美文网首页DevOps/SRE
Let's Encrypt 安装配置教程,免费的 SSL 证书

Let's Encrypt 安装配置教程,免费的 SSL 证书

作者: willeny | 来源:发表于2018-11-29 16:44 被阅读0次

    官网:https://letsencrypt.org/

    安装Let's Encrypt

    安装非常简单直接克隆就可以了

    git clone https://github.com/letsencrypt/letsencrypt
    

    生成通配符证书

    期间需要根据提示设置DNS TXT记录,用作你对判断你是否拥有域名使用权

     cd letsencrypt
    ./certbot-auto certonly  -d *.you.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
    

    其中"you.cn"换成你的一级域名即可

    参数 说明
    certonly 表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。
    --manual 表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择
    -d 为那些主机申请证书,如果是通配符,输入 *.you.cn(可以替换为你自己的一级域名)
    --preferred-challenges dns 使用 DNS 方式校验域名所有权
    --server Let's Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。

    接着可以看到下面界面结果:

    Dependency Installed:
      dwz.x86_64 0:0.11-3.el7             perl-srpm-macros.noarch 0:1-8.el7             tcl.x86_64 1:8.5.13-8.el7             tix.x86_64 1:8.4.3-12.el7             tk.x86_64 1:8.5.13-6.el7             tkinter.x86_64 0:2.7.5-69.el7_5            
    
    Complete!
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): 123@163.com
    
    

    接下来需要输入些指令

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: N
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for kuaichuangkeji.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    

    这里有几个需交互的提示

    • 是否同意 Let's Encrypt 协议要求=>需要同意
    • 是否分享你的邮箱
    • 询问是否对域名和机器(IP)进行绑定=>需要同意

    需要注意的地方:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.you.cn with the following value:
    
    RYtObhDvEcXewZckknNQkBKIkvwIlbb4PNRel74LNwU
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    

    要求配置 DNS TXT 记录,从而校验域名所有权,也就是判断证书申请者是否有域名的所有权。

    上面输出要求给 _acme-challenge.you.cn 配置一条 TXT 记录,在没有确认 TXT 记录生效之前不要回车执行。

    我用的是阿里云的域名服务器,控制台具体操作如下图所示:

    服务器域名dns配置

    确认生效后,回车执行,输出如下

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/you.cn/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/you.cn/privkey.pem
       Your cert will expire on 2019-02-27. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    

    看到这个界面内容的话,恭喜你,证书安装成功了。

    证书续签

    注:证书在到期前30天才会续签成功,但为了确保证书在运行过程中不过期,官方建议每天自动执行续签两次;
    使用crontab自动续期

    crontab -e // 编辑定时任务
    0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"
    
    • 需要注意"/etc/init.d/nginx reload"为nginx重启命令,需要根据自己服务器的重启命令重启即可;这里建议使用reload,不推荐使用restart,因为这样万一配错了,也不会影响服务器其他项目的运行

    证书保存的路径[配置nginx需要用到的]

    /etc/letsencrypt/live/you.cn/fullchain.pem
    /etc/letsencrypt/live/you.cn/privkey.pem
    

    nginx 开启 https

    证书生成完成后可以到 /etc/letsencrypt/live/ 目录下查看对应域名的证书文件。编辑 nginx 配置文件监听 443 端口,启用 SSL,并配置 SSL 的公钥、私钥证书路径:

    server {
       listen   443 ssl;
       server_name  you.cn;
       root /home/www/you;
       index  index.html index.htm index.php;
    
        ssl on;
        ssl_certificate /etc/letsencrypt/live/you.cn/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/you.cn/privkey.pem;
        ...
    }
    

    添加 HTTP 自动跳转到 HTTPS:

    server {
        listen 80;
        server_name you.cn;
        location / {
            rewrite ^(.*)$  https://$host$1 permanent;
        }
    }
    
    配置好nginx后,重启nginx
    证书安装成功后,该域名下的所有二级域名都可以使用噢

    取消证书

    可以使用一下命令取消刚刚生成的密匙,也就是以上的反操作:

    certbot revoke --cert-path /etc/letsencrypt/live/you.cn/cert.pem
    certbot delete --cert-name you.cn
    
    参考的网址有

    相关文章

      网友评论

        本文标题:Let's Encrypt 安装配置教程,免费的 SSL 证书

        本文链接:https://www.haomeiwen.com/subject/essfcqtx.html