Deploying a free Let's Encrypt SSL certificate with automatic renewal
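Free SSL certificate site: https://letsencrypt.org/zh-cn/getting-started/
Prerequisites
- You need a domain name; the tool generates a certificate for the specified domain. (Entering an IP address fails with a "not supported" error.)
- HTTPS must be reachable on the server the domain points to. (Otherwise you get an error saying port 443 cannot be found.)
- A Linux environment is required.
Deployment
Getting Let's Encrypt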
    # Download the installer tool
    wget https://dl.eff.org/certbot-auto
    # Make the installer executable
    chmod a+x certbot-auto
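Run the automatic deployment
    ./certbot-auto
A large number of dependency packages are downloaded during deployment; this is nothing to worry about. If you are asked to confirm, enter "y". Note that the run will appear to hang at 'Installing Python packages'; wait a while for the Python libraries to download.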
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.xxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.xxx.com/privkey.pem
Your cert will expire on 3030-09-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
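Note: the free certificate is valid for 3 months and must be renewed when it expires. You can renew it manually by running
    ./certbot-auto renew
or write a command that runs automatically to perform the renewal.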
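One way to write the automatic renewal command mentioned above, as an added example that is not part of the original post: a wrapper run daily from cron that renews, reloads nginx only after a real renewal, and logs an alert if the certificate is still close to expiry. The script path /root/renew-cert.sh, the certbot-auto location, the log file, the reload command and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed paths and names:
CERTBOT="${CERTBOT:-/root/certbot-auto}"      # assumed download location
CERT="${CERT:-/etc/letsencrypt/live/www.xxx.com/fullchain.pem}"  # path from the output above
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"   # assumed way to reload nginx
LOG="${LOG:-/var/log/certbot-renew.log}"      # assumed log file
WARN_DAYS="${WARN_DAYS:-14}"                  # assumed alert threshold

# Succeeds (exit 0) when the certificate in $1 expires within $2 days.
# An unreadable or missing file also counts as "expiring", so it raises the alert.
expires_within() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Runs the renewal, then verifies the result instead of trusting the exit code.
# Returns 0 = fine, 2 = certificate still close to expiry, else certbot's status.
renew_and_check() {
    # certbot only replaces certificates that are close to expiry, so a daily
    # run is normally a no-op; --deploy-hook fires only after a real renewal.
    rc=0
    "$CERTBOT" renew --quiet --deploy-hook "$RELOAD_CMD" >>"$LOG" 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || echo "$(date) certbot renew exited with status $rc" >>"$LOG"
    if expires_within "$CERT" "$WARN_DAYS"; then
        echo "$(date) ALERT: $CERT expires within $WARN_DAYS days" >>"$LOG"
        return 2
    fi
    return "$rc"
}

# Only act when called as "renew-cert.sh run", e.g. from this crontab line:
#   17 3 * * * /root/renew-cert.sh run
if [ "${1:-}" = "run" ]; then
    renew_and_check
fi
```

Watching the log for the ALERT line catches the case where renewal keeps failing silently until the 3-month certificate lapses.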
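Configuring the nginx SSL service
    server {
        listen 443 ssl;
        server_name sample.com;
        # Certificate chain and private key issued by Let's Encrypt
        ssl_certificate /etc/letsencrypt/live/www.sample.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.sample.com/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled;
        # add TLSv1.3 if your nginx and OpenSSL builds support it
        ssl_protocols TLSv1.2;
        location / {
            index index.html index.htm;
        }
    }
Once the configuration is complete, restart nginx.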