Let’s Encrypt免费的https证书

Aug 11, 2016

申请Let's Encrypt 免费https证书脚本。他的证书有效期只有90天，但是可以用自动化脚本继约，所以还是不很错的选择。

1. letsencrypt.sh证书的生成

1.1 目录的生成

cd ~
git clone https://github.com/lukas2511/letsencrypt.sh

sudo mkdir -p /etc/letsencrypt.sh
sudo mkdir -p /var/www/letsencrypt.sh

sudo chown `whoami` -R /var/www/letsencrypt.sh
sudo chown `whoami` -R /etc/letsencrypt.sh

cp ~/letsencrypt.sh/docs/examples/config /etc/letsencrypt.sh/config
cp ~/letsencrypt.sh/docs/examples/domains.txt /etc/letsencrypt.sh/domains.txt

1.2 修改letsencrypt.sh配置

vi /etc/letsencrypt.sh/config

BASEDIR="/etc/letsencrypt.sh/"
WELLKNOWN="/var/www/letsencrypt.sh/"

vi /etc/letsencrypt.sh/domains.txt

91any.com www.91any.com

1.3 修改nginx的配置

server {
  listen 80;
  ....

  location /.well-known/acme-challenge {
    allow all;
    alias /var/www/letsencrypt.sh/;
  }
  ...
}

在生成的证书的时候，需要确认域名的有效性如： http://foo.com/.well-known/acme-challenge/xxxxxxx_xxxxx

修改完了nginx的配置需要重启.

sudo /etc/init.d/nginx configtest
* Testing nginx configuration              [OK ]

sudo /etc/init.d/nginx reload
 * Reloading nginx configuration nginx     [ OK ]

1.4 执行生成ssl证的脚本

~/letsencrypt.sh/letsencrypt.sh -c

## INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing 91any.com with alternative names: www.91any.com
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/91any.com ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for 91any.com...
 + Requesting challenge for www.91any.com...
 + Responding to challenge for 91any.com...
 + Challenge is valid!
 + Responding to challenge for www.91any.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

说明生成功完必了。接下来让配置ssl证到nginx中

2. 配置ssl证到nginx

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

2.1 nginx的配置

sudo vi /etc/nginx/sites-enabled/qiangda_production

server {
  listen 80;
  listen       443 ssl;
  ## listen 443 ssl http2;
  listen       [::]:443 ssl;

  ssl on;
  ssl_certificate /etc/letsencrypt.sh/certs/91any.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt.sh/certs/91any.com/privkey.pem;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;## omit SSLv3 because of POODLE (CVE-2014-3566)
  ssl_stapling on;
  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

}

2.1 测试脚本并重启nginx

#可以测试具体哪一行出问题。
sudo nginx -c /etc/nginx/nginx.conf -t
sudo /etc/init.d/nginx restart

yeah!!! 打开成功了。

接下来配置每个月更新一次证书。

3. 添加自动更新的脚本。

mv ~/letsencrypt.sh /etc/letsencrypt.sh/

vi /etc/letsencrypt.sh/auto-renew.sh

/etc/letsencrypt.sh/letsencrypt.sh/letsencrypt.sh -c
sudo service nginx reload

把脚本改为可执行

chmod 777 /etc/letsencrypt.sh/auto-renew.sh

把默认的nano改成vim.如果你喜欢nano的话跳过这一步。

vim ~/.selected_editor

SELECTED_EDITOR="/usr/bin/vim.tiny"

mkdir -p /etc/letsencrypt.sh/log

crontab -e

1 0 1 * * /etc/letsencrypt.sh/auto-renew.sh >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1

重下cron的服务

sudo service cron restart

搞定！