ubuntu+let's encrypt生成永久免费https证书 ubuntu+tomcat+nginx+let's encrypt

1. 下载let's encrypt

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

2. 生成密钥,调用之前需要停止nginx

certbot certonly --standalone -d www.域名1.com -d www.域名2.com

  生成成功,提示如下

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/【这里是你的域名文件夹路径】/fullchain.pem. Your cert will
   expire on 【这里是到期时间】. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. 配置nginx

server{
	client_max_body_size     50m;
	server_name  【这里是你的域名】;
	listen 443 ssl;
	ssl_certificate /etc/letsencrypt/live/【这里是你的域名证书文件夹名】/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/【这里是你的域名证书文件夹名】/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
	listen [::]:443 ssl ipv6only=on;
	
	location ^~  /xxx {
                proxy_connect_timeout 500s;
                proxy_read_timeout 500s;
                proxy_send_timeout 500s;
                proxy_pass   http://127.0.0.1:8080/xxx/;
                proxy_set_header  Host            $host;
                proxy_set_header  X-Real-IP        $remote_addr;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

4. 重启nginx

nginx -s reload

5. 重定向http访问到https

server {
        listen 80;
        server_name 【这里是你的域名】;
        rewrite ^(.*) https://$server_name$1 permanent;
}

6.强制刷新续约

#先停止nginx
1、service nginx stop

#强制刷新证书续约、因为此证书只有90天有效期,需要在到期前执行续约
2、certbot renew --force-renew
#出现提示中包含这句,就说明已经成功了  Congratulations, all renewals succeeded. The following certs have been renewed:

#启动nginx
3、service nginx start

  

 也可以一步到位执行:

         certbot renew --quiet --renew-hook "/etc/init.d/nginx reload":不打印日志,日志查看/var/log/letsencrypt/letsencrypt.log

         certbot renew --renew-hook "/etc/init.d/nginx reload"  :控制台打印日志

 

7、自动续约、可以利用linux自带的cron来定时执行刷新脚本,这样这个证书就是永久有效的了

 

crontab -e #编辑crontab列表  

#每天的23点59分执行
59 23 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"

crontab -l #查看crontab列表   

service cron restart #重启定时任务,让任务生效

 

posted @ 2017-09-27 11:47  Binz  阅读(604)  评论(0编辑  收藏  举报