有两种安装方式, 其一是手动的. 由于我已经将系统升级到debian8, 故应该可以用Cerbot自动安装证书.
- 添加backports到sources.list
首先确定原来的源是那种类型:
sudo cat /etc/apt/sources.list
我的是jessie
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-updates main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free
故添加
sudo echo "deb http://ftp.debian.org/debian jessie-backports main" >>/etc/apt/sources.list
若为stretch, 这改为
sudo echo "deb http://ftp.debian.org/debian stretch-backports main" >>/etc/apt/sources.list
- 安装
jessie backports:
sudo apt-get update
sudo apt-get install certbot -t jessie-backports
sudo apt-get install python-certbot-nginx -t jessie-backports
- 为每个网站添加证书:
sudo certbot --nginx
这时会列出网站列表, 直接回车表示全选.
由于我以前为部分网站添加过证书, 此时会提示是否覆盖, 直接选E(expand and replace)即可.
如果提示tsl handshake失败的话, 可能是你网站配置的问题. 建议关闭cloudflare, 即DNS配置中使用直连, 不要经过cloudflare.
注意, debug log放在/var/log/letsencrypt/letsencrypt.log, 有问题的话可以查看.
成功后, 你会看到原来的nginx 网站配置文件已经新添加了ssl 证书的配置. 且显示消息
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxxx.yourdomain.com.cn/fullchain.pem. Your cert will
expire on 2019-01-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew all of your
certificates, run "certbot renew"If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
网友评论