版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/u010277446/article/details/80365307
Let’s Encrypt部署Https证书
安装Certbot
1.安装certbot
apt -t jessie-backports install certbot
证书生成过程
1.配置nginx
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /home/workspace/www;
}
location = /.well-known/acme-challenge/ {
return 404;
}
2.生成证书
certbot certonly -d www.example.cn
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.cn
Select the webroot for www.example.cn:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for www.example.cn: (Enter 'c' to cancel):/home/workspace/www/
3.成功
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.example.cn/fullchain.pem. Your cert will
expire on 2018-02-25. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4.设置nginx配置https证书
- 侦听80端口,将所有80请求强制转到https请求
server {
#监听端口, http强制转到https
listen 80;
server_name www.example.cn;
return 301 https://$server_name$request_uri;
}
- 配置https证书
server {
# listen 80;
listen 443 ssl ;
server_name www.example.cn;
ssl_certificate /etc/letsencrypt/live/www.example.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.cn/privkey.pem;
# ....
}
证书自动更新
1.模拟证书更新
certbot renew --dry-run
2.设置定时任务
crontab -e
10 3 */15 * * certbot renew >> /var/log/nginx/certrenew.log