使用Let's Encrypt + Nginx生成免费HTTPS证书
Let’s Encrypt简介
官网:https://letsencrypt.org/
Let’s Encrypt作为一个公共且免费SSL的项目逐渐被广大用户传播和使用,是由Mozilla、Cisco、Akamai、IdenTrust、EFF等组织人员发起,主要的目的也是为了推进网站从HTTP向HTTPS过度的进程,目前已经有越来越多的商家加入和赞助支持。
certbot简介
官方客户端 CertbotCertBot提供了很多命令来管理证书的获取,更新,与撤销,详情可参阅官网。
操作步骤
1.克隆certbot仓库
sudo git clone
https://github.com/certbot/certbot/opt/letsencrypt/opt/letsencrypt/letsencrypt-auto
2. Nginx server配置域名验证
location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /opt/JAVA1024/CERT; } location = /.well-known/acme-challenge/ { return 404; }
3.使用certbot生成证书
export DOMAINS="java1024.club,m.java1024.club"export DIR=/opt/JAVA1024/CERT /opt/letsencrypt/letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR -d $DOMAINS
4.使用证书, Nginx server配置
listen 443;#let's encrypt ssl_certificate /etc/letsencrypt/live/java1024.club/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/java1024.club/privkey.pem;
5.创建自动检查更新脚本,并加入crontab
crontab 是用来定期检查证书有效期。
#!/bin/sh# This script renews all the Let's Encrypt certificates with a validity < 30 days if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then echo Automated renewal failed: cat /var/log/letsencrypt/renew.log exit 1fi nginx -t && nginx -s reload
加入定时任务
sudo crontab -e
@daily /mnt/crontab_scrpit/renew_certs.sh
6.更改域名信息
export DOMAINS="java1024.club,m.java1024.club,java1024.com" export DIR=/opt/JAVA1024/CERT /opt/letsencrypt/letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR -d $DOMAINS
7. 重启服务器
nginx -s reload
访问域名,效果展示: