[TOC]

Requesting a certificate from Let's Encrypt

Setup: the server runs CentOS 7.x with Nginx, and Let's Encrypt provides the free HTTPS certificate.
Let's Encrypt official site: https://letsencrypt.org/
Procedure:

```sh
# Procedure
$ git clone https://github.com/letsencrypt/letsencrypt.git
$ cd letsencrypt
$ sudo ./letsencrypt-auto certonly

# Follow the wizard: choose standalone mode and enter your e-mail address, domain name, and so on.
# The issued files end up under:
/etc/letsencrypt/live/mydomain
# privkey.pem
# fullchain.pem
```

Edit the nginx configuration file:

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.linuxidc.com;
    root /usr/share/nginx/html;

    ssl_certificate "/etc/letsencrypt/live/www.linuxidc.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www.linuxidc.com/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
}

# Redirect HTTP to HTTPS. To inspect the issued certificate in the browser:
# right-click the page -> Inspect -> Security -> View certificate.
# The certificate is valid for 3 months.
server {
    listen 80;
    server_name www.linuxidc.com;
    return 301 https://$host$request_uri;
}
```

To renew the certificate on a schedule we can use crontab, the scheduler that ships with Linux:

```sh
$ crontab -e
30 2 1 * * /usr/bin/certbot renew >> /var/log/le-renew.log
35 2 1 * * /usr/bin/systemctl reload nginx
```
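The two cron entries above run independently: nginx is reloaded five minutes later whether or not a certificate was renewed, and a renewal that left nginx with a configuration it cannot parse would still trigger the reload. The wrapper below is an added example, not part of the original post or of certbot: it runs `certbot renew`, detects an actual renewal by comparing a checksum of `fullchain.pem` before and after, validates the configuration with `nginx -t`, and only then reloads nginx, logging each decision. The binary paths, the live directory name (taken from the nginx config above) and the log file are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# le-renew.sh: renew Let's Encrypt certificates and reload nginx only when
# the certificate on disk actually changed and the config still passes nginx -t.
# Added example, not from the original post. Paths below are assumptions.

CERTBOT="${CERTBOT:-/usr/bin/certbot}"
NGINX="${NGINX:-/usr/sbin/nginx}"
SYSTEMCTL="${SYSTEMCTL:-/usr/bin/systemctl}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/www.linuxidc.com}"
RENEW_LOG="${RENEW_LOG:-/var/log/le-renew.log}"

# Append a timestamped line to the renewal log.
log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$RENEW_LOG"; }

# Checksum of the served chain: a renewal is detected by a change in file
# content, not by parsing certbot's human-readable output.
cert_fingerprint() {
    [ -r "$LIVE_DIR/fullchain.pem" ] || return 1
    cksum < "$LIVE_DIR/fullchain.pem" | cut -d' ' -f1
}

# renew_and_reload return codes:
#   0  certificate renewed and nginx reloaded
#   1  certbot renew failed or chain unreadable (old certificate still in place)
#   2  nothing renewed; nginx left alone
#   3  certificate changed but nginx -t or the reload failed; reload skipped
renew_and_reload() {
    before=$(cert_fingerprint) || { log "cannot read $LIVE_DIR/fullchain.pem"; return 1; }
    if ! "$CERTBOT" renew --non-interactive >> "$RENEW_LOG" 2>&1; then
        log "certbot renew failed; nginx not reloaded"
        return 1
    fi
    after=$(cert_fingerprint) || { log "chain vanished after renew"; return 1; }
    if [ "$before" = "$after" ]; then
        log "no certificate change; skipping reload"
        return 2
    fi
    if ! "$NGINX" -t >> "$RENEW_LOG" 2>&1; then
        log "nginx -t failed after renewal; reload skipped"
        return 3
    fi
    if ! "$SYSTEMCTL" reload nginx >> "$RENEW_LOG" 2>&1; then
        log "nginx reload failed"
        return 3
    fi
    log "certificate renewed and nginx reloaded"
    return 0
}

# Only act when invoked with "run", so the file can also be sourced for testing.
case "${1:-}" in
    run) renew_and_reload; exit $? ;;
esac
```

Install it under a path of your choice (for example the hypothetical /usr/local/sbin/le-renew.sh) and replace the two cron entries with a single one such as `30 2 1 * * /usr/local/sbin/le-renew.sh run`. Recent certbot releases offer `--deploy-hook`, which runs a command only after a certificate was actually renewed; the script above shows the same idea without depending on that option, and adds the `nginx -t` check in front of the reload.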