Installing a free Let's Encrypt SSL certificate on Nginx
debian 10 201911
Install Certbot september 2022
sudo apt-get install certbot python3-certbot-nginx #python-certbot-nginx
just get a certificate 2022
    # Note: these domains must already have an A record, otherwise the certificate cannot be issued (Sep 2022)
    # Note: this is not a wildcard certificate; I want wiki, the others can wait until I have time
    # sudo certbot certonly --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): [email protected]

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y

    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: linuxchina.net
    2: blog.linuxchina.net
    3: wiki.linuxchina.net
    4: www.linuxchina.net
    5: linuxsa.org
    6: www.linuxsa.org
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for linuxchina.net
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/linuxchina.net/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/linuxchina.net/privkey.pem
       Your cert will expire on 2020-02-29. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
automatic renewal
    sudo certbot renew --dry-run

    new certificate deployed with reload of nginx server; fullchain is
    /etc/letsencrypt/live/wiki.linuxchina.net/fullchain.pem

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)

    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/linuxchina.net/fullchain.pem (success)
      /etc/letsencrypt/live/wiki.linuxchina.net/fullchain.pem (success)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    IMPORTANT NOTES:
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
see also
https://certbot.eff.org/lets-encrypt/debianbuster-nginx
2018
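Part zero
This is the simplest method; there is no need to bother with anything else. Yesterday I looked at other approaches and wasted half a day. 20170627
Today I used a different method. 20170125

    pkg install py27-certbot
    certbot certonly --standalone -d wiki.linuxchina.net -d blog.linuxchina.net

Automatic certificate renewal

    #!/bin/sh
    # Stop nginx for the standalone renewal; start it again even if the renewal fails
    service nginx stop && certbot renew
    service nginx start

    # This is someone else's way of writing it, and it is also good
    echo '0 3 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"' >certbot-auto-renew-cron
    crontab certbot-auto-renew-cron

Explanation: --pre-hook specifies what to do before the renewal runs. Because my certificates were issued in --standalone mode, nginx has to be stopped to free the port. --post-hook specifies what to do after the renewal has finished; here it starts nginx again.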
https://certbot.eff.org/#freebsd-nginx
https://my.oschina.net/u/2328699/blog/829503
Part one
Single domain

    # This is the old method
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto certonly --standalone --email [email protected] -d linuxchina.net -d www.linuxchina.net --debug

Wildcard domain

    # Wildcard domain. Note: replace xxx.com with your own domain. To renew, just run certbot-auto renew
    ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory --email [email protected] -d "*.linuxchina.net" --manual --preferred-challenges dns-01 certonly

Wildcard certificate reference
Using the acme.sh script to request a Let's Encrypt wildcard SSL certificate
Part two: obtaining and using the free Let's Encrypt SSL certificate
After the Let's Encrypt certificate has been generated, the domain directory "/etc/letsencrypt/live/yourdomain/" contains 4 files, which are the generated key and certificate files.

    cert.pem – server certificate for Apache
    chain.pem – root and intermediate certificates for Apache
    # These are the ones we mainly care about
    fullchain.pem – the ssl_certificate file that Nginx needs
    privkey.pem – the certificate's private key file

    ssl_certificate /etc/letsencrypt/live/linuxchina.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/linuxchina.net/privkey.pem;

    # Automatic renewal after 90 days; it does not seem to work, because there is an interactive prompt
    * * */90 * * /data/mon/autossl

Detailed nginx HTTPS configuration file

    #4 blog
    server {
        listen 80;
        # listen [::]:80 ipv6only=on default_server;
        listen 443 default ssl;
        #listen [::]:80;
        #ssl on;
        ssl_certificate /etc/letsencrypt/live/linuxchina.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/linuxchina.net/privkey.pem;
        server_name linuxchina.net www.linuxchina.net;
        #by evan
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        #by evan
        # server_name blog.linuxchina.net;
        charset utf-8;
        root /data/www/evan;
        index index.php index.html index.htm;
        # ...
    }

Note: do not turn on "ssl on", otherwise you get a 400 error. This server block also listens on port 80, and with "ssl on" the plain HTTP requests arriving there are rejected.

Renewing the key
There is now a simpler way; see the beginning of this article.

    #!/bin/sh
    cd /data/www/ssl/letsencrypt
    #git clone https://github.com/letsencrypt/letsencrypt
    ./letsencrypt-auto certonly --renew-by-default --email [email protected] -d linuxchina.net -d www.linuxchina.net --debug
Troubleshooting

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/linuxchina.net-0001/fullchain.pem. Your cert
       will expire on 2017-03-13. To obtain a new or tweaked version of
       this certificate in the future, simply run letsencrypt-auto again.
       To non-interactively renew *all* of your certificates, run
       "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:

    ssl_certificate /etc/letsencrypt/live/linuxchina.net-0001/
    ssl_certificate_key /etc/letsencrypt/live/linuxchina.net-0001/ fullchain.pem ;

Delete the old files, then copy the newly generated ones to the original location:

    cp /etc/letsencrypt/live/linuxchina.net-0001/privkey.pem .
    cp /etc/letsencrypt/live/linuxchina.net-0001/fullchain.pem .
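A check for the situation in the troubleshooting notes, as an added example that is not part of the original page: it lists the certificate and key paths an nginx config uses and flags a "-0001" lineage, a certificate/key pair taken from different directories, and files copied out of the live directory, which later renewals never update. The function names, the example.test domain and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Status values printed per directive:
#   OK        inside LIVE/<lineage>/, so "certbot renew" keeps the file current
#   SUFFIXED  lineage ends in -NNNN (duplicate lineage created by re-issuing)
#   COPIED    outside LIVE: a copy that renewals will never update
#   MISMATCH  key comes from a different directory than the certificate
check_tls_paths() {   # usage: check_tls_paths CONF [LIVE_DIR]
    awk -v live="${2:-/etc/letsencrypt/live}" '
        { sub(/#.*/, "") }                          # strip comments
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
            path = $2; sub(/;$/, "", path)
            dir = path; sub("/[^/]*$", "", dir)     # directory part of the path
            status = "OK"
            if (index(path, live "/") != 1) status = "COPIED"
            else if (dir ~ /-[0-9][0-9][0-9][0-9]$/) status = "SUFFIXED"
            if ($1 == "ssl_certificate") certdir = dir
            else if (dir != certdir) status = "MISMATCH"
            printf "%s\t%s\t%s\n", status, $1, path
        }' "$1"
}

# Number of directives that need attention (anything not OK).
count_problems() {
    check_tls_paths "$@" | grep -vc '^OK' || true
}

# Constructed sample config: the first server follows the live lineage, the
# second mixes a -0001 certificate with a key copied to another directory.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    #ssl on;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.test-0001/fullchain.pem;
    ssl_certificate_key /data/www/ssl/privkey.pem;
}
EOF
}

tmp=$(mktemp) && write_sample_conf "$tmp" && check_tls_paths "$tmp"
rm -f "$tmp"
```

On a real host, pass the nginx config file as the first argument; the exit status of nginx -t does not reveal any of these cases, because all of the paths can exist and still be stale.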
References
Related reference documents
The official tutorial is actually rather good
https://certbot.eff.org/#freebsd-nginx
Installation documentation
https://github.com/certbot/certbot
Hands-on tutorial for requesting a permanently free Let's Encrypt SSL certificate, with common problems
http://www.laozuo.org/7676.html
Let's Encrypt SSL certificate configuration
http://www.jianshu.com/p/eaac0d082ba2#