Getting a permanently free Let's Encrypt SSL certificate

Published: 2019-05-07  Category: Misc

Getting a Let's Encrypt SSL certificate to put HTTPS on my own site, purely so that Chrome's address bar shows a 🔒 😂

2022-11-22 update: obtain the certificate with the acme.sh script (much quicker than the manual certbot procedure further down)

# Generating DH parameters takes a long time, so run it first
# (2048 bits is plenty; 4096 only if you have the CPU time to spare)
openssl dhparam -out dhparam.pem 4096

# Install acme.sh with either of these (the gitee URL is a third-party mirror of the
# GitHub project, handy from inside China). Piping a download straight into sh runs
# unreviewed code as your user: prefer to download the script, read it, then run it.
curl https://get.acme.sh | sh -s email=zhouinfo@qq.com
# curl https://gitee.com/neilpang/acme.sh/raw/master/acme.sh | sh -s email=zhouinfo@qq.com
source ~/.bashrc

# Alibaba Cloud DNS API credentials for the dns_ali plugin (placeholder values). Use a
# RAM sub-account whose only permission is AliDNS record management, never the main
# account's AccessKey: acme.sh stores these in ~/.acme.sh/account.conf for renewals,
# so anyone who can read that file gets them.
export Ali_Key="<RAM AccessKey ID>"
export Ali_Secret="<RAM AccessKey Secret>"

# Issue one certificate for the apex and the wildcard. Quote the wildcard so the shell
# cannot glob it. dns-01 is the only challenge type that can validate a wildcard name.
# acme.sh has defaulted to ZeroSSL since v3.0 (2021), so ask for Let's Encrypt explicitly.
acme.sh --issue --server letsencrypt --dns dns_ali -d zhouinfo.site -d '*.zhouinfo.site' --debug

mkdir -p /etc/nginx/cert/zhouinfo.site
mv dhparam.pem /etc/nginx/cert/

# Copy cert and key to where nginx reads them and register the reload command. acme.sh
# repeats this copy and runs the reloadcmd after every automatic renewal, so never point
# nginx at the files under ~/.acme.sh directly.
acme.sh --install-cert -d zhouinfo.site --key-file /etc/nginx/cert/zhouinfo.site/zhouinfo.site.key --fullchain-file /etc/nginx/cert/zhouinfo.site/fullchain.cer --reloadcmd "systemctl force-reload nginx"

# Same step for a second domain (after its own --issue run and mkdir)
acme.sh --install-cert -d gzpykj.com --key-file /etc/nginx/cert/gzpykj.com/gzpykj.com.key --fullchain-file /etc/nginx/cert/gzpykj.com/fullchain.cer --reloadcmd "systemctl force-reload nginx"

# nginx directives, one pair per server block. ssl_certificate must point at the full
# chain; a .csr is a signing request, not a certificate, and nginx will refuse to load it.
vim /etc/nginx/nginx.conf
ssl_certificate /etc/nginx/cert/zhouinfo.site/fullchain.cer;
ssl_certificate_key /etc/nginx/cert/zhouinfo.site/zhouinfo.site.key;
ssl_dhparam /etc/nginx/cert/dhparam.pem;

ssl_certificate /etc/nginx/cert/gzpykj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/cert/gzpykj.com/gzpykj.com.key;

# (certbot, used in the original method below, writes the equivalent files as
# /etc/letsencrypt/live/<domain>/chain.pem, privkey.pem and fullchain.pem)

nginx -t                          # validate the config before reloading
crontab -l                        # --issue added a daily renewal job; confirm it is there
acme.sh --info -d zhouinfo.site   # issue/renew dates and the install paths used above
acme.sh --upgrade --auto-upgrade  # keep acme.sh itself up to date
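Before `systemctl force-reload nginx` ever runs, it is worth confirming that the files `--install-cert` wrote are what nginx expects: a certificate rather than a CSR, a key that belongs to it, both the apex and the wildcard in the SAN list, and enough validity left. The script below is an added example for this page, not part of the original post or of acme.sh. `check_cert` performs those four checks with the openssl CLI; `make_fixtures` builds a throwaway root CA and a leaf for zhouinfo.site plus *.zhouinfo.site (constructed test data standing in for fullchain.cer and the key) so the script runs offline. Against a real deployment you would pass the paths under /etc/nginx/cert/ and a system bundle such as /etc/ssl/certs/ca-certificates.crt as the CA file.

```shell
#!/bin/sh
# Added example: sanity-check an installed certificate/key pair before nginx loads it.
# Requires the openssl CLI (1.1.1 or newer).

# check_cert CERT KEY CA_BUNDLE MIN_DAYS NAME...
#   CERT       PEM certificate, leaf first, then intermediates (e.g. fullchain.cer)
#   KEY        PEM private key that should belong to the leaf
#   CA_BUNDLE  PEM trust anchors to verify the chain against
#   MIN_DAYS   fail if the leaf expires within this many days
#   NAME...    DNS names that must all appear in subjectAltName
# Returns 0 when every check passes, 1 (with the reason on stderr) otherwise.
check_cert() {
    cert=$1; key=$2; ca=$3; min_days=$4; shift 4

    # 1. The chain must verify against the anchors. Passing the same file as -untrusted
    #    lets openssl use the intermediates bundled in fullchain.cer. This also rejects
    #    a .csr handed over by mistake, since it contains no certificate at all.
    if ! openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1; then
        echo "check_cert: chain in $cert does not verify against $ca" >&2; return 1
    fi

    # 2. The key must match the leaf: derive the public key from each and compare.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check_cert: $key does not match the certificate in $cert" >&2; return 1
    fi

    # 3. Every required name must be a literal DNS SAN entry. The match is exact, so
    #    "zhouinfo.site" is not satisfied by "*.zhouinfo.site" or the other way round.
    sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed 's/^[[:space:]]*//')
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "DNS:$name"; then
            echo "check_cert: $cert has no SAN entry for $name" >&2; return 1
        fi
    done

    # 4. The leaf must still be valid MIN_DAYS from now (-checkend takes seconds).
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "check_cert: $cert expires within $min_days days" >&2; return 1
    fi
    return 0
}

# make_fixtures DIR: constructed test data. A throwaway root CA plus a leaf for the
# apex and wildcard, valid for one day so the expiry check can be exercised.
make_fixtures() {
    d=$1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
        -subj "/CN=Test Root CA" 2>/dev/null
    # Mark the root CA:TRUE explicitly so openssl verify accepts it as an anchor
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 2 \
        -extfile "$d/ca.cnf" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/site.key" -out "$d/site.csr" \
        -subj "/CN=zhouinfo.site" 2>/dev/null
    printf 'subjectAltName=DNS:zhouinfo.site,DNS:*.zhouinfo.site\n' > "$d/san.cnf"
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/san.cnf" -out "$d/site.pem" 2>/dev/null
}

# Stand-alone demo against the fixtures. For the real files:
#   check_cert /etc/nginx/cert/zhouinfo.site/fullchain.cer \
#              /etc/nginx/cert/zhouinfo.site/zhouinfo.site.key \
#              /etc/ssl/certs/ca-certificates.crt 30 zhouinfo.site '*.zhouinfo.site'
demo() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp"
    check_cert "$tmp/site.pem" "$tmp/site.key" "$tmp/ca.pem" 0 zhouinfo.site '*.zhouinfo.site' \
        && echo "fixture certificate passes all checks"
    rm -rf "$tmp"
}
demo
```

Run it as a pre-flight step in the reloadcmd, or by hand after each `--install-cert`; a non-zero exit is the signal to stop before reloading nginx. Against a Let's Encrypt chain the verify step depends on ISRG Root X1 being in the CA bundle you pass.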

Getting the SSL certificate (original 2019 method: certbot with a manual dns-01 challenge)

# git is required

yum install git

# Download certbot (the project formerly called "letsencrypt")

# This clone works without errors
git clone https://github.com/certbot/certbot

# This one errors when run...
git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt   # or cd certbot, depending on which repository you cloned

# Test run with --dry-run (it talks to the staging CA, so no production rate limits are spent).
# The first run installs the Python dependencies, which takes a while; once they are
# installed it goes straight into the interactive configuration below.
# Note: letsencrypt-auto is no longer maintained; on a current system install certbot from
# your distribution or snap and run "certbot" with the same arguments.

./letsencrypt-auto certonly --preferred-challenges dns --manual -d zhouinfo.site -d '*.zhouinfo.site' --server https://acme-v02.api.letsencrypt.org/directory --dry-run

Note: list the apex first, then the wildcard (-d zhouinfo.site -d *.zhouinfo.site). A wildcard does not cover the apex itself, and the first -d also names the lineage directory under /etc/letsencrypt/live/.

1 Enter an email address

#Creating virtual environment...
#Installing Python packages...
#Installation succeeded.
#Saving debug log to /var/log/letsencrypt/letsencrypt.log
#Plugins selected: Authenticator manual, Installer None
#Enter email address (used for urgent renewal and security notices) (Enter 'c' to
#cancel): zhouinfo@qq.com

2 Agree to the Terms of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

3 Choose whether to share your email address with the EFF (optional)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zhouinfo.site

4 Accept that this machine's IP address will be logged

#NOTE: The IP of this machine will be publicly logged as having requested this
#certificate. If you're running certbot in manual mode on a machine that is not
#your server, please ensure you're okay with that.
#
#Are you OK with your IP being logged?
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#(Y)es/(N)o: y

5 Add a DNS TXT record named _acme-challenge.zhouinfo.site with the value uoJqJ713dFrCK-cr1hiaE5bxWJcFyakRRPc0Yqggrfo, and wait until it is visible on the domain's authoritative nameservers before pressing Enter. Because both the apex and the wildcard were requested, certbot shows this prompt twice with two different values under the same name: add the second value as an additional TXT record rather than replacing the first, since Let's Encrypt checks both.

#Please deploy a DNS TXT record under the name
#_acme-challenge.zhouinfo.site with the following value:
#
#uoJqJ713dFrCK-cr1hiaE5bxWJcFyakRRPc0Yqggrfo
#
#Before continuing, verify the record is deployed.
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Press Enter to Continue

6 Certbot then writes the private key and the certificate chain:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zhouinfo.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zhouinfo.site/privkey.pem
Your cert will expire on 2019-08-05. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
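The risky moment in the procedure above is step 5: pressing Enter before the TXT record has propagated fails the challenge, and a cached "no such record" answer from your local resolver can make a record that is already live look missing. The script below is an added example for this page (not part of the original post or of certbot) that polls DNS for the challenge values before you continue. Because the apex and the wildcard each get their own value under the same `_acme-challenge` name, the check requires every expected value to be present, not merely "some TXT record exists". It uses `dig`; the environment variable `ACME_DNS_SERVER`, the function names and the second challenge value in the comment are assumptions for this example.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record(s) are live before pressing
# Enter in certbot's manual dns-01 prompt. Requires dig (bind-utils / dnsutils).

# lookup_txt NAME [SERVER]: print the TXT values currently returned for NAME, one per
# line with the surrounding quotes removed. Query the zone's authoritative server when
# one is given, so a stale negative answer from a caching resolver cannot fool the check.
lookup_txt() {
    server=${2:+@$2}
    dig +short TXT "$1" $server | tr -d '"'
}

# txt_values_present NAME VALUE...: succeed only when every VALUE is among the TXT
# records for NAME (exact match; a prefix of the token is not enough).
txt_values_present() {
    name=$1; shift
    found=$(lookup_txt "$name" "${ACME_DNS_SERVER:-}")
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# wait_for_txt ATTEMPTS DELAY NAME VALUE...: poll until all values are visible or the
# attempts run out. Returns 0 when visible, 1 on timeout.
wait_for_txt() {
    attempts=$1; delay=$2; name=$3; shift 3
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_values_present "$name" "$@"; then
            echo "all $# TXT value(s) visible for $name"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "timed out waiting for TXT records under $name" >&2
    return 1
}

# Usage for the prompt shown above, asking the zone's first authoritative server
# directly. The second argument stands for the value certbot prints for the wildcard
# challenge (a placeholder here, not a value from the page):
#   ACME_DNS_SERVER=$(dig +short NS zhouinfo.site | head -n 1) \
#   wait_for_txt 30 10 _acme-challenge.zhouinfo.site \
#       uoJqJ713dFrCK-cr1hiaE5bxWJcFyakRRPc0Yqggrfo '<value-from-second-prompt>'
```

Let's Encrypt validates from its own vantage points against your authoritative servers, so checking the authoritative server rather than the resolver in /etc/resolv.conf is what actually predicts whether the challenge will pass. With the acme.sh dns_ali route from the 2022 update this wait is built in (the plugin adds the record, sleeps, then removes it), which is the main reason to prefer it over the manual flow.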

nginx configuration

1 Generate the /etc/nginx/ssl/dhparam.pem file

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# 2048 bits is sufficient; on a powerful server you can use 4096 (generation takes far longer).
# /etc/nginx/ssl must exist first. These parameters are only used by TLS 1.2 DHE cipher
# suites; ECDHE and TLS 1.3 key exchange do not touch them.

2 Configure nginx.conf

# Redirect every plain-HTTP request to HTTPS
server {
    listen 80;
    server_name zhouinfo.site;
    return 301 https://$server_name$request_uri;
}
server {
    # If you do not want to force HTTPS, remove the server block above and uncomment
    # "listen 80;" here so ports 80 and 443 are served by the same block
    #listen 80;
    listen 443 ssl;
    server_name zhouinfo.site;
    # The files certbot wrote
    ssl_certificate /etc/letsencrypt/live/zhouinfo.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zhouinfo.site/privkey.pem;
    # chain.pem is used for OCSP stapling only; it does nothing unless "ssl_stapling on;" is also set
    ssl_trusted_certificate /etc/letsencrypt/live/zhouinfo.site/chain.pem;
    # The file generated in step 1
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    location /nhms {
        proxy_pass http://localhost:4000/nhms;
        proxy_redirect default;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

3 Reload or restart nginx

./nginx -t          # test that the configuration is valid
./nginx -s reload   # reload the configuration without dropping connections
./nginx -s reopen   # reopen the log files (this is not a restart; use "systemctl restart nginx" for that)
./nginx -s stop     # stop nginx

systemctl enable nginx   # start at boot
Author: zhouinfo
Original link: http://blog.zhouinfo.site/2019/05/07/%E7%94%B3%E8%AF%B7Let-s-Encrypt%E6%B0%B8%E4%B9%85%E5%85%8D%E8%B4%B9SSL%E8%AF%81%E4%B9%A6/
Copyright: unless otherwise stated, all posts on this blog are published under the CC Apache License 2.0. Please credit the source when reposting!