Requesting a free SSL certificate with the Let's Encrypt client

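Mozilla, Cisco, Akamai, IdenTrust, EFF and researchers at the University of Michigan jointly announced the Let's Encrypt CA project, which plans to provide websites with free basic SSL certificates in order to speed up the Internet's transition from HTTP to HTTPS. Let's Encrypt CA will be operated by the non-profit Internet Security Research Group (ISRG).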
https://letsencrypt.org/
https://github.com/certbot/certbot

Official help link: https://certbot.eff.org/#centosrhel7-nginx

1. Dependencies: install Python 2.7 and git.

wget https://www.python.org/ftp/python/2.7.12/Python-2.7.12.tgz
tar zxf Python-2.7.12.tgz
cd Python-2.7.12
./configure
make && make install

# Point the system python command at the new version
which python
/usr/local/bin/python
rm /usr/local/bin/python
ln -s /usr/local/bin/python2.7 /usr/local/bin/python

yum -y install git

2. Download the letsencrypt tool
git clone https://github.com/letsencrypt/letsencrypt.git 

cd letsencrypt

./letsencrypt-auto --help  # show help

./letsencrypt-auto certonly --manual # the setup asks for an e-mail address and the domain names, and your IP will be logged

./letsencrypt-auto certonly --standalone --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d blog.wanggaoli.com
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/wgli.vip/fullchain.pem. Your cert will
   expire on 2016-08-09. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[root@wanggaoli letsencrypt]# ll /etc/letsencrypt/live/wgli.vip/
total 0
lrwxrwxrwx 1 root root 32 Aug  9 16:55 cert.pem -> ../../archive/wgli.vip/cert3.pem
lrwxrwxrwx 1 root root 33 Aug  9 16:55 chain.pem -> ../../archive/wgli.vip/chain3.pem
lrwxrwxrwx 1 root root 37 Aug  9 16:55 fullchain.pem -> ../../archive/wgli.vip/fullchain3.pem
lrwxrwxrwx 1 root root 35 Aug  9 16:55 privkey.pem -> ../../archive/wgli.vip/privkey3.pem

cd /data/www
mkdir -p .well-known/acme-challenge
echo b96bGjwilROF4phGcqRDUtuLIcemhfvQD49z110KY3k.g1YHIALGIOmxuLkDWgza3AQt4_tKofpCBgg8ujSHBH8 > .well-known/acme-challenge/b96bGjwilROF4phGcqRDUtuLIcemhfvQD49z110KY3k
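You can test it with curl.
If it works, press Enter. (If no web server is installed yet, you can follow the prompt and run the commands listed under "#run only once per server".)
(Note: fill in the echo content according to your actual situation. The response content is different for every domain, and so is the file name.)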

Nginx:
ssl_certificate /etc/letsencrypt/live/wgli.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wgli.vip/privkey.pem;
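
3. Certificate renewal

The last thing to cover is renewal. The certificate is only valid for 90 days, so renewing at around day 85 is recommended. Renewal is simple and can be handed to crontab:
# cron cannot express an 85-day interval (the day-of-month field only spans 1-31), so this runs on the 1st of every month
0 0 1 * * /usr/local/nginx/conf/ss/letsencrypt-auto certonly --renew-by-default --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d blog.wanggaoli.com > /data/wwwlogs/let.log 2>&1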

yum -y install letsencrypt
letsencrypt certonly --manual --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d zabbix.wanggaoli.com -d jumpserver.wanggaoli.com
# cron cannot express an 85-day interval (the day-of-month field only spans 1-31), so this runs on the 1st of every month
0 0 1 * * letsencrypt certonly --renew-by-default --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d zabbix.wanggaoli.com -d jumpserver.wanggaoli.com && nginx -t && nginx -s reload
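
Cron's day-of-month field only covers 1 to 31, so a crontab entry cannot express "renew at about day 85" by itself. The script below is an added example, not part of the original post: run daily, it reads the certificate's expiry with openssl and calls the page's renewal command only when 5 or fewer days remain. It assumes openssl and GNU date are installed; the script path, the EMAIL placeholder and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes openssl and GNU date.
CERT=${CERT:-/etc/letsencrypt/live/wgli.vip/cert.pem}   # path used on this page
EMAIL=${EMAIL:-admin@example.com}                       # placeholder address
RENEW_WITHIN_DAYS=${RENEW_WITHIN_DAYS:-5}               # 90-day lifetime: about day 85

# days_until END_EPOCH NOW_EPOCH: whole days left, rounded down (negative once expired)
days_until() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))
    else
        echo $(( diff / 86400 ))
    fi
}

# renewal_due END_EPOCH NOW_EPOCH: succeeds when the certificate is inside the window
renewal_due() {
    [ "$(days_until "$1" "$2")" -le "$RENEW_WITHIN_DAYS" ]
}

# cert_end_epoch FILE: notAfter of a PEM certificate as a Unix timestamp
cert_end_epoch() {
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 1
    # openssl prints e.g. "notAfter=Nov  7 16:55:00 2016 GMT" (constructed sample)
    date -u -d "${not_after#notAfter=}" +%s
}

renew_if_due() {
    # Fail loudly if the expiry cannot be read, so cron mails the error
    end=$(cert_end_epoch "$CERT") || { echo "cannot read expiry of $CERT" >&2; return 2; }
    now=$(date +%s)
    if renewal_due "$end" "$now"; then
        letsencrypt certonly --renew-by-default --email "$EMAIL" \
            -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com \
            && nginx -t && nginx -s reload
    else
        echo "$(days_until "$end" "$now") days left, nothing to do"
    fi
}

# Daily crontab entry (hypothetical script path): 0 3 * * * /root/renew-check.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```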

curl https://get.acme.sh | sh
source ~/.bashrc
export Ali_Key='123456'
export Ali_Secret='123456'
acme.sh --issue --dns dns_ali --force -d 'wanggaoli.com' -d '*.wanggaoli.com'
acme.sh --renew -d 'wanggaoli.com' --force