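Requesting a free HTTPS certificate with Certbot (Let's Encrypt)

If your website needs a free HTTPS certificate, this guide shows how to request one from Let's Encrypt using Certbot.

Certbot's official website is https://certbot.eff.org/

Step 1: Request the certificate. Get certbot: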

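cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Stop Apache (standalone mode has to bind the port itself):
service httpd stop

Generate the certificate; repeat -d to add more domain names:
./certbot-auto certonly --standalone --email onexin@qq.com --agree-tos -d onexin.net -d www.onexin.net

List the generated certificates:
ls /etc/letsencrypt/live/

Step 2: Configure the certificate in Nginx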
#——————-Nginx————————–

listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/onexin.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/onexin.net/privkey.pem;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-SHA384:ECDHE-RSA-:ECDHE:!DES:!3DES:!MD5:!DSS:!PKS;
ssl_session_cache builtin:1000 shared:SSL:10m;

#——————-Nginx————————–
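
The ssl_protocols line above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and the first two entries of its ssl_ciphers value (ECDHE-SHA384, ECDHE-RSA-) are not OpenSSL cipher names. The block below is an added example, not part of the original post, showing the same settings restricted to TLS 1.2 with explicit ECDHE/AES-GCM suites; the enclosing server block and server_name are assumptions, and it assumes nginx linked against OpenSSL 1.0.1 or later.

```nginx
# Added example: the Nginx settings from this page with the TLS options tightened.
# The server {} wrapper and server_name are assumptions; paths are the page's own.
server {
    listen 443 ssl http2;
    server_name onexin.net www.onexin.net;

    # Lineage directory created by certbot for the first -d domain
    ssl_certificate     /etc/letsencrypt/live/onexin.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/onexin.net/privkey.pem;

    # Page value: TLSv1 TLSv1.1 TLSv1.2
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
    # Append TLSv1.3 when running nginx 1.13.0+ built with OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;

    # Explicit OpenSSL suite names: ECDHE key exchange (forward secrecy)
    # with AES-GCM (AEAD). The ECDSA entries are only used if an ECDSA
    # certificate is installed; with an RSA certificate the RSA ones apply.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Session resumption settings kept as on the page
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
}
```

Check the syntax with nginx -t before reloading. Afterwards, openssl s_client -connect onexin.net:443 -tls1_1 should fail the handshake while -tls1_2 succeeds.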

To configure the certificate in Apache, append the following at the end of its configuration:
#——————-Apache————————–

<VirtualHost *:443>
    DocumentRoot /home/wwwroot/www.onexin.net
    ServerName www.onexin.net:443
    ServerAdmin admin@onexin.net
    ErrorLog "/home/wwwlogs/www.onexin.net-error_log"
    CustomLog "/home/wwwlogs/www.onexin.net-access_log" common

    SSLEngine on
    # certbot names the directory under live/ after the first -d domain
    # (onexin.net in the command above); confirm with ls /etc/letsencrypt/live/
    SSLCertificateFile /etc/letsencrypt/live/onexin.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/onexin.net/privkey.pem

    <Directory "/home/wwwroot/www.onexin.net">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>

#——————-Apache————————–

Step 3: Renew the certificate. Start Apache:
service httpd start

Write the renewal script renew-cert.sh:
################################################

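#!/bin/bash
# Stop Apache so certbot's standalone server can bind the port
service httpd stop
# --force-renew renews every certificate even if it is not yet due
/root/certbot-auto renew --force-renew
service httpd start
# end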

################################################
chmod a+x renew-cert.sh

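Scheduled task to renew the HTTPS certificate automatically:

# crontab -e

# Renew the certificate automatically on the 20th of every month
0 0 20 * * /root/renew-cert.sh >> /root/crontab.log 2>&1

That's it: press Esc, type :wq, and exit.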

//——————————————————————-
Check the site's SSL security:
https://myssl.com/

 

Port 443 must be free during installation (stop whatever is listening on it), otherwise:
Problem binding to port 443: Could not bind to IPv4 or IPv6.

[root@iZuf6i4mxt5qb468fga1uaZ ~]#
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for five.onexin.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/five.onexin.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/five.onexin.com/privkey.pem
   Your cert will expire on 2017-11-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Please credit the source when reposting: https://www.onexin.net/certbothttpslets-encrypt/
