Let’s Encrypt免费的https证书

申请Let’s Encrypt 免费https证书脚本。他的证书有效期只有90天,但是可以用自动化脚本继约,所以还是不很错的选择。

1. letsencrypt.sh证书的生成

1.1 目录的生成

1
2
3
4
5
6
7
8
9
10
11
cd ~
git clone https://github.com/lukas2511/letsencrypt.sh

sudo mkdir -p /etc/letsencrypt.sh
sudo mkdir -p /var/www/letsencrypt.sh

sudo chown `whoami` -R /var/www/letsencrypt.sh
sudo chown `whoami` -R /etc/letsencrypt.sh

cp ~/letsencrypt.sh/docs/examples/config /etc/letsencrypt.sh/config
cp ~/letsencrypt.sh/docs/examples/domains.txt /etc/letsencrypt.sh/domains.txt

1.2 修改letsencrypt.sh配置

vi /etc/letsencrypt.sh/config

1
2
BASEDIR="/etc/letsencrypt.sh/"
WELLKNOWN="/var/www/letsencrypt.sh/"

vi /etc/letsencrypt.sh/domains.txt

1
91any.com www.91any.com

1.3 修改nginx的配置

1
2
3
4
5
6
7
8
9
10
server {
  listen 80;
  ....

  location /.well-known/acme-challenge {
    allow all;
    alias /var/www/letsencrypt.sh/;
  }
  ...
}

在生成的证书的时候,需要确认域名的有效性如: http://foo.com/.well-known/acme-challenge/xxxxxxx_xxxxx

修改完了nginx的配置需要重启.

1
2
3
4
5
sudo /etc/init.d/nginx configtest
* Testing nginx configuration              [OK ]

sudo /etc/init.d/nginx reload
 * Reloading nginx configuration nginx     [ OK ]

1.4 执行生成ssl证的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
~/letsencrypt.sh/letsencrypt.sh -c

## INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing 91any.com with alternative names: www.91any.com
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/91any.com ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for 91any.com...
 + Requesting challenge for www.91any.com...
 + Responding to challenge for 91any.com...
 + Challenge is valid!
 + Responding to challenge for www.91any.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

说明生成功完必了。接下来让配置ssl证到nginx中

2. 配置ssl证到nginx

1
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

2.1 nginx的配置

sudo vi /etc/nginx/sites-enabled/qiangda_production

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
server {
  listen 80;
  listen       443 ssl;
  ## listen 443 ssl http2;
  listen       [::]:443 ssl;

  ssl on;
  ssl_certificate /etc/letsencrypt.sh/certs/91any.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt.sh/certs/91any.com/privkey.pem;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;## omit SSLv3 because of POODLE (CVE-2014-3566)
  ssl_stapling on;
  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

}

2.1 测试脚本并重启nginx

1
2
3
#可以测试具体哪一行出问题。
sudo nginx -c /etc/nginx/nginx.conf -t
sudo /etc/init.d/nginx restart

yeah!!! 打开成功了。

接下来配置每个月更新一次证书。

3. 添加自动更新的脚本。

1
mv ~/letsencrypt.sh /etc/letsencrypt.sh/

vi /etc/letsencrypt.sh/auto-renew.sh

1
2
/etc/letsencrypt.sh/letsencrypt.sh/letsencrypt.sh -c
sudo service nginx reload
  • 把脚本改为可执行
1
chmod 777 /etc/letsencrypt.sh/auto-renew.sh
  • 把默认的nano改成vim.如果你喜欢nano的话跳过这一步。

vim ~/.selected_editor

1
SELECTED_EDITOR="/usr/bin/vim.tiny"
  • 添加日志目录
1
mkdir -p /etc/letsencrypt.sh/log

crontab -e

1
1 0 1 * * /etc/letsencrypt.sh/auto-renew.sh >> /etc/letsencrypt.sh/log/lets-encrypt.log 2>&1

重下cron的服务

sudo service cron restart

搞定!

原文地址:http://dlj.bz/QcN6jA

Comments