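# Fetch the certbot-auto client script over HTTPS.
# NOTE: EFF has since deprecated certbot-auto; on current systems install
# Certbot from the distribution packages or the snap instead.
# The script is later run as root, so check it against the signature or
# checksum published by the project before making it executable.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# Move it onto PATH so it can be called from anywhere (needs root):
#   sudo certbot-auto [options]
# Keep the installed file owned by root and not writable by other users.
mv certbot-auto /usr/local/bin/
# First run: installs the dependencies and performs the initial setup.
certbot-auto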
生成证书
# Obtain a certificate with the webroot plugin (nothing is installed into
# the web server). 网站根目录 is a placeholder for the site's document root
# and 网站域名 for the site's domain name.
certbot-auto certonly --webroot \
  --webroot-path 网站根目录 \
  --domain 网站域名
出现以下信息表示成功
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert
will expire on 2018-11-15. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
配置nginx
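# HTTPS virtual host: serves the PHP site with the Let's Encrypt certificate.
server {
    listen 443 ssl;
    # Placeholder: must be a name the certificate referenced below covers,
    # otherwise clients get a hostname-mismatch error.
    server_name xxx.com;
    root /var/www/html/af/web;
    index index.php;

    # Files written by certbot. Keep privkey.pem readable by root only.
    ssl_certificate /etc/letsencrypt/live/af.opfansu.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/af.opfansu.top/privkey.pem;
    # Only consulted for OCSP-stapling or client-certificate verification;
    # it has no effect unless one of those is enabled.
    ssl_trusted_certificate /etc/letsencrypt/live/af.opfansu.top/chain.pem;

    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated and removed here. Add TLSv1.3 when
    # nginx (>= 1.13) is built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only; the broad ECDHE/ECDH/AES/HIGH groups
    # also enabled CBC-mode and static-key suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        index index.php;
    }

    # PHP handling
    location ~ \.php {
        # Split the URI into script name and PATH_INFO.
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        # Refuse requests whose script file does not exist under root, so
        # that only real .php files are ever handed to PHP-FPM.
        try_files $fastcgi_script_name =404;
        # try_files resets $fastcgi_path_info, so keep a copy first.
        set $path_info $fastcgi_path_info;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}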
监听80端口跳转到https
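# Plain-HTTP virtual host: permanently redirects every request to HTTPS.
server {
    listen 80;
    server_name af.opfansu.top;
    root /var/www/html/af/web;
    index index.php;

    location / {
        # `return` is the idiomatic redirect and avoids a regex rewrite.
        # $server_name is the name configured above, not the client-supplied
        # Host header, so the redirect target cannot be influenced by the
        # request.
        return 301 https://$server_name$request_uri;
    }
}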
ps:重启 nginx 时如果报错 nginx: [emerg] unknown directive "ssl",说明 nginx 编译时没有包含 ssl 模块,需要带上 --with-http_ssl_module 参数重新编译
nginx编译ssl
免费证书90天会过期
手动续签
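# Manual renewal. The client was installed above as certbot-auto, so call it
# by that name.
#   --agree-tos  accept the terms of service without prompting
#   --dry-run    simulate the renewal only; remove it to renew for real
certbot-auto renew --agree-tos --dry-run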
自动续签
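# Automatic renewal: edit the crontab of the account that runs certbot-auto
# and add the entry below.
crontab -e
# The client was installed as /usr/local/bin/certbot-auto; a job pointing at
# /usr/local/bin/certbot would fail on every run and the certificate would
# expire unnoticed.
# `renew` only acts on certificates within 30 days of expiry, so run it
# twice a day rather than monthly: a single failed monthly run could
# otherwise let a 90-day certificate lapse.
# The hook reloads nginx only after a certificate was actually renewed
# (newer Certbot releases name this option --deploy-hook).
0 0,12 * * * /usr/local/bin/certbot-auto renew --renew-hook "service nginx reload"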
回收证书
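# Revoke the certificate (xxx.com is a placeholder; the directory name under
# /etc/letsencrypt/live/ is case-sensitive).
# If the private key may have been exposed, add `--reason keycompromise`
# and issue the replacement certificate with a new key.
certbot-auto revoke --cert-path /etc/letsencrypt/live/xxx.com/cert.pem
# Delete the certificate and its renewal configuration from this host.
# Remove the nginx ssl_certificate* references first, or nginx will fail to
# start on the missing files.
certbot-auto delete --cert-name xxx.com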