Mozilla、思科、Akamai、IdenTrust、EFF 和密歇根大学研究人员联合宣布Let’s Encrypt CA 项 目,计划为网站提供免费的基本 SSL 证书,以加速互联网从 HTTP 向 HTTPS 过渡。Let’s Encrypt CA 将由非赢利组织 Internet Security Research Group (ISRG) 运营
https://letsencrypt.org/
https://github.com/certbot/certbot

官方帮助链接:https://certbot.eff.org/#centosrhel7-nginx

1.依赖环境,安装python2.7和git工具。

wget https://www.python.org/ftp/python/2.7.12/Python-2.7.12.tgztar zxf Python-2.7.12.tgzcd Python-2.7.12./configuremake && make install#把系统python命令指到新版本which python/usr/local/bin/pythonrm /usr/local/bin/pythonln -s /usr/local/bin/python2.7 /usr/local/bin/pythonyum -y install git

2.下载letsencrypt工具

git clone https://github.com/letsencrypt/letsencrypt.git cd letsencrypt./letsencrypt-auto --help  #查看帮助./letsencrypt-auto certonly --manual #配置过程会需要域名邮箱和域名,以及追踪你的IP./letsencrypt-auto certonly --standalone --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d blog.wanggaoli.com
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at   /etc/letsencrypt/live/wgli.vip/fullchain.pem. Your cert will   expire on 2016-08-09\. To obtain a new version of the certificate in   the future, simply run Let's Encrypt again. - If like Let's Encrypt, please consider supporting our work by:   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate   Donating to EFF:                    https://eff.org/donate-le
[root@wanggaoli letsencrypt]# ll /etc/letsencrypt/live/wgli.vip/total 0lrwxrwxrwx 1 root root 32 Aug  9 16:55 cert.pem -> ../../archive/wgli.vip/cert3.pemlrwxrwxrwx 1 root root 33 Aug  9 16:55 chain.pem -> ../../archive/wgli.vip/chain3.pemlrwxrwxrwx 1 root root 37 Aug  9 16:55 fullchain.pem -> ../../archive/wgli.vip/fullchain3.pemlrwxrwxrwx 1 root root 35 Aug  9 16:55 privkey.pem -> ../../archive/wgli.vip/privkey3.pemcd /data/wwwmkdir -p .well-known/acme-challengeecho b96bGjwilROF4phGcqRDUtuLIcemhfvQD49z110KY3k.g1YHIALGIOmxuLkDWgza3AQt4_tKofpCBgg8ujSHBH8 > .well-known/acme-challenge/b96bGjwilROF4phGcqRDUtuLIcemhfvQD49z110KY3k可以使用curl测试一下若正常,按回车。(如果还没装web服务器的话可以按照提示执行#run only once per server下面的命令)(注意此段echo内容根据实际情况填写,每个域名反馈内容不一样,文件名也不一样)Nginx:ssl_certificate /etc/letsencrypt/live/wgli.vip/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/wgli.vip/privkey.pem;

3.证书续期最后要说的是续期,因为证书只有90天,所以建议85左右的时候进行一次续期,续期很简单可以交给crontab进行完成,执行:

0 0 */85 * * /usr/local/nginx/conf/ss/letsencrypt-auto certonly --renew-by-default --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d blog.wanggaoli.com &> /data/wwwlogs/let.log

yum -y install letsencrypt
letsencrypt certonly –manual –email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d zabbix.wanggaoli.com -d jumpserver.wanggaoli.com
0 0 */85 * * letsencrypt certonly –renew-by-default –email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d zabbix.wanggaoli.com -d jumpserver.wanggaoli.com && nginx -t && nginx -s reload

curl https://get.acme.sh | shsource ~/.bashrcexport Ali_Key='123456'export Ali_Secret='123456'acme.sh --issue --dns dns_ali --force -d 'wanggaoli.com' -d '*.wanggaoli.com'acme.sh --renew -d 'wanggaoli.com' --force