Requesting a certificate
Since StartSSL and WoSign were distrusted, Let's Encrypt has become the best-known and most reliable source of free certificates.
# Download
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Request the certificate. This takes a while; along the way you will be asked whether you agree to the terms of service and so on; press A, then Y.
./letsencrypt-auto certonly --webroot --email name@your_main_domain.com -d www.s2c.site -w /home/ly/www/s2csite/
- email: the e-mail address the account is registered to
- d: the domain name the certificate is for
- w: the web root directory (the challenge file is written under it)
On success it prints the paths of the certificate files:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.s2c.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.s2c.site/privkey.pem
Your cert will expire on 2018-03-20. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
nginx configuration
Configure nginx as follows; the official tutorial is at:
https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
Add the certificate to the configuration file
server {
    listen 443 ssl;          # "ssl on;" is deprecated; enable TLS on the listen directive instead
    root /home/ly/www/s2csite;
    index index.html index.htm index.php;
    server_name www.s2c.site;
    ssl_certificate /etc/letsencrypt/live/www.s2c.site/fullchain.pem;      # certificate plus chain
    ssl_certificate_key /etc/letsencrypt/live/www.s2c.site/privkey.pem;    # private key, readable by root only
}
Redirect http automatically to https
server {
    listen 80;
    server_name www.s2c.site;
    location / {
        # $server_name and $request_uri are nginx variables; the permanent redirect
        # keeps host, path and query string, so the browser lands on the same page over TLS
        return 301 https://$server_name$request_uri;
    }
}
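Once nginx has been reloaded it is worth checking that the two server blocks behave as intended. The script below is an added example (not part of the original post): it tests that a plain-http request is answered with a permanent redirect to https on the same host and path, and that the leaf certificate nginx actually presents is the one in fullchain.pem on disk (nginx keeps the old certificate in memory until it is reloaded). The host name and file path are placeholders taken from the post; the `redirect_ok` check also rejects a redirect to a literal, unexpanded host name, which is what a broken rewrite target produces.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the nginx TLS setup:
#   1. http://HOST/... answers 301/308 with Location https://HOST<same path>
#   2. the certificate served on :443 is the one in FULLCHAIN on disk
# HOST and FULLCHAIN are placeholders; override them in the environment.

HOST=${HOST:-www.s2c.site}
FULLCHAIN=${FULLCHAIN:-/etc/letsencrypt/live/$HOST/fullchain.pem}

# redirect_ok HEADERS HOST PATH -> exit 0 when HEADERS (as printed by "curl -sI")
# is a permanent redirect whose Location is exactly https://HOST<PATH>.
redirect_ok() {
    headers=$1; host=$2; path=$3
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r')
    case "$status" in
        301|308) ;;            # permanent redirects only
        *) return 1 ;;
    esac
    [ "$location" = "https://$host$path" ]
}

# served_fingerprint HOST -> SHA-256 fingerprint of the leaf certificate nginx presents
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# disk_fingerprint FILE -> SHA-256 fingerprint of the first (leaf) certificate in FILE
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

main() {
    rc=0
    path='/some/path?q=1'
    headers=$(curl -sI "http://$HOST$path")
    if redirect_ok "$headers" "$HOST" "$path"; then
        echo "redirect OK"
    else
        echo "redirect WRONG, got:"; printf '%s\n' "$headers"; rc=1
    fi
    if [ "$(served_fingerprint "$HOST")" = "$(disk_fingerprint "$FULLCHAIN")" ]; then
        echo "served certificate matches $FULLCHAIN"
    else
        echo "served certificate differs from $FULLCHAIN (nginx not reloaded?)"; rc=1
    fi
    exit "$rc"
}

# Run the live checks only when invoked as: sh check_tls.sh run
case "${1:-}" in run) main ;; esac
```

Run it with `sh check_tls.sh run` after every configuration change or renewal; a non-zero exit means either the redirect or the served certificate is not what the configuration above intends.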
Automatic renewal
Because a certificate is valid for only 90 days, the official advice is to renew every 60 days. We create a .sh script and have cron run it on a schedule.
#!/bin/sh
# This script renews all the Let's Encrypt certificates with a validity < 30 days
if ! /home/ly/ssl/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo "Automated renewal failed:"
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
Make the file executable (chmod 755) and add the scheduled job:
crontab -e
# minute hour day-of-month month day-of-week  command
# 03:00 on the 1st of every month; "renew" only replaces certificates with fewer than 30 days left, so a monthly run is enough
0 3 1 * * /bin/sh /home/ly/ssl/renewCerts.sh
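The renewal script above writes new files under /etc/letsencrypt/live, but nginx goes on serving the certificate it loaded at start-up until it is reloaded, so a renewal that is never followed by a reload still ends in an expired certificate. The script below is an added example, not the post's own script: it reads the expiry date of the certificate on disk, calls the renewer only when fewer than THRESHOLD_DAYS remain, reloads nginx after a successful renewal, and reports how many days are left. The paths are placeholders copied from the post; `cert_not_after_epoch` assumes GNU date (Linux) for parsing openssl's notAfter output.

```shell
#!/bin/sh
# Added example, not from the original post: cron-driven renewal with an nginx reload.
# Invoke from cron as:  0 3 1 * * /bin/sh /home/ly/ssl/renewCerts.sh run
# LE_BIN, CERT and LOG are placeholders; override them in the environment.

LE_BIN=${LE_BIN:-/home/ly/ssl/letsencrypt/letsencrypt-auto}
CERT=${CERT:-/etc/letsencrypt/live/www.s2c.site/fullchain.pem}
LOG=${LOG:-/var/log/letsencrypt/renew.log}
THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> prints whole days until expiry (negative once expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal NOT_AFTER_EPOCH NOW_EPOCH [THRESHOLD_DAYS] -> exit 0 when renewal is due
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt "${3:-$THRESHOLD_DAYS}" ]
}

# cert_not_after_epoch FILE -> prints the certificate's notAfter as a Unix timestamp.
# "openssl x509 -enddate" prints e.g. "notAfter=Mar 20 12:00:00 2018 GMT"; GNU date parses that.
cert_not_after_epoch() {
    date -u -d "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')" +%s
}

main() {
    now=$(date -u +%s)
    end=$(cert_not_after_epoch "$CERT") || { echo "cannot read $CERT"; exit 1; }
    if ! needs_renewal "$end" "$now"; then
        echo "$(days_left "$end" "$now") days left on $CERT, nothing to do"
        exit 0
    fi
    if ! "$LE_BIN" renew > "$LOG" 2>&1; then
        echo "Automated renewal failed:"; cat "$LOG"; exit 1
    fi
    # Renewal succeeded: validate the config, then make nginx load the new files.
    if ! nginx -t >>"$LOG" 2>&1 || ! nginx -s reload >>"$LOG" 2>&1; then
        echo "nginx reload failed:"; cat "$LOG"; exit 1
    fi
    echo "renewed; $(days_left "$(cert_not_after_epoch "$CERT")" "$now") days left now"
}

# Run only when invoked with the "run" argument, so the functions can be sourced and tested.
case "${1:-}" in run) main ;; esac
```

The expiry pre-check is cheap insurance: if the renewer is misconfigured, the log still records how many days remain, which is the number to alert on well before the 90-day lifetime runs out.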