx/sbin/nginx -s reload"    # daily at 04:00; `renew` does nothing until fewer than 30 days remain, so a job that only runs every two months can miss that window, and the deploy hook reloads nginx only when a certificate was actually replaced
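As an added check (example code, not part of the original post), this Python script parses the `openssl x509 -noout -dates` output shown above and walks a cron schedule against certbot's default 30-day renewal window, showing why a job that runs only every two months can let this page's certificate lapse while a daily job renews it in time. The sample dates are the ones printed above, embedded as a constructed string; the same parser works on the real output of the openssl command.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the `openssl x509 -noout -dates` output shown above.
SAMPLE_DATES = """notBefore=May 16 06:33:04 2019 GMT
notAfter=Aug 14 06:33:04 2019 GMT
"""

# certbot's default: `renew` only replaces a certificate with fewer than 30 days left.
RENEW_WINDOW_DAYS = 30

def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as naive UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for m in re.finditer(r"^(notBefore|notAfter)=(.+?)\s*GMT\s*$", text, re.M):
        found[m.group(1)] = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y")
    return found["notBefore"], found["notAfter"]

def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days

def bimonthly_runs(year, hour=4):
    """Run times produced by the cron line `0 4 1 */2 *`: 04:00 on the 1st of Jan, Mar, May, ..."""
    return [datetime(year, month, 1, hour) for month in range(1, 13, 2)]

def daily_runs(start, end, hour=4):
    """Run times for a daily `0 4 * * *` job between two dates."""
    run, runs = start.replace(hour=hour, minute=0, second=0), []
    while run <= end:
        runs.append(run)
        run += timedelta(days=1)
    return runs

def simulate_schedule(not_before, not_after, runs, window=RENEW_WINDOW_DAYS):
    """Walk the cron runs in order; return (run that renews, True if the cert expired first)."""
    for run in runs:
        if run < not_before:
            continue  # the job ran before this certificate was issued
        left = days_remaining(not_after, run)
        if left < 0:
            return None, True  # expired before any run fell inside the window
        if left < window:
            return run, False  # certbot renews on this run
    return None, False  # no run has reached the window yet

if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    print(simulate_schedule(nb, na, bimonthly_runs(nb.year)))  # (None, True): the cert lapses
    print(simulate_schedule(nb, na, daily_runs(nb, na)))       # renewed on 2019-07-16 04:00
```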
