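Get a free HTTPS certificate with Certbot (Let's Encrypt)

If your website needs a free HTTPS certificate, this guide shows how to request one from Let's Encrypt with Certbot.

The official Certbot website is https://certbot.eff.org/

Step 1: Request the certificate. Get certbot: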

cd /root

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

Stop Apache so that port 443 is free:
service httpd stop

Generate the certificate; repeat -d to add more domain names:
./certbot-auto certonly --standalone --email onexin@qq.com --agree-tos -d onexin.net -d www.onexin.net

List the generated certificates:
ls /etc/letsencrypt/live/

Step 2: Configure the certificate. For Nginx:
#——————-Nginx————————–

listen 443 ssl http2;

ssl_certificate /etc/letsencrypt/live/onexin.net/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/onexin.net/privkey.pem;

ssl_session_timeout 10m;

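# TLSv1 and TLSv1.1 are deprecated (RFC 8996); add TLSv1.3 if your nginx and OpenSSL support it
ssl_protocols TLSv1.2;

ssl_prefer_server_ciphers on;

# ECDHE key exchange only; exclude anonymous, NULL, RC4, DES/3DES, MD5, DSS and PSK suites
ssl_ciphers ECDHE:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!DSS:!PSK;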

ssl_session_cache builtin:1000 shared:SSL:10m;

#——————-Nginx————————–

For Apache, append the following to the end of the configuration file:
#——————-Apache————————–

<VirtualHost *:443>

DocumentRoot /home/wwwroot/www.onexin.net

ServerName www.onexin.net:443

ServerAdmin admin@onexin.net

ErrorLog "/home/wwwlogs/www.onexin.net-error_log"

CustomLog "/home/wwwlogs/www.onexin.net-access_log" common

SSLEngine on

# Certbot names the live/ directory after the first -d domain (onexin.net in the command above)
SSLCertificateFile /etc/letsencrypt/live/onexin.net/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/onexin.net/privkey.pem

<Directory "/home/wwwroot/www.onexin.net">

SetOutputFilter DEFLATE

Options FollowSymLinks

AllowOverride All

# Apache 2.2 access syntax; on Apache 2.4 use "Require all granted" instead
Order allow,deny

Allow from all

DirectoryIndex index.html index.php

</Directory>

</VirtualHost>

#——————-Apache————————–

Step 3: Renew the certificate. Start Apache:
service httpd start

Write the renewal script renew-cert.sh:
################################################

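#!/bin/bash

# cron runs with a minimal PATH; make sure "service" can be found
PATH="$PATH:/usr/sbin:/sbin"

# Stop Apache so that certbot can bind to port 443
service httpd stop

# --force-renew renews every certificate even when it is not yet due
/root/certbot-auto renew --force-renew

service httpd start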

# end

################################################
chmod a+x renew-cert.sh

Scheduled task to renew the HTTPS certificate automatically

# crontab -e

# Renew the certificate automatically on the 20th of every month

0 0 20 * * /root/renew-cert.sh >> /root/crontab.log 2>&1

That is all. Press Esc, then type :wq to save and exit.
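
An alternative to the unconditional --force-renew script above, as an added example that is not part of the original post: it stops Apache only when the certificate has fewer than RENEW_DAYS days left, and checks the result afterwards. CERT_DIR, RENEW_DAYS, needs_renewal and renew_if_due are names assumed here; the paths and the service name are the ones used on this page.

```shell
#!/bin/bash
# Added example (not from the original page): renew only when expiry is near.
# Assumed names: CERT_DIR, RENEW_DAYS, needs_renewal, renew_if_due.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/onexin.net}"
RENEW_DAYS="${RENEW_DAYS:-30}"
PATH="$PATH:/usr/sbin:/sbin"   # cron's PATH is minimal; "service" lives in sbin

# needs_renewal CERT DAYS
# True (0) when CERT is missing, unreadable, or expires within DAYS days.
needs_renewal() {
    [ -r "$1" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stop Apache only when a renewal is actually due, then verify the result.
renew_if_due() {
    cert="$CERT_DIR/fullchain.pem"
    if ! needs_renewal "$cert" "$RENEW_DAYS"; then
        echo "$(date '+%F %T') more than $RENEW_DAYS days left, nothing to do"
        return 0
    fi
    service httpd stop                 # standalone mode needs port 443 free
    /root/certbot-auto renew
    rc=$?
    service httpd start                # bring the site back even if renewal failed
    if [ "$rc" -ne 0 ] || needs_renewal "$cert" "$RENEW_DAYS"; then
        echo "$(date '+%F %T') renewal FAILED (certbot exit $rc), see /var/log/letsencrypt/letsencrypt.log"
        return 1
    fi
    echo "$(date '+%F %T') renewed: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Run only when called as: renew-cert.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```

Installed as /root/renew-cert.sh, the cron entry on this page would pass --run as the script's argument.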

//——————————————————————-
Check your SSL configuration:
https://myssl.com/

Port 443 must be free during installation, otherwise Certbot fails with:
Problem binding to port 443: Could not bind to IPv4 or IPv6.

[root@iZuf6i4mxt5qb468fga1uaZ ~]#

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6

DeprecationWarning

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Obtaining a new certificate

/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.

signer = key.signer(self.padding, self.hash)

Performing the following challenges:

tls-sni-01 challenge for five.onexin.com

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/five.onexin.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/five.onexin.com/privkey.pem
Your cert will expire on 2017-11-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Please credit the source when reposting: https://www.onexin.net/certbothttpslets-encrypt/
