Let's Encrypt free HTTPS certificates
A script for requesting free HTTPS certificates from Let's Encrypt. Its certificates are only valid for 90 days, but renewal can be automated with a script, so it is still a good choice.
1. Generating the certificate with letsencrypt.sh
1.1 Creating the directories
```sh
cd ~
git clone https://github.com/lukas2511/letsencrypt.sh
sudo mkdir -p /etc/letsencrypt.sh
sudo mkdir -p /var/www/letsencrypt.sh
sudo chown `whoami` -R /var/www/letsencrypt.sh
sudo chown `whoami` -R /etc/letsencrypt.sh
cp ~/letsencrypt.sh/docs/examples/config /etc/letsencrypt.sh/config
cp ~/letsencrypt.sh/docs/examples/domains.txt /etc/letsencrypt.sh/domains.txt
```
1.2 Editing the letsencrypt.sh configuration
```sh
vi /etc/letsencrypt.sh/config
```
```sh
BASEDIR="/etc/letsencrypt.sh/"
WELLKNOWN="/var/www/letsencrypt.sh/"
```
```sh
vi /etc/letsencrypt.sh/domains.txt
```
```text
91any.com www.91any.com
```
1.3 Editing the nginx configuration
```nginx
server {
    listen 80;
    ....
    # Serve the ACME http-01 challenge files written by letsencrypt.sh (WELLKNOWN).
    location /.well-known/acme-challenge {
        allow all;
        alias /var/www/letsencrypt.sh/;
    }
    ...
}
```
When the certificate is generated, Let's Encrypt confirms that you control the domain by fetching a URL of the form: http://foo.com/.well-known/acme-challenge/xxxxxxx_xxxxx
After changing the nginx configuration, nginx has to be reloaded.
```sh
sudo /etc/init.d/nginx configtest
 * Testing nginx configuration [OK ]
sudo /etc/init.d/nginx reload
 * Reloading nginx configuration nginx [ OK ]
```
1.4 Running the script that generates the SSL certificate
```sh
~/letsencrypt.sh/letsencrypt.sh -c
```
```text
## INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing 91any.com with alternative names: www.91any.com
+ Signing domains...
+ Creating new directory /etc/letsencrypt.sh/certs/91any.com ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for 91any.com...
+ Requesting challenge for www.91any.com...
+ Responding to challenge for 91any.com...
+ Challenge is valid!
+ Responding to challenge for www.91any.com...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
```
This output shows that the certificate was generated successfully. Next, configure the SSL certificate in nginx.
2. Configuring the SSL certificate in nginx
```sh
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```
2.1 The nginx configuration
```sh
sudo vi /etc/nginx/sites-enabled/qiangda_production
```
```nginx
server {
    listen 80;
    listen 443 ssl;
    ## listen 443 ssl http2;
    listen [::]:443 ssl;
    # "ssl on;" is not used here: the "ssl" parameter on the 443 listeners already
    # enables TLS, and "ssl on;" would force TLS on the port-80 listener as well,
    # so plain http:// requests would be rejected.
    ssl_certificate /etc/letsencrypt.sh/certs/91any.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt.sh/certs/91any.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;## omit SSLv3 because of POODLE (CVE-2014-3566)
    # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); TLSv1.2 alone is the safer choice today.
    ssl_stapling on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
```
2.2 Testing the configuration and restarting nginx
```sh
# The test reports exactly which line has a problem.
sudo nginx -c /etc/nginx/nginx.conf -t
sudo /etc/init.d/nginx restart
```
Yeah!!! The site opens successfully.
Next, set up the certificate to be renewed once a month.
3. Adding the automatic renewal script
```sh
mv ~/letsencrypt.sh /etc/letsencrypt.sh/
vi /etc/letsencrypt.sh/auto-renew.sh
```
```sh
#!/bin/sh
# Renew any certificate in domains.txt that is close to expiry, then reload nginx.
/etc/letsencrypt.sh/letsencrypt.sh/letsencrypt.sh -c
sudo service nginx reload
```
- Make the script executable
```sh
# 700 rather than 777: a world-writable script run from cron lets any local user inject commands into it.
chmod 700 /etc/letsencrypt.sh/auto-renew.sh
```
- Change the default editor from nano to vim. Skip this step if you prefer nano.
```sh
vim ~/.selected_editor
```
```sh
SELECTED_EDITOR="/usr/bin/vim.tiny"
```
- Add the log directory
```sh
mkdir -p /etc/letsencrypt.sh/log
crontab -e
```
```text
1 0 1 * * /etc/letsencrypt.sh/auto-renew.sh >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1
```
Restart the cron service.
```sh
sudo service cron restart
```
Done!
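The renewal job above reloads nginx unconditionally and gives no visibility into how close the certificate is to expiry. The following is an added example, not part of the original post or of letsencrypt.sh: it reads the certificate's notAfter date, decides whether renewal is due, and reloads nginx only after the configuration test passes. It assumes GNU date and openssl on the host; the 30-day threshold and the function names are choices made here.

```shell
#!/bin/sh
# Added example: expiry check plus a guarded nginx reload for auto-renew.sh.
# Assumes GNU date (Linux) and openssl in PATH.

RENEW_BEFORE_DAYS=30   # renewal window chosen here, not specified by the post

# to_epoch: convert a "notAfter=Mon DD HH:MM:SS YYYY GMT" line, as printed by
# `openssl x509 -noout -enddate`, to seconds since the Unix epoch.
to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# days_left END_LINE [NOW_EPOCH]: whole days from NOW (default: current time)
# until notAfter; negative once the certificate has already expired.
days_left() {
    end=$(to_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# needs_renewal END_LINE [NOW_EPOCH]: exit status 0 when fewer than
# RENEW_BEFORE_DAYS remain, 1 otherwise.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt "$RENEW_BEFORE_DAYS" ]
}

# cert_enddate PEM: the notAfter line of the first (leaf) certificate in a file,
# so it works on the fullchain.pem that letsencrypt.sh writes.
cert_enddate() {
    openssl x509 -noout -enddate -in "$1"
}

# reload_nginx_if_valid: never reload on a broken configuration; the running
# nginx keeps serving the old configuration and the failure is logged instead.
reload_nginx_if_valid() {
    if sudo nginx -c /etc/nginx/nginx.conf -t; then
        sudo service nginx reload
    else
        echo "nginx config test failed; not reloading" >&2
        return 1
    fi
}

# Typical use from the cron job (paths are the post's own):
#   if needs_renewal "$(cert_enddate /etc/letsencrypt.sh/certs/91any.com/fullchain.pem)"; then
#       /etc/letsencrypt.sh/letsencrypt.sh/letsencrypt.sh -c && reload_nginx_if_valid
#   fi
```

letsencrypt.sh itself only renews a certificate once it is inside its RENEW_DAYS window (30 days by default), so a job that runs once a month can be left with as little as a day of margin; running it weekly or daily costs nothing and removes that risk.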