Test environment: CentOS Linux release 7.2
Kernel version: Linux version 3.10.0-514.26.2.el7.x86_64
Nginx version: Nginx-1.13.0

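Let's Encrypt is a free, automated and open certificate authority. It was launched by many companies and organizations, including Mozilla, Cisco, Chrome, Facebook and Akamai, and it is secure, stable and extremely reliable. For details, see the official Let's Encrypt website.

Today we will use Let's Encrypt to enable HTTPS encryption for your website.

Official website: https://letsencrypt.org/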

1. Install certbot and the EPEL repository package

$ yum install -y epel-release

Certbot is the client officially recommended by Let's Encrypt. With Certbot you can automate the deployment of Let's Encrypt SSL certificates and add HTTPS encryption support to your website.

$ yum install certbot
$ certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
// How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
// Place the files in the webroot directory
2: Spin up a temporary webserver (standalone)
// Use a temporary web server (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1 【choose 1 and press Enter】
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):su@renwole.com 【enter your email address, used for urgent renewal and security notices】

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A 【choose A and press Enter to accept the Terms of Service; C declines】
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:Y 【whether you are willing to share your email address; choosing Y and pressing Enter is recommended】
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): blog.renwole.com 【enter the domain name and press Enter】
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.renwole.com
Select the webroot for blog.renwole.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
// Enter the website's absolute path
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):1 【choose 1 and press Enter】
Input the webroot for blog.renwole.com: (Enter 'c' to cancel):/home/www/blog.renwole.com 【enter the absolute path of the website and press Enter】
Waiting for verification...
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/blog.renwole.com/fullchain.pem. Your cert
will expire on 2017-08-09. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF:

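Congratulations! Your SSL certificate and chain have been saved, and your certificate will expire on 2017-08-09.

Note: before generating the certificate, you must make sure that nginx port 443 is running; otherwise certificate generation will fail.

If you encounter the error "Problem binding to port 80: Could not bind to IPv4 or IPv6." during installation, stop the nginx service and then install again.

Automatic certificate renewal:

Add a scheduled task (cron job) to the system to run the renewal: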

30 1 * * 1 /usr/bin/certbot renew >> /data0/certbot_renew_log/certbot_renew.log

The certificate renewal runs every Monday at 1:30 a.m.
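
To put the issued certificate to use, Nginx needs a server block that points at the files certbot saved. The configuration below is an added example, not part of the original post; it reuses the domain, webroot and certificate directory shown above and assumes privkey.pem, the private-key file certbot writes beside fullchain.pem, while the protocol and cipher choices are assumptions.

```nginx
# Added example (not from the original post).
# Domain, webroot and certificate directory are the ones used in the certbot run above.

# Port 80: keep the http-01 challenge path reachable so that "certbot renew"
# (webroot mode) keeps working, and redirect everything else to HTTPS.
server {
    listen 80;
    server_name blog.renwole.com;

    location ^~ /.well-known/acme-challenge/ {
        root /home/www/blog.renwole.com;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: serve the site with the Let's Encrypt certificate.
server {
    listen 443 ssl;
    server_name blog.renwole.com;
    root /home/www/blog.renwole.com;

    # fullchain.pem = leaf certificate + intermediate, so clients can build the chain.
    ssl_certificate     /etc/letsencrypt/live/blog.renwole.com/fullchain.pem;
    # Assumption: certbot's private key file in the same live/ directory.
    ssl_certificate_key /etc/letsencrypt/live/blog.renwole.com/privkey.pem;

    # Assumed hardening choices: TLS 1.2 only, forward-secret AEAD cipher suites.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
}
```

Check the syntax with `nginx -t` and apply it with `nginx -s reload`. Nginx also has to be reloaded after a renewal before it starts serving the new certificate.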