摘要:官網(wǎng)安裝安裝非常簡單直接克隆就可以了生成通配符證書期間需要根據(jù)提示設(shè)置記錄用作你對判斷你是否擁有域名使用權(quán)其中換成你的一級域名即可參數(shù)說明表示安裝模式�����,有安裝模式和驗(yàn)證模式兩種類型的插件�����。
官網(wǎng):https://letsencrypt.org/
安裝Let"s Encrypt
安裝非常簡單直接克隆就可以了
git clone https://github.com/letsencrypt/letsencrypt
生成通配符證書
期間需要根據(jù)提示設(shè)置DNS TXT記錄,用作你對判斷你是否擁有域名使用權(quán)
cd letsencrypt
./certbot-auto certonly -d *.you.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
其中"you.cn"換成你的一級域名即可
| 參數(shù) |
說明 |
| certonly |
表示安裝模式,Certbot 有安裝模式和驗(yàn)證模式兩種類型的插件��。 |
| --manual |
表示手動安裝插件��,Certbot 有很多插件�,不同的插件都可以申請證書,用戶可以根據(jù)需要自行選擇 |
| -d |
為那些主機(jī)申請證書��,如果是通配符�����,輸入 *.you.cn(可以替換為你自己的一級域名) |
| --preferred-challenges dns |
使用 DNS 方式校驗(yàn)域名所有權(quán) |
| --server |
Let"s Encrypt ACME v2 版本使用的服務(wù)器不同于 v1 版本�����,需要顯示指定����。 |
接著可以看到下面界面結(jié)果:
Dependency Installed:
dwz.x86_64 0:0.11-3.el7 perl-srpm-macros.noarch 0:1-8.el7 tcl.x86_64 1:8.5.13-8.el7 tix.x86_64 1:8.4.3-12.el7 tk.x86_64 1:8.5.13-6.el7 tkinter.x86_64 0:2.7.5-69.el7_5
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter "c" to
cancel): [email protected]
接下來需要輸入些指令
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let"s Encrypt project and the non-profit
organization that develops Certbot? We"d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kuaichuangkeji.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you"re running certbot in manual mode on a machine that is not
your server, please ensure you"re okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
這里有幾個需交互的提示
是否同意 Let"s Encrypt 協(xié)議要求=>需要同意
是否分享你的郵箱
詢問是否對域名和機(jī)器(IP)進(jìn)行綁定=>需要同意
需要注意的地方:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.you.cn with the following value:
RYtObhDvEcXewZckknNQkBKIkvwIlbb4PNRel74LNwU
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
要求配置 DNS TXT 記錄,從而校驗(yàn)域名所有權(quán)�����,也就是判斷證書申請者是否有域名的所有權(quán)�����。
上面輸出要求給 _acme-challenge.you.cn 配置一條 TXT 記錄,在沒有確認(rèn) TXT 記錄生效之前不要回車執(zhí)行�����。
我用的是阿里云的域名服務(wù)器����,控制臺具體操作如下圖所示:
確認(rèn)生效后,回車執(zhí)行��,輸出如下
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/you.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/you.cn/privkey.pem
Your cert will expire on 2019-02-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let"s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
看到這個界面內(nèi)容的話����,恭喜你,證書安裝成功了���。
證書續(xù)簽
注:證書在到期前30天才會續(xù)簽成功,但為了確保證書在運(yùn)行過程中不過期,官方建議每天自動執(zhí)行續(xù)簽兩次;
使用crontab自動續(xù)期
crontab -e // 編輯定時任務(wù)
0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"
需要注意"/etc/init.d/nginx reload"為nginx重啟命令�,需要根據(jù)自己服務(wù)器的重啟命令重啟即可��;這里建議使用reload����,不推薦使用restart,因?yàn)檫@樣萬一配錯了���,也不會影響服務(wù)器其他項(xiàng)目的運(yùn)行
證書保存的路徑[配置nginx需要用到的]
/etc/letsencrypt/live/you.cn/fullchain.pem
/etc/letsencrypt/live/you.cn/privkey.pem
nginx 開啟 https
證書生成完成后可以到 /etc/letsencrypt/live/ 目錄下查看對應(yīng)域名的證書文件�。編輯 nginx 配置文件監(jiān)聽 443 端口���,啟用 SSL����,并配置 SSL 的公鑰��、私鑰證書路徑:
server {
listen 443 ssl;
server_name you.cn;
root /home/www/you;
index index.html index.htm index.php;
ssl on;
ssl_certificate /etc/letsencrypt/live/you.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/you.cn/privkey.pem;
...
}
添加 HTTP 自動跳轉(zhuǎn)到 HTTPS:
server {
listen 80;
server_name you.cn;
location / {
rewrite ^(.*)$ https://$host$1 permanent;
}
}
配置好nginx后���,重啟nginx
證書安裝成功后�����,該域名下的所有二級域名都可以使用噢
取消證書
可以使用一下命令取消剛剛生成的密匙�,也就是以上的反操作:
certbot revoke --cert-path /etc/letsencrypt/live/you.cn/cert.pem
certbot delete --cert-name you.cn
參考的網(wǎng)址有
https://sanonz.github.io/2017..."s-encrypt-free-ssl-https/
https://www.jianshu.com/p/c5c...
https://segmentfault.com/a/11...
https://www.jianshu.com/p/e32...
https://segmentfault.com/a/11...
https://segmentfault.com/a/11...
https://wp.wt629.com/archives...
https://www.yiichina.com/tuto...
文章版權(quán)歸作者所有�����,未經(jīng)允許請勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除����。
轉(zhuǎn)載請注明本文地址:http://systransis.cn/yun/40225.html
