Let's Encrypt free HTTPS certificates
A script for obtaining a free Let's Encrypt HTTPS certificate. Its certificates are only valid for 90 days, but renewal can be automated with a script, so it is still a good choice.
1. Generating the certificate with letsencrypt.sh
1.1 Creating the directories
cd ~
git clone https://github.com/lukas2511/letsencrypt.sh
sudo mkdir -p /etc/letsencrypt.sh
sudo mkdir -p /var/www/letsencrypt.sh
sudo chown `whoami` -R /var/www/letsencrypt.sh
sudo chown `whoami` -R /etc/letsencrypt.sh
cp ~/letsencrypt.sh/docs/examples/config /etc/letsencrypt.sh/config
cp ~/letsencrypt.sh/docs/examples/domains.txt /etc/letsencrypt.sh/domains.txt
1.2 Editing the letsencrypt.sh configuration
vi /etc/letsencrypt.sh/config
BASEDIR="/etc/letsencrypt.sh/"
WELLKNOWN="/var/www/letsencrypt.sh/"
vi /etc/letsencrypt.sh/domains.txt
91any.com www.91any.com
1.3 Editing the nginx configuration
server {
listen 80;
....
location /.well-known/acme-challenge {
allow all;
alias /var/www/letsencrypt.sh/;
}
...
}
When the certificate is issued, Let's Encrypt verifies control of the domain by fetching a URL such as http://foo.com/.well-known/acme-challenge/xxxxxxx_xxxxx over plain HTTP, so this location must be reachable on port 80.
After changing the nginx configuration, test it and reload nginx.
sudo /etc/init.d/nginx configtest
* Testing nginx configuration [OK ]
sudo /etc/init.d/nginx reload
* Reloading nginx configuration nginx [ OK ]
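A small self-check that the /.well-known/acme-challenge alias really serves files from the WELLKNOWN directory, run before the certificate script so a wrong alias is caught locally rather than as a failed challenge from Let's Encrypt. This is an added example, not part of the original post or of letsencrypt.sh; it assumes the paths chosen in this post, that curl is installed, and that DNS for the domains already points at this host. The `fetch` helper is kept separate only so the check can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the original post): verify that nginx serves the
# ACME HTTP-01 challenge path from WELLKNOWN before running letsencrypt.sh -c.
# Assumptions: paths from this post, curl installed, DNS already pointing here.
set -eu

WELLKNOWN="/var/www/letsencrypt.sh"

# Fetch a URL over plain HTTP; the CA fetches the challenge on port 80 as well.
fetch() {
    curl -fsS --max-time 10 "$1"
}

# Build the challenge URL the CA would request for a domain and token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Write a throwaway token file into the WELLKNOWN directory, fetch it back
# through nginx and compare. Exit status 0 means nginx served exactly what
# was written, i.e. the location/alias pair is correct.
wellknown_selfcheck() {
    domain=$1
    dir=$2
    token="selfcheck-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$token" > "$dir/$token"
    got=$(fetch "$(challenge_url "$domain" "$token")" 2>/dev/null || true)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Invoke as: ./wellknown-check.sh run
if [ "${1:-}" = run ]; then
    for d in 91any.com www.91any.com; do
        if wellknown_selfcheck "$d" "$WELLKNOWN"; then
            echo "ok: $d serves /.well-known/acme-challenge/ from $WELLKNOWN"
        else
            echo "FAIL: $d does not serve /.well-known/acme-challenge/ from $WELLKNOWN" >&2
            exit 1
        fi
    done
fi
```

Run it once per domain listed in domains.txt; a failure here almost always means the `alias` path and WELLKNOWN differ, or port 80 is not reachable from outside.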
1.4 Running the script that generates the SSL certificate
~/letsencrypt.sh/letsencrypt.sh -c
## INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing 91any.com with alternative names: www.91any.com
+ Signing domains...
+ Creating new directory /etc/letsencrypt.sh/certs/91any.com ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for 91any.com...
+ Requesting challenge for www.91any.com...
+ Responding to challenge for 91any.com...
+ Challenge is valid!
+ Responding to challenge for www.91any.com...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
This means the certificate was generated successfully. Next, configure the SSL certificate in nginx.
2. Configuring the SSL certificate in nginx
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
2.1 nginx configuration
sudo vi /etc/nginx/sites-enabled/qiangda_production
server {
listen 80;
listen 443 ssl;
## listen 443 ssl http2;
listen [::]:443 ssl;
# "ssl on;" is intentionally not set: the "ssl" parameter on the listen directives is enough, and with "listen 80;" in the same block "ssl on;" would force TLS on port 80 as well.
ssl_certificate /etc/letsencrypt.sh/certs/91any.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt.sh/certs/91any.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;## omit SSLv3 because of POODLE (CVE-2014-3566)
ssl_stapling on; ## also needs "ssl_stapling_verify on;", "ssl_trusted_certificate" and a "resolver" so nginx can fetch and validate OCSP responses
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
2.2 Testing the configuration and restarting nginx
# -t reports exactly which line has a problem, if any.
sudo nginx -c /etc/nginx/nginx.conf -t
sudo /etc/init.d/nginx restart
Yeah!!! The site now opens over HTTPS.
Next, set up a certificate renewal once a month.
3. Adding the automatic renewal script.
mv ~/letsencrypt.sh /etc/letsencrypt.sh/
vi /etc/letsencrypt.sh/auto-renew.sh
#!/bin/sh
set -e
# renew whatever is due (letsencrypt.sh skips certificates that are not close to expiry)
/etc/letsencrypt.sh/letsencrypt.sh/letsencrypt.sh -c
# reload nginx so it picks up the new certificate; from cron, sudo must work without a password prompt
sudo service nginx reload
- Make the script executable
chmod 755 /etc/letsencrypt.sh/auto-renew.sh  # 755, not 777: a world-writable script run from cron is an easy privilege-escalation path
- Change the default editor from nano to vim. Skip this step if you prefer nano.
vim ~/.selected_editor
SELECTED_EDITOR="/usr/bin/vim.tiny"
- Add a log directory
mkdir -p /etc/letsencrypt.sh/log
crontab -e
1 0 1 * * /etc/letsencrypt.sh/auto-renew.sh >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1
Restart the cron service.
sudo service cron restart
Done!
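A more defensive version of auto-renew.sh, as an added example that is not part of the original post or of letsencrypt.sh. It assumes the paths chosen in this post and that the cron user may run `nginx -t` and `service nginx reload` via sudo without a password prompt (that sudoers entry is not described here). It takes a lock so overlapping cron runs cannot collide, reloads nginx only when a new certificate was actually written, and checks the configuration first so a broken edit does not take the site down during an unattended renewal.

```shell
#!/bin/sh
# Added example (not from the original post): a more defensive auto-renew.sh.
# Assumptions: paths from this post; passwordless sudo for nginx -t / reload.
set -eu

LE_DIR="/etc/letsencrypt.sh"
CERT="$LE_DIR/certs/91any.com/fullchain.pem"
LOCK="$LE_DIR/auto-renew.lock"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}

# Checksum of a file, or the empty string if it does not exist.
# cksum is POSIX, so this runs on any sh; sha256sum would do as well.
fingerprint() {
    if [ -f "$1" ]; then
        cksum < "$1" | cut -d' ' -f1
    else
        echo ""
    fi
}

# True (exit 0) when the fingerprints differ, i.e. a new certificate was written.
cert_changed() {
    [ "$1" != "$2" ]
}

main() {
    # Single instance: mkdir is atomic, so two overlapping runs cannot both proceed.
    mkdir "$LOCK" 2>/dev/null || { log "another run holds $LOCK, exiting"; exit 0; }
    trap 'rmdir "$LOCK"' EXIT

    before=$(fingerprint "$CERT")
    "$LE_DIR/letsencrypt.sh/letsencrypt.sh" -c
    after=$(fingerprint "$CERT")

    if cert_changed "$before" "$after"; then
        # Only touch nginx when a certificate was actually issued, and only after
        # the configuration still parses (set -e aborts before the reload otherwise).
        sudo nginx -t
        sudo service nginx reload
        log "certificate renewed, nginx reloaded"
    else
        log "certificate unchanged (letsencrypt.sh renews only within RENEW_DAYS of expiry)"
    fi
}

# Invoke as: /etc/letsencrypt.sh/auto-renew.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

With this version the crontab entry becomes `/etc/letsencrypt.sh/auto-renew.sh run >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1`; the log then records, per run, whether a renewal happened. Because letsencrypt.sh itself only renews within RENEW_DAYS of expiry, running the job more often than monthly (for example weekly) is safe and leaves more time to notice a failed renewal before the 90 days are up.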