Free SSL certificates with Let's Encrypt: installation, use and Nginx configuration
The Let's Encrypt CA is run by the non-profit Internet Security Research Group (ISRG) and was founded by Mozilla, Cisco, Akamai, IdenTrust, the EFF and the University of Michigan, among others. It automatically issues and manages free SSL/TLS certificates for websites in order to speed up the web's transition from HTTP to HTTPS.
Let's Encrypt official site: https://letsencrypt.org/
Let's Encrypt project page: https://github.com/letsencrypt/letsencrypt
1. Install the dependencies for the Let's Encrypt script
# CentOS 6
yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
2. Fetch Let's Encrypt and generate the SSL certificate
yum install git-core
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
./letsencrypt-auto certonly --email [email protected] -d www.2dan.cc --webroot -w /home/html --agree-tos
For multiple domains, pass several -d arguments. The --webroot plugin writes a challenge file under /home/html/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP at http://www.2dan.cc/.well-known/acme-challenge/..., so nginx must already be serving that webroot on port 80 for the domain before you run this; otherwise validation fails and no certificate is issued.
After the certificate has been generated you will see a notice like this:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through e-mails sent to [email protected].
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.2dan.cc/fullchain.pem. Your cert will expire
on 2016-06-01. To obtain a new version of the certificate in the
future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Nginx virtual host settings
server {
    listen 443 ssl;
    server_name www.2dan.cc;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/html;
    charset utf-8;
    # "ssl on;" is redundant with "listen 443 ssl" (obsolete since nginx 1.15, removed in 1.25); leave it out on current versions
    ssl_certificate /etc/letsencrypt/live/www.2dan.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.2dan.cc/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # plain-HTTP requests that hit port 443 get nginx's internal code 497; send them to https ($request_uri keeps the query string, $uri would drop it)
    error_page 497 https://$host$request_uri;
}
Adapt the configuration above to your own setup, then run /etc/init.d/nginx reload to make it take effect.
Two caveats for a current deployment. TLSv1 and TLSv1.1 have been deprecated (RFC 8996), and the cipher string above still admits static-RSA key exchange (no forward secrecy) and 3DES via MEDIUM, so restrict ssl_protocols to TLSv1.2 and TLSv1.3 and ssl_ciphers to ECDHE AEAD suites. And error_page 497 only catches plain-HTTP requests that happen to reach port 443; a real HTTP-to-HTTPS redirect needs a separate server block listening on port 80 that returns 301 to https://, while still serving /.well-known/acme-challenge/ from the webroot there, because that is the path Let's Encrypt validates over port 80.
If you want HSTS, add: add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; Note that includeSubdomains commits every subdomain to HTTPS and preload is effectively permanent once the domain is submitted to the browser preload list, so enable both only after every host under the domain is served correctly over HTTPS.
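The following is an added example and not configuration from the original post: a shell function that renders a complete vhost for a domain from the paths this post uses (a port-80 server that answers the ACME challenge and redirects everything else, plus a port-443 server limited to TLSv1.2/1.3 with forward-secret AEAD suites in place of the TLSv1/MEDIUM list above), a pre-flight check that the challenge path really is reachable over HTTP before Let's Encrypt is asked to fetch it, and an installer that syntax-checks before reloading. It assumes nginx 1.15 or newer (no `ssl on;`), that vhost files live in /etc/nginx/conf.d/, and that curl is available; the function names render_vhost, challenge_reachable and install_vhost are mine.

```shell
#!/bin/bash
# Added example (not the post's configuration). Renders and installs an nginx
# vhost for a domain whose Let's Encrypt files are in /etc/letsencrypt/live/<domain>/.
# Assumes nginx >= 1.15, vhosts under /etc/nginx/conf.d/, curl installed.
set -eu

# render_vhost DOMAIN WEBROOT -> prints both server blocks to stdout.
# Nginx variables are written as \$host etc. so the shell leaves them alone;
# ${domain} and ${webroot} are expanded by the shell.
render_vhost() {
    local domain="$1" webroot="$2"
    cat <<EOF
# Port 80: serve ACME HTTP-01 challenges from the webroot, redirect everything else.
server {
    listen 80;
    server_name ${domain};

    location ^~ /.well-known/acme-challenge/ {
        root ${webroot};
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

# Port 443: the site itself.
server {
    listen 443 ssl;
    server_name ${domain};
    root ${webroot};
    index index.html index.htm index.php;
    charset utf-8;

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996); do not offer them.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only: no static RSA key exchange, no 3DES, no RC4,
    # no export suites. With AEAD-only lists the client's order is fine.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS without "preload": add that only after submitting at hstspreload.org,
    # once every host under the domain is known to work over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
EOF
}

# challenge_reachable DOMAIN WEBROOT -> exit 0 if a file dropped into the webroot's
# challenge directory can be fetched over plain HTTP, the way the CA will fetch it.
challenge_reachable() {
    local domain="$1" webroot="$2" token got
    token="probe-$$-$(date +%s)"
    mkdir -p "${webroot}/.well-known/acme-challenge"
    echo "$token" > "${webroot}/.well-known/acme-challenge/${token}"
    got=$(curl -fsS --max-time 10 "http://${domain}/.well-known/acme-challenge/${token}" || true)
    rm -f "${webroot}/.well-known/acme-challenge/${token}"
    [ "$got" = "$token" ]
}

# install_vhost DOMAIN WEBROOT: write the file, syntax-check, then reload nginx.
install_vhost() {
    local domain="$1" webroot="$2"
    local conf="/etc/nginx/conf.d/${domain}.conf"
    render_vhost "$domain" "$webroot" > "$conf"
    nginx -t && nginx -s reload
}

# Typical order on a fresh host:
#   install_vhost www.2dan.cc /home/html      # port 80 block is enough for validation
#   challenge_reachable www.2dan.cc /home/html && ./letsencrypt-auto certonly ...
```

Install the vhost before the first certonly run; the port-80 block is what validation needs, and nginx -t will fail on the 443 block only until the certificate files exist, so on a host with no certificate yet comment that block out for the first issuance.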
4. Certificate renewal
Certificates are valid for only 90 days, so renew around day 60. Renewal is simple and can be left to cron. Run:
cat >/root/renew-ssl.sh<<'EOF'
#!/bin/bash
# make sure the challenge directory exists so the webroot plugin can write into it
mkdir -p /home/html/.well-known/acme-challenge
# --renew-by-default forces re-issuance even while the current certificate is still valid
/root/letsencrypt/letsencrypt-auto --renew-by-default certonly --email [email protected] -d www.2dan.cc --webroot -w /home/html --agree-tos
/etc/init.d/nginx reload
EOF
chmod +x /root/renew-ssl.sh
echo "0 3 1 * * root /root/renew-ssl.sh" >> /etc/crontab
Two points about the cron line. Entries in /etc/crontab need a user field before the command (a personal crontab edited with crontab -e does not). And cron cannot express "every 60 days": the day-of-month field only covers 1-31, so a step of */60 matches day 1 alone, which means the job runs on the 1st of every month; writing 1 says what actually happens. With --renew-by-default that reissues the certificate monthly, which stays inside Let's Encrypt's duplicate-certificate rate limit (5 per week), but it also means the renewal is blind: it never checks whether the certificate is about to expire or whether the new one differs from the old.
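The script above force-renews on a fixed calendar date. The version below is an added example, not the post's script: it reads the expiry date out of the leaf certificate, renews only when fewer than RENEW_DAYS remain, and reloads nginx only when the certificate file actually changed, so it is safe to run from cron every day. The certonly flags are the ones the post uses; EMAIL is a placeholder for the post's address (not recoverable from the page), the function names are mine, and date parsing relies on GNU date (-d) with coreutils sha256sum. Later certbot releases ship this same "renew if within 30 days" logic as `certbot renew`.

```shell
#!/bin/bash
# Added example (not the post's renew-ssl.sh). Renews only when the certificate
# is close to expiry and reloads nginx only when the files changed.
# Assumptions: client checked out at /root/letsencrypt, webroot /home/html,
# nginx managed by /etc/init.d/nginx (as in the post), GNU date and sha256sum.
set -eu

DOMAIN="www.2dan.cc"
WEBROOT="/home/html"
EMAIL="admin@example.com"     # placeholder for the post's account e-mail
RENEW_DAYS=30                 # 90-day certs: renewing with 30 days left ~= day 60
LIVE="/etc/letsencrypt/live/${DOMAIN}"

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days remaining (negative once expired).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD_DAYS -> exit 0 when renewal is due.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt "$3" ]
}

# cert_not_after_epoch FILE -> notAfter of the certificate as a Unix timestamp.
# openssl prints e.g. "notAfter=Jun  1 12:00:00 2016 GMT", which GNU date parses.
cert_not_after_epoch() {
    local raw
    raw=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -u -d "$raw" +%s
}

# renew: re-issue with the post's flags, reload nginx only if fullchain.pem changed.
renew() {
    local before after
    mkdir -p "${WEBROOT}/.well-known/acme-challenge"
    before=$(sha256sum "${LIVE}/fullchain.pem" | cut -d' ' -f1)
    /root/letsencrypt/letsencrypt-auto --renew-by-default certonly \
        --email "$EMAIL" -d "$DOMAIN" --webroot -w "$WEBROOT" --agree-tos
    after=$(sha256sum "${LIVE}/fullchain.pem" | cut -d' ' -f1)
    if [ "$before" != "$after" ]; then
        /etc/init.d/nginx configtest && /etc/init.d/nginx reload
    fi
}

main() {
    local not_after now left
    if [ ! -r "${LIVE}/cert.pem" ]; then
        echo "${LIVE}/cert.pem not found; run the initial certonly first" >&2
        return 0
    fi
    not_after=$(cert_not_after_epoch "${LIVE}/cert.pem")
    now=$(date -u +%s)
    left=$(days_left "$not_after" "$now")
    if needs_renewal "$not_after" "$now" "$RENEW_DAYS"; then
        echo "$(date -u +%FT%TZ) ${DOMAIN}: ${left} days left, renewing"
        renew
    else
        echo "$(date -u +%FT%TZ) ${DOMAIN}: ${left} days left, nothing to do"
    fi
}

# Daily from /etc/crontab (note the user field):
#   0 3 * * * root /root/renew-ssl.sh >> /var/log/renew-ssl.log 2>&1
main
```

Because the expiry check is done here, a failed renewal on one night simply retries the next night while there are still weeks of validity left, and cron's non-zero exit mail tells you something is wrong long before the certificate lapses.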