Installing a free Let's Encrypt SSL certificate for Nginx

From the linuxchina.net wiki

Debian 10 (2019-11)

Install Certbot (September 2022)

sudo apt-get install certbot python3-certbot-nginx #python-certbot-nginx


Just get a certificate (certonly)


#Note: these domains must already have an A record, otherwise the certificate cannot be issued. Sep 2022
#Note: this is not a wildcard certificate. I only want the wiki one; I'll do the others later when I have time.
# sudo certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: linuxchina.net
2: blog.linuxchina.net
3: wiki.linuxchina.net
4: www.linuxchina.net
5: linuxsa.org
6: www.linuxsa.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linuxchina.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/linuxchina.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/linuxchina.net/privkey.pem
   Your cert will expire on 2020-02-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
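The note above says every name passed to certbot must already have an A record, otherwise the http-01 challenge cannot be validated. The following pre-flight script is an added example and not part of the wiki: it resolves each name with glibc's `getent` (assumed to be available) and refuses to go on if any of them has no address; the domain list in the usage comment is the one from the transcript.

```shell
#!/bin/sh
# Pre-flight check before "certbot certonly --nginx": every name we ask for must
# already resolve, otherwise the http-01 challenge fails.  Added example, not
# from the wiki.  Assumes glibc's `getent` is available.

# Print the IPv4 addresses a name resolves to, one per line (empty if none).
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Check every domain given as an argument.  Prints one line per domain and
# returns 0 only if all of them resolve.
preflight_domains() {
    failed=0
    for d in "$@"; do
        ips=$(resolve_a "$d")
        if [ -z "$ips" ]; then
            echo "MISSING  $d   (no A record; certbot will not be able to validate it)"
            failed=1
        else
            echo "OK       $d   -> $(echo "$ips" | tr '\n' ' ')"
        fi
    done
    return $failed
}

# Usage from a shell (domain list is the one shown in the wiki transcript):
#   preflight_domains linuxchina.net www.linuxchina.net \
#     && sudo certbot certonly --nginx -d linuxchina.net -d www.linuxchina.net
```

A name that resolves to some other machine would still pass this check but fail the challenge; the script only catches the "no record at all" case the wiki warns about.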


Automatic renewal

  sudo certbot renew --dry-run


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/wiki.linuxchina.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/linuxchina.net/fullchain.pem (success)
  /etc/letsencrypt/live/wiki.linuxchina.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

See also

https://certbot.eff.org/lets-encrypt/debianbuster-nginx

2018

Part 0

This is the best method; no need to bother with the others. Yesterday I looked at other ones and wasted half a day. 20170627

Today I used another method. 20170125

pkg install py27-certbot

certbot certonly --standalone -d wiki.linuxchina.net  -d blog.linuxchina.net 

Automatic certificate renewal

#!/bin/sh
service nginx stop  && certbot renew && service nginx start

# This is someone else's way of writing it, also good
echo '0 3 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"' >certbot-auto-renew-cron
crontab certbot-auto-renew-cron

Explanation: --pre-hook specifies what to run before the renewal. Because my certificate was obtained in --standalone mode, the nginx service has to be stopped first to free the port that certbot's standalone server needs. --post-hook specifies what to run after the renewal has finished; here it starts the nginx service again.

https://certbot.eff.org/#freebsd-nginx https://my.oschina.net/u/2328699/blog/829503

Part 1

Single domain

 
#This is the old method
 git clone https://github.com/letsencrypt/letsencrypt
 cd letsencrypt
 ./letsencrypt-auto certonly --standalone --email [email protected] -d linuxchina.net  -d www.linuxchina.net  --debug 

Wildcard domain

#Wildcard: note, replace xxx.com with your own domain. To renew, just run certbot-auto renew
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory  --email [email protected] -d "*.linuxchina.net" --manual --preferred-challenges dns-01 certonly
 

References for wildcard certificate requests

Requesting a Let's Encrypt wildcard HTTPS certificate

Let's Encrypt wildcard certificate: request and configuration

Let's Encrypt wildcard certificate issued successfully

Let's Encrypt tutorial: free SSL certificates

Requesting a Let's Encrypt wildcard SSL certificate with the acme.sh script

Part 2: Obtaining and using the free Let's Encrypt SSL certificate

After the Let's Encrypt certificate has been generated, the domain directory "/etc/letsencrypt/live/yourdomain/" contains 4 files; these are the generated key and certificate files.
 cert.pem – server certificate (Apache)
 chain.pem – root and intermediate certificates (Apache)
#These two are the ones we care about
 fullchain.pem – the ssl_certificate file Nginx needs
 privkey.pem – the private key file

ssl_certificate /etc/letsencrypt/live/linuxchina.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/linuxchina.net/privkey.pem;

 #Auto-renew after 90 days; doesn't seem to work, there is an interactive prompt
 * * */90 * * /data/mon/autossl

 Detailed nginx HTTPS configuration
 #4 blog
    server {
        listen       80;
       # listen [::]:80 ipv6only=on default_server;
        listen 443 default ssl;
       #listen [::]:80;
       #ssl on;
        ssl_certificate /etc/letsencrypt/live/linuxchina.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/linuxchina.net/privkey.pem;

        server_name  linuxchina.net www.linuxchina.net;

        #by evan
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        #by evan
        #    server_name  blog.linuxchina.net;
        charset utf-8;
        root /data/www/evan;
        index index.php index.html index.htm;
        # (remaining directives of the server block are not shown on the wiki)
    }

Note:
Do not turn on `ssl on`, otherwise plain HTTP requests on port 80 get a 400 error ("The plain HTTP request was sent to HTTPS port")

Regenerating the key. A simpler way is now available, see the beginning of the article.
 #!/bin/sh
 cd /data/www/ssl/letsencrypt
 #git clone https://github.com/letsencrypt/letsencrypt
 ./letsencrypt-auto certonly --renew-by-default --email [email protected]  -d linuxchina.net  -d www.linuxchina.net --debug

Troubleshooting

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/linuxchina.net-0001/fullchain.pem. Your cert
   will expire on 2017-03-13. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

 # letsencrypt-auto created a new lineage directory (linuxchina.net-0001); point nginx at it:
 ssl_certificate /etc/letsencrypt/live/linuxchina.net-0001/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/linuxchina.net-0001/privkey.pem;

Or delete the original files and copy the newly generated ones to the original location:
 cp /etc/letsencrypt/live/linuxchina.net-0001/privkey.pem .
 cp /etc/letsencrypt/live/linuxchina.net-0001/fullchain.pem .
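Two of the problems described on this page are plain configuration mistakes that can be caught before reloading nginx: `ssl on;` in a server block that also listens on port 80 (the 400 error in the note above), and `ssl_certificate`/`ssl_certificate_key` pointing at the wrong file or at different lineage directories (the mixed-up `-0001` lines in the troubleshooting section). The linter below is an added example, not part of the wiki; it only reads the text of one server block from the file given as `$1`, with `sed`, `grep` and POSIX sh.

```shell
#!/bin/sh
# Lint an nginx server block for the SSL mistakes described on the wiki.
# Added example, not from the wiki; inspects only the text of the file in $1.

# Print the config with comments stripped and whitespace collapsed, so that
# "    listen       80;" becomes "listen 80;" and commented-out lines vanish.
_strip() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1"
}

# Return 0 if no problem is found; otherwise print one "WARN ..." line per
# finding and return 1.
lint_nginx_ssl() {
    cfg=$(_strip "$1")
    rc=0

    # 1. "ssl on;" makes the whole block HTTPS-only; a port-80 listener in the
    #    same block then answers plain HTTP with 400.
    if echo "$cfg" | grep -q '^ssl on;' && echo "$cfg" | grep -q '^listen 80[ ;]'; then
        echo "WARN ssl on; together with listen 80; -> 400 'plain HTTP request was sent to HTTPS port'"
        rc=1
    fi

    # 2. ssl_certificate must be certbot's fullchain.pem (leaf + intermediates).
    cert=$(echo "$cfg" | sed -n 's/^ssl_certificate \(.*\);$/\1/p')
    case "$cert" in
        */fullchain.pem) ;;
        "") echo "WARN no ssl_certificate directive"; rc=1 ;;
        *)  echo "WARN ssl_certificate is '$cert' (expected .../fullchain.pem)"; rc=1 ;;
    esac

    # 3. ssl_certificate_key must be privkey.pem, never a certificate file.
    key=$(echo "$cfg" | sed -n 's/^ssl_certificate_key \(.*\);$/\1/p')
    case "$key" in
        */privkey.pem) ;;
        "") echo "WARN no ssl_certificate_key directive"; rc=1 ;;
        *)  echo "WARN ssl_certificate_key is '$key' (expected .../privkey.pem)"; rc=1 ;;
    esac

    # 4. Certificate and key must come from the same live/<name>/ directory,
    #    otherwise nginx refuses to start with a key/cert mismatch.
    if [ -n "$cert" ] && [ -n "$key" ] && [ "${cert%/*}" != "${key%/*}" ]; then
        echo "WARN certificate and key come from different directories"
        rc=1
    fi

    return $rc
}

# Usage:  lint_nginx_ssl /etc/nginx/conf.d/blog.conf && nginx -t && service nginx reload
```

Run it before `nginx -t`: the syntax check accepts `ssl on;` and a key directive that points at a certificate, so it would not catch either mistake.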


References

Related reference documents

The official tutorial is actually better
https://certbot.eff.org/#freebsd-nginx

Installation documentation
https://github.com/certbot/certbot

http://stackoverflow.com/questions/8768946/dealing-with-nginx-400-the-plain-http-request-was-sent-to-https-port-error

Hands-on tutorial: requesting a permanently free Let's Encrypt SSL certificate, with common problems
http://www.laozuo.org/7676.html

Let's Encrypt SSL certificate configuration
http://www.jianshu.com/p/eaac0d082ba2#

Requesting a Let's Encrypt wildcard HTTPS certificate