Let's Encrypt issues free SSL/TLS certificates. A certificate is valid for at most 90 days, but it can be renewed again and again and the whole process is automated. Control of the domain is proven through the ACME protocol. Sites such as https://www.sslforfree.com/ let you go through it by hand and offer three ways to place the proof: FTP upload, WEB (a file served by the site) and DNS. The first two are the same ACME http-01 challenge (a file under /.well-known/acme-challenge/ fetched over HTTP); the third is dns-01 (a TXT record).
Wildcard certificates are now available: http://www.infoq.com/cn/news/2018/03/lets-encrypt-wildcard-https (they can only be issued through dns-01 validation, so the webroot procedure below does not cover them)
Official getting-started guide: https://letsencrypt.org/getting-started/
Below, domain control is verified the WEB way, with nginx as the example. For tomcat the PEM files certbot produces must additionally be converted into a keystore (see https://blog.kyletang.work/2018/05/10/pem2jks/)
Prerequisites:
- A domain, e.g. 9px.in
- An A record pointing it at the server, e.g. 9px.in -> 45.32.53.16
- A web service reachable from the internet on port 80 (http-01 validation always starts with a connection to port 80; Let's Encrypt follows redirects, but the first request is plain HTTP), e.g. nginx. Note: domains and IPs registered in mainland China need an ICP filing before port 80 can be opened
server
{
    listen 80;
    server_name 9px.in;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/9px.in;   # certbot --webroot writes the challenge file under this directory
    #include none.conf;
    #error_page 404 /404.html;
    #include enable-php.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    # Keep this commented out (or add an exception for /.well-known/acme-challenge/):
    # the regex also matches the challenge URL, which begins with a dot, and validation would be denied.
    #location ~ /\.
    #{
    #    deny all;
    #}
    access_log off;
}
Steps:
- Install the Let's Encrypt client, downloaded from https://certbot.eff.org/ (letsencrypt-auto is the old name of what is now simply called certbot)
- Run letsencrypt-auto to obtain the certificate. certbot also ships installer plugins that edit the web server configuration for you (e.g. nginx on RHEL6: https://certbot.eff.org/lets-encrypt/centosrhel6-nginx); the basic certonly command is used here:
  cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
  --webroot -w tells the client to drop the challenge file into the directory nginx serves for that domain. --renew-by-default is the old spelling of --force-renewal: it reissues even when the current certificate is nowhere near expiry, and every such issuance counts against Let's Encrypt's limit of 5 duplicate certificates per week.
The command's output looks like the following; the line containing Congratulations means it succeeded:
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator webroot, Installer None
  Renewing an existing certificate
  Performing the following challenges:
  http-01 challenge for 9px.in
  Using the webroot path /home/wwwroot/9px.in for all unmatched domains.
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at:
     /etc/letsencrypt/live/9px.in/fullchain.pem
     Your key file has been saved at:
     /etc/letsencrypt/live/9px.in/privkey.pem
     Your cert will expire on 2018-08-07. To obtain a new or tweaked
     version of this certificate in the future, simply run
     letsencrypt-auto again. To non-interactively renew *all* of your
     certificates, run "letsencrypt-auto renew"
   - If you like Certbot, please consider supporting our work by:

     Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     Donating to EFF:                    https://eff.org/donate-le
- Edit the configuration and add the SSL settings. Do not combine listen 80 with ssl on in the same server block: ssl on makes every listen in that block expect TLS, so plain HTTP on port 80 (including the http-01 challenge at renewal time) stops working. Put TLS on a dedicated 443 server and keep a small port-80 server for the challenge path:
server {
    listen 80;
    server_name 9px.in;
    # certbot --webroot keeps writing the challenge file here; everything else goes to HTTPS
    location /.well-known/acme-challenge/ {
        root /home/wwwroot/9px.in;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;   # "listen 443 ssl" replaces the deprecated "ssl on;" directive
    server_name 9px.in;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/9px.in;
    ##--SSL config-start------------------------
    ssl_certificate /etc/letsencrypt/live/9px.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/9px.in/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1; keep TLSv1.2 so older clients can still connect
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;   # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    # Only AEAD suites with forward secrecy; the *-AES256-GCM-SHA512 names copied around from cipherli.st do not exist in OpenSSL and are silently ignored
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve secp384r1;   # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;   # Requires nginx >= 1.5.9
    ssl_stapling on;   # Requires nginx >= 1.3.7
    ssl_stapling_verify on;   # Requires nginx >= 1.3.7
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;   # placeholders: put real resolver IPs here, stapling needs them to fetch the OCSP response
    resolver_timeout 5s;
    # preload is close to irreversible once submitted to the browser lists; enable it only when every subdomain already serves HTTPS
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    ##--SSL config-end-------------------------
    #include none.conf;
    #error_page 404 /404.html;
    include enable-php.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    #location ~ /\.
    #{
    #    deny all;
    #}
    access_log off;
}
- Reload the nginx configuration
  # on the lnmp stack used here; on a stock install run: nginx -t && nginx -s reload
  lnmp nginx reload
- Done
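What the "http-01 challenge for 9px.in" step in the log actually does is small enough to replay locally. The following is an added example, not code from the original post or from certbot: it computes the key authorization that certbot writes into the webroot (RFC 8555 section 8.1, token plus the RFC 7638 thumbprint of the account key), serves the webroot over plain HTTP on a loopback port and fetches the file the way the CA would. The account key is the RSA public key from RFC 7638 section 3.1 (constructed input so the thumbprint can be checked against the RFC); the real CA connects to the domain's A record on port 80 instead of 127.0.0.1, which is why port 80 must be open and why nothing in the nginx config may deny the /.well-known/ path.

```python
import base64
import functools
import hashlib
import http.server
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed input: the RSA public key from RFC 7638 section 3.1, standing in
# for the ACME account key so the thumbprint can be checked against the RFC.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects in the challenge file."""
    return token + "." + jwk_thumbprint(jwk)


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Mirrors `certbot certonly --webroot -w <webroot>`: create
    <webroot>/.well-known/acme-challenge/<token> holding the key authorization.
    certbot removes the file after validation ("Cleaning up challenges")."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(key_authorization(token, jwk))
    return path


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo silent
        pass


def simulate_ca_validation(webroot: str, token: str, jwk: dict) -> bool:
    """Stand-in for the CA: serve the webroot over plain HTTP on a loopback port
    and fetch /.well-known/acme-challenge/<token>. Valid only if the body is
    byte-for-byte the key authorization for this token and account key."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        url = f"http://127.0.0.1:{port}/.well-known/acme-challenge/{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii").strip()
        return body == key_authorization(token, jwk)
    except (urllib.error.URLError, OSError, UnicodeDecodeError):
        return False  # 404, denied path, unreachable port: the CA would fail the challenge
    finally:
        server.shutdown()
        server.server_close()


def demo(jwk: dict = RFC7638_JWK) -> dict:
    """Run the whole exchange in a temporary webroot and report the outcome."""
    token = b64url(secrets.token_bytes(32))  # >= 128 bits of entropy, base64url, as the CA issues it
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, token, jwk)
        valid = simulate_ca_validation(webroot, token, jwk)
        # A file that does not carry this account's thumbprint must be rejected:
        # that is what stops someone else from answering your challenge.
        with open(path, "w", encoding="ascii") as f:
            f.write(token + ".wrong")
        tampered_valid = simulate_ca_validation(webroot, token, jwk)
    return {"token": token, "valid": valid, "tampered_valid": tampered_valid}


if __name__ == "__main__":
    print(demo())
```

If you want a pre-flight check before running certbot on a real host, the same idea works with a hand-made file: drop a test file into /home/wwwroot/9px.in/.well-known/acme-challenge/ and fetch http://9px.in/.well-known/acme-challenge/<name> from outside the server; a 403 or 404 there is exactly what the CA will see.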
Set up a cron job to regenerate the certificate every month:
- Create the script renew-certs.sh, which obtains the certificate and reloads nginx
  #!/bin/bash
  set -e   # do not reload nginx if issuance failed
  cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
  lnmp nginx reload
  Add a crontab entry that runs renew-certs.sh at 03:00 on the 1st of every month: run crontab -e and add
  0 3 1 * * /root/renew-certs.sh > /root/renew-certs.log 2>&1
- Run the script once to test it
  /root/renew-certs.sh > /root/renew-certs.log 2>&1
  Two caveats about this schedule. Because the script forces a new issuance, one monthly run that fails (port 80 blocked, rate limit hit, ACME outage) leaves only two more attempts before the 90-day certificate expires, and you only find out by reading the log. The renewal command the certbot output itself recommends, letsencrypt-auto renew, is idempotent: it touches nothing unless a certificate is within 30 days of expiry, so it can run daily or twice a day from cron, and --deploy-hook "lnmp nginx reload" makes it reload nginx only when a certificate was actually replaced.
Let's Encrypt free certificates, official site: https://letsencrypt.org/
Let's Encrypt's official certbot client: https://certbot.eff.org/
Recommended strong SSL configurations: https://cipherli.st/