Applying for a certificate

Since StartSSL and WoSign were distrusted, Let's Encrypt has become the best-known and most reliable source of free certificates.

Official site: https://letsencrypt.org/

# Download the client
git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

Obtain the certificate. This takes a while; along the way it asks whether you agree to the terms of service and so on. Press A, then Y.

./letsencrypt-auto certonly --webroot --email name@your_main_domain.com -d www.s2c.site -w /home/ly/www/s2csite/
  • --email: your contact email address
  • -d: the domain name the certificate is for
  • -w: the web root directory of the site

On success it prints a message telling you where the certificate files are:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.s2c.site/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.s2c.site/privkey.pem
   Your cert will expire on 2018-03-20. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

nginx configuration

Add the following to the nginx configuration file; the official tutorial is a useful reference:
https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/

Add the certificate to the configuration file

server {
    listen 443 ssl;    # "ssl on;" is deprecated; enable TLS on the listen directive instead
    root /home/ly/www/s2csite;
    index index.html index.htm index.php;
    server_name www.s2c.site;
    ssl_certificate /etc/letsencrypt/live/www.s2c.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.s2c.site/privkey.pem;
}

Automatically redirect HTTP to HTTPS

server {
    listen 80;
    server_name www.s2c.site;
    location / {
        # the host and the captured path must be nginx variables, not literal text
        rewrite ^(.*)$ https://$server_name$1 permanent;
    }
}

Automatic renewal

Because the certificates are valid for only 90 days, the official recommendation is to renew them every 60 days. We create a .sh file and have cron run it on a schedule.

#!/bin/sh
# This script renews all the Let's Encrypt certificates with a validity < 30 days

if ! /home/ly/ssl/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo "Automated renewal failed:"
    cat /var/log/letsencrypt/renew.log
    exit 1
fi

Give the file mode 755 (the owner can read, write and execute it; everyone else can read and execute it) and add the scheduled task:

crontab -e
# minute hour day-of-month month day-of-week  command
# run at 00:00 on the 1st of every month
0 0 1 * * /bin/sh /home/ly/ssl/renewCerts.sh
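An added check, not from the original post, to run after the renewal script and before reloading nginx: it confirms that privkey.pem really matches fullchain.pem and that the leaf certificate has more than 30 days left, using only openssl. The live directory path (CERT_DIR) and the --run flag are assumptions that mirror the paths shown earlier.

```shell
#!/bin/sh
# Added example (not the post's own code): sanity checks for a Let's Encrypt
# "live" directory. Paths below are assumptions matching the post.
set -u

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/www.s2c.site}"

# cert_matches_key CERT KEY: returns 0 when the public key inside the
# certificate equals the public key derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS: returns 0 when the certificate will still be
# valid DAYS days from now (openssl's -checkend avoids date parsing).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_live_cert DIR: returns 0 when key and chain agree and more than
# 30 days remain, the same threshold the renewal script relies on.
check_live_cert() {
    dir=$1
    cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" || {
        echo "privkey.pem does not match fullchain.pem in $dir" >&2; return 1; }
    cert_valid_for "$dir/fullchain.pem" 30 || {
        echo "certificate in $dir expires within 30 days" >&2; return 2; }
    echo "certificate in $dir is consistent and valid for more than 30 days"
}

# Stand-alone use: check the live directory, reload nginx only on success.
if [ "${1:-}" = "--run" ]; then
    check_live_cert "$CERT_DIR" && nginx -s reload
fi
```

Renewal through the webroot plugin only writes new files; nginx keeps serving the old certificate until it is reloaded, which is why the --run branch reloads it only after both checks pass.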