Free SSL certificates with Let's Encrypt: installation, usage and Nginx configuration

The Let's Encrypt CA project is run by the non-profit Internet Security Research Group (ISRG) and was launched by organisations including Mozilla, Cisco, Akamai, IdenTrust, the EFF and the University of Michigan. It automatically issues and manages free SSL certificates for websites, in order to speed up the Internet's transition from HTTP to HTTPS.

Let's Encrypt official website: https://letsencrypt.org/
Let's Encrypt project page: https://github.com/letsencrypt/letsencrypt

1. Install the dependencies for the Let's Encrypt script

# CentOS 6
yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse

# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse

2. Fetch Let's Encrypt and generate the SSL certificate

yum install git-core
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
./letsencrypt-auto certonly --email admin@2dan.cc -d www.2dan.cc --webroot -w /home/html --agree-tos

For multiple domains, add a further -d <domain> argument for each one.

After the certificate has been generated you will see the following notice:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to admin@2dan.cc.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.2dan.cc/fullchain.pem. Your cert will
   expire on 2016-06-01. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Nginx virtual host configuration

listen 443 ssl;
server_name www.2dan.cc;
index index.html index.htm index.php default.html default.htm default.php;
root /home/html;
charset utf-8;
ssl on;   # redundant with "listen 443 ssl" and deprecated in newer nginx releases
ssl_certificate      /etc/letsencrypt/live/www.2dan.cc/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/www.2dan.cc/privkey.pem;
ssl_session_timeout  5m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are legacy; drop them unless old clients must be supported
ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
error_page 497 https://$host$uri;   # a plain HTTP request on the TLS port yields 497: redirect it to https
    

Adjust the configuration above to your own environment.

Then run /etc/init.d/nginx reload to reload the configuration and make it take effect.

If you need HSTS, add:
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

4. Certificate renewal

Because a certificate is only valid for 90 days, it is advisable to renew it at around day 60. Renewal is simple and can be left to crontab; run:

cat >/root/renew-ssl.sh <<'EOF'
#!/bin/bash
# make sure the webroot challenge directory exists before the ACME validation
mkdir -p /home/html/.well-known/acme-challenge
# --renew-by-default forces re-issuance even if the current certificate is still valid
/root/letsencrypt/letsencrypt-auto --renew-by-default certonly --email admin@2dan.cc -d www.2dan.cc --webroot -w /home/html --agree-tos
/etc/init.d/nginx reload
EOF
chmod +x /root/renew-ssl.sh
# /etc/crontab requires a user field before the command; note that "*/60" in the
# day-of-month field (1-31) only ever matches day 1, so this effectively runs monthly
echo "0 3 */60 * * root /root/renew-ssl.sh" >> /etc/crontab
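As an added example (not part of the original post), here is a renewal script that reads the remaining lifetime of the live certificate with openssl and only re-issues when fewer than 30 days remain, instead of forcing a re-issue on every cron run. It assumes GNU date, openssl, and the domain and paths used in this post; the "run" argument and the 30-day threshold are choices made here.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes GNU date, openssl and the
# paths/domain used above. Renews only when the certificate is near expiry.
CERT=/etc/letsencrypt/live/www.2dan.cc/fullchain.pem   # first cert in the file is the leaf
WEBROOT=/home/html
LE=/root/letsencrypt/letsencrypt-auto
THRESHOLD_DAYS=30   # renew with 30 days left, as Let's Encrypt recommends

# Seconds until expiry from an openssl "notAfter=<date>" line.
# $2 (optional) overrides "now" so the function can be tested deterministically.
seconds_until_expiry() {
    local not_after="${1#notAfter=}"
    local expiry now
    expiry=$(date -u -d "$not_after" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( expiry - now ))
}

# True (exit 0) when the certificate should be renewed. An unparsable date
# is treated as "renew now" rather than silently skipping the renewal.
should_renew() {
    local secs
    secs=$(seconds_until_expiry "$1" "${2:-}" 2>/dev/null) || return 0
    [ "$secs" -lt $(( THRESHOLD_DAYS * 86400 )) ]
}

renew_if_needed() {
    local not_after
    not_after=$(openssl x509 -noout -enddate -in "$CERT") || return 1
    if should_renew "$not_after"; then
        mkdir -p "$WEBROOT/.well-known/acme-challenge"
        "$LE" --renew-by-default certonly --email admin@2dan.cc -d www.2dan.cc \
            --webroot -w "$WEBROOT" --agree-tos && /etc/init.d/nginx reload
    else
        echo "certificate valid for more than $THRESHOLD_DAYS days; nothing to do"
    fi
}

# Run daily from /etc/crontab (user field required):
#   0 3 * * * root /root/renew-ssl.sh run
# Without the "run" argument the script only defines the functions.
if [ "${1:-}" = "run" ]; then
    renew_if_needed
fi
```

Running it daily is safe: the script is a no-op until the threshold is reached, so a failed validation still leaves many days of retries before the certificate expires.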
    

Tags: Nginx, installation, SSL, certificate
