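Mozilla, Cisco, Akamai, IdenTrust, EFF and researchers at the University of Michigan jointly announced the Let's Encrypt CA project, which plans to provide free basic SSL certificates for websites in order to accelerate the Internet's transition from HTTP to HTTPS. The Let's Encrypt CA will be operated by the non-profit Internet Security Research Group (ISRG).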
https://letsencrypt.org/
https://github.com/certbot/certbot
Official help link: https://certbot.eff.org/#centosrhel7-nginx
1. Prerequisites: install Python 2.7 and git.
wget https://www.python.org/ftp/python/2.7.12/Python-2.7.12.tgz
tar zxf Python-2.7.12.tgz
cd Python-2.7.12
./configure
make && make install
# Point the system python command at the new version
which python
/usr/local/bin/python
rm /usr/local/bin/python
ln -s /usr/local/bin/python2.7 /usr/local/bin/python
yum -y install git
2. Download the letsencrypt tool
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
./letsencrypt-auto --help   # show help
./letsencrypt-auto certonly --manual   # the configuration process asks for an email address and the domain names, and logs your IP
./letsencrypt-auto certonly --standalone --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d blog.wanggaoli.com
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/wgli.vip/fullchain.pem. Your cert will expire on 2016-08-09. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
[root@wanggaoli letsencrypt]# ll /etc/letsencrypt/live/wgli.vip/
total 0
lrwxrwxrwx 1 root root 32 Aug 9 16:55 cert.pem -> ../../archive/wgli.vip/cert3.pem
lrwxrwxrwx 1 root root 33 Aug 9 16:55 chain.pem -> ../../archive/wgli.vip/chain3.pem
lrwxrwxrwx 1 root root 37 Aug 9 16:55 fullchain.pem -> ../../archive/wgli.vip/fullchain3.pem
lrwxrwxrwx 1 root root 35 Aug 9 16:55 privkey.pem -> ../../archive/wgli.vip/privkey3.pem
cd /data/www
mkdir -p .well-known/acme-challenge
echo b96bGjwilROF4phGcqRDUtuLIcemhfvQD49z110KY3k.g1YHIALGIOmxuLkDWgza3AQt4_tKofpCBgg8ujSHBH8 > .well-known/acme-challenge/b96bGjwilROF4phGcqRDUtuLIcemhfvQD49z110KY3k
You can test it with curl; if it works, press Enter. (If no web server is installed yet, you can follow the prompt and run the commands listed under "#run only once per server".)
(Note: fill in the echo content according to your own output. Each domain gets different response content and a different file name.)
Nginx:
ssl_certificate /etc/letsencrypt/live/wgli.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wgli.vip/privkey.pem;
3. Certificate renewal
The last thing to cover is renewal. The certificate is valid for only 90 days, so it is recommended to renew at around day 85. Renewal is simple and can be handed to crontab. Run:
0 0 */85 * * /usr/local/nginx/conf/ss/letsencrypt-auto certonly --renew-by-default --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d blog.wanggaoli.com &> /data/wwwlogs/let.log
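The manual challenge step in section 2 (creating the file under .well-known/acme-challenge), as an added example that is not from the original post or the Let's Encrypt project. The hypothetical helper write_challenge checks that the key authorization printed by letsencrypt-auto has the form token.thumbprint in base64url characters before the token is used as a file name, then writes the file and reads it back.

```shell
# Added example (not from the original post). write_challenge and
# is_base64url are hypothetical helper names; the webroot and the key
# authorization are whatever applies to your own server and domain.

# Succeeds only if $1 is a non-empty base64url string (A-Z a-z 0-9 _ -).
# The body runs in a subshell so LC_ALL=C does not leak to the caller.
is_base64url() (
    LC_ALL=C   # byte-wise ranges regardless of the caller's locale
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) exit 1 ;;
    esac
    exit 0
)

# write_challenge WEBROOT KEY_AUTHORIZATION
# KEY_AUTHORIZATION has the form <token>.<account-key-thumbprint>.
# Prints the path of the file written; returns non-zero on bad input.
write_challenge() {
    wc_root=$1
    wc_keyauth=$2
    case "$wc_keyauth" in
        *.*) ;;
        *) echo "key authorization must be <token>.<thumbprint>" >&2; return 1 ;;
    esac
    wc_token=${wc_keyauth%%.*}   # text before the first dot
    wc_thumb=${wc_keyauth#*.}    # text after the first dot
    # The token becomes a file name, so refuse anything outside base64url
    # (this rejects "/", "..", whitespace and shell metacharacters).
    if ! is_base64url "$wc_token" || ! is_base64url "$wc_thumb"; then
        echo "refusing malformed key authorization" >&2
        return 1
    fi
    [ -d "$wc_root" ] || { echo "webroot not found: $wc_root" >&2; return 1; }
    wc_dir=$wc_root/.well-known/acme-challenge
    mkdir -p "$wc_dir" || return 1
    # printf writes exactly the key authorization, without the trailing
    # newline that echo appends.
    printf '%s' "$wc_keyauth" > "$wc_dir/$wc_token" || return 1
    chmod 644 "$wc_dir/$wc_token"
    # Read back what the web server will serve and compare.
    [ "$(cat "$wc_dir/$wc_token")" = "$wc_keyauth" ] || return 1
    printf '%s\n' "$wc_dir/$wc_token"
}

# Usage: write_challenge /data/www '<token>.<thumbprint>'
```

After it succeeds, fetch the file with curl as described above before pressing Enter.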
yum -y install letsencrypt
letsencrypt certonly --manual --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d zabbix.wanggaoli.com -d jumpserver.wanggaoli.com
0 0 */85 * * letsencrypt certonly --renew-by-default --email 766083824@qq.com -d wanggaoli.com -d www.wanggaoli.com -d pic.wanggaoli.com -d zabbix.wanggaoli.com -d jumpserver.wanggaoli.com && nginx -t && nginx -s reload
curl https://get.acme.sh | sh
source ~/.bashrc
export Ali_Key='123456'
export Ali_Secret='123456'
acme.sh --issue --dns dns_ali --force -d 'wanggaoli.com' -d '*.wanggaoli.com'
acme.sh --renew -d 'wanggaoli.com' --force