Let's Encrypt 安裝配置教程，免費的 SSL 證書

官網：https://letsencrypt.org/

安裝Let's Encrypt

安裝很是簡單直接克隆就能夠了

git clone https://github.com/letsencrypt/letsencrypt

生成通配符證書

期間須要根據提示設置DNS TXT記錄,用做你對判斷你是否擁有域名使用權

cd letsencrypt
./certbot-auto certonly  -d *.you.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

其中"you.cn"換成你的一級域名便可

參數	說明
certonly	表示安裝模式，Certbot 有安裝模式和驗證模式兩種類型的插件。
--manual	表示手動安裝插件，Certbot 有不少插件，不一樣的插件均可以申請證書，用戶能夠根據須要自行選擇
-d	爲那些主機申請證書，若是是通配符，輸入 *.you.cn（能夠替換爲你本身的一級域名）
--preferred-challenges dns	使用 DNS 方式校驗域名全部權
--server	Let's Encrypt ACME v2 版本使用的服務器不一樣於 v1 版本，須要顯示指定。

接着能夠看到下面界面結果：

Dependency Installed:
  dwz.x86_64 0:0.11-3.el7             perl-srpm-macros.noarch 0:1-8.el7             tcl.x86_64 1:8.5.13-8.el7             tix.x86_64 1:8.4.3-12.el7             tk.x86_64 1:8.5.13-6.el7             tkinter.x86_64 0:2.7.5-69.el7_5            

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 123@163.com

接下來須要輸入些指令

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kuaichuangkeji.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

這裏有幾個需交互的提示

• 是否贊成 Let's Encrypt 協議要求=>須要贊成
• 是否分享你的郵箱
• 詢問是否對域名和機器（IP）進行綁定=>須要贊成

須要注意的地方：

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.you.cn with the following value:

RYtObhDvEcXewZckknNQkBKIkvwIlbb4PNRel74LNwU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

要求配置 DNS TXT 記錄，從而校驗域名全部權，也就是判斷證書申請者是否有域名的全部權。

上面輸出要求給 _acme-challenge.you.cn 配置一條 TXT 記錄，在沒有確認 TXT 記錄生效以前不要回車執行。

我用的是阿里雲的域名服務器，控制檯具體操做以下圖所示：

確認生效後，回車執行，輸出以下

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/you.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/you.cn/privkey.pem
   Your cert will expire on 2019-02-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

看到這個界面內容的話，恭喜你，證書安裝成功了。

證書續簽

注:證書在到期前30天才會續簽成功,但爲了確保證書在運行過程當中不過時,官方建議天天自動執行續簽兩次;
使用crontab自動續期

crontab -e // 編輯定時任務
0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"

• 須要注意"/etc/init.d/nginx reload"爲nginx重啓命令，須要根據本身服務器的重啓命令重啓便可；這裏建議使用reload，不推薦使用restart，由於這樣萬一配錯了，也不會影響服務器其餘項目的運行

證書保存的路徑[配置nginx須要用到的]

/etc/letsencrypt/live/you.cn/fullchain.pem
/etc/letsencrypt/live/you.cn/privkey.pem

nginx 開啓 https

證書生成完成後能夠到 /etc/letsencrypt/live/ 目錄下查看對應域名的證書文件。編輯 nginx 配置文件監聽 443 端口，啓用 SSL，並配置 SSL 的公鑰、私鑰證書路徑：

server {
   listen   443 ssl;
   server_name  you.cn;
   root /home/www/you;
   index  index.html index.htm index.php;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/you.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/you.cn/privkey.pem;
    ...
}

添加 HTTP 自動跳轉到 HTTPS：

server {
    listen 80;
    server_name you.cn;
    location / {
        rewrite ^(.*)$  https://$host$1 permanent;
    }
}

配置好nginx後，重啓nginx

證書安裝成功後，該域名下的全部二級域名均可以使用噢

取消證書

可使用一下命令取消剛剛生成的密匙，也就是以上的反操做：

certbot revoke --cert-path /etc/letsencrypt/live/you.cn/cert.pem
certbot delete --cert-name you.cn

參考的網址有

• https://sanonz.github.io/2017...'s-encrypt-free-ssl-https/
• https://www.jianshu.com/p/c5c...
• https://segmentfault.com/a/11...
• https://www.jianshu.com/p/e32...
• https://segmentfault.com/a/11...
• https://segmentfault.com/a/11...
• https://wp.wt629.com/archives...
• https://www.yiichina.com/tuto...