1. Install certbot
yum install certbot
The following error appears:
Failed:
python-urllib3.noarch 0:1.10.2-5.el7
Install the Python urllib3 module with pip:
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3
Check the help:
certbot -h
If the following output appears, the installation succeeded:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
(the certbot apache plugin is not installed)
--standalone Run a standalone webserver for authentication
(the certbot nginx plugin is not installed)
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path)
delete Delete a certificate
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. Generate the certificate
certbot certonly --webroot -w /usr/local/html -d www.test.com
The certificate is written to:
/etc/letsencrypt/live/www.test.com
3. nginx configuration
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl on;    # deprecated: "listen 443 ssl;" already enables TLS, and the ssl directive was removed in nginx 1.25.1
    ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem;      # certificate plus intermediate chain
    ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem;    # private key; keep it readable by root only
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer "TLSv1.2 TLSv1.3"
    ssl_prefer_server_ciphers on;
    error_page 403 /error.html;
    error_page 404 /error/404.html;
    location = /error.html {
        root /home/tomcat/web/;
        allow all;
    }
    location /error/ {
        root /usr/local/nginx_html;
        allow all;
    }
    location / {
        root /usr/local/html;
        index index.html index.htm;
    }
}
Redirect configuration (plain HTTP to HTTPS):
server {
    listen *:80;
    server_name www.test.com;    # if several domains should redirect to this server, list them separated by spaces
    return 301 https://www.test.com/;
}
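As an added example (not part of the original post), a small POSIX shell lint that flags the two weak TLS settings in the section 3 server block above: the deprecated "ssl on;" directive and the TLSv1/TLSv1.1 entries in ssl_protocols. The two server blocks inside it are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example: lint an nginx server block's TLS directives.
# Prints one "FINDING: ..." line per issue; exits 0 when clean, 1 otherwise.

lint_nginx_tls() {
    conf="$1"
    n=0
    # "ssl on;" is deprecated (removed in nginx 1.25.1); "listen 443 ssl;" is enough.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo 'FINDING: "ssl on;" is deprecated, rely on "listen 443 ssl;" alone'
        n=$((n + 1))
    fi
    # TLS 1.0/1.1 and SSLv3 are deprecated by RFC 8996; offer only TLSv1.2/TLSv1.3.
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FINDING: ssl_protocols offers deprecated protocol $p"
                n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# Number of findings on stdout (handy for scripting); always exits 0.
tls_finding_count() {
    lint_nginx_tls "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Constructed sample: the TLS lines of the post's server block as written.
WEAK_CONF='server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

# Constructed sample: the same block with both issues fixed.
HARDENED_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}'

echo "--- linting the post's config ---"
lint_nginx_tls "$WEAK_CONF" || echo "result: weak ($(tls_finding_count "$WEAK_CONF") findings)"
echo "--- linting the hardened config ---"
lint_nginx_tls "$HARDENED_CONF" && echo "result: clean"
```

Feed it a real server block with lint_nginx_tls "$(cat /etc/nginx/conf.d/www.test.com.conf)" before reloading nginx.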
4. Restart nginx; opening the address in a browser now shows the certificate.
5. Renewal
Certificates issued by certbot are valid for 3 months and must be renewed before they expire.
Renewal command (run from the certbot installation directory; nginx must be stopped before renewing):
./letsencrypt-auto renew --force-renew