ubuntu+let's encrypt生成永久免费https证书 ubuntu+tomcat+nginx+let's encrypt
1. 下载let's encrypt
$ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot
2. 生成密钥,调用之前需要停止nginx
certbot certonly --standalone -d www.域名1.com -d www.域名2.com
生成成功,提示如下
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/【这里是你的域名文件夹路径】/fullchain.pem. Your cert will expire on 【这里是到期时间】. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
3. 配置nginx
server{ client_max_body_size 50m; server_name 【这里是你的域名】; listen 443 ssl; ssl_certificate /etc/letsencrypt/live/【这里是你的域名证书文件夹名】/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/【这里是你的域名证书文件夹名】/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; listen [::]:443 ssl ipv6only=on; location ^~ /xxx { proxy_connect_timeout 500s; proxy_read_timeout 500s; proxy_send_timeout 500s; proxy_pass http://127.0.0.1:8080/xxx/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
4. 重启nginx
nginx -s reload
5. 重定向http访问到https
server { listen 80; server_name 【这里是你的域名】; rewrite ^(.*) https://$server_name$1 permanent; }
6.强制刷新续约
#先停止nginx 1、service nginx stop #强制刷新证书续约、因为此证书只有90天有效期,需要在到期前执行续约 2、certbot renew --force-renew #出现提示中包含这句,就说明已经成功了 Congratulations, all renewals succeeded. The following certs have been renewed: #启动nginx 3、service nginx start
也可以一步到位执行:
certbot renew --quiet --renew-hook "/etc/init.d/nginx reload":不打印日志,日志查看/var/log/letsencrypt/letsencrypt.log
certbot renew --renew-hook "/etc/init.d/nginx reload" :控制台打印日志
7、自动续约、可以利用linux自带的cron来定时执行刷新脚本,这样这个证书就是永久有效的了
crontab -e #编辑crontab列表 #每天的23点59分执行 59 23 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload" crontab -l #查看crontab列表 service cron restart #重启定时任务,让任务生效