Installing and Using Free Let's Encrypt SSL Certificates, with Nginx Configuration
The Let's Encrypt CA project is run by the non-profit Internet Security Research Group (ISRG) and was launched by organizations including Mozilla, Cisco, Akamai, IdenTrust, the EFF and the University of Michigan. It automatically issues and manages free SSL certificates for websites in order to speed up the Internet's transition from HTTP to HTTPS.
Let's Encrypt official website: https://letsencrypt.org/
Let's Encrypt project page: https://github.com/letsencrypt/letsencrypt
1. Install the dependencies for the Let's Encrypt script
# CentOS 6
yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
2. Fetch Let's Encrypt and generate the SSL certificate
yum install git-core
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
# webroot mode: the client writes the ACME challenge file under /home/html/.well-known/acme-challenge,
# so that directory must be served over plain HTTP by the existing site
./letsencrypt-auto certonly --email admin@qiquanji.com -d www.qiquanji.com --webroot -w /home/html --agree-tos
For multiple domains, add one -d <domain> option per domain.
After the certificate is generated, a message like the following is shown:
3. Nginx virtual host settings
server {
    listen 443 ssl;
    server_name www.qiquanji.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/html;
    charset utf-8;
    # "ssl on;" is redundant with "listen 443 ssl" and has been removed from recent nginx releases
    # ssl on;
    ssl_certificate /etc/letsencrypt/live/www.qiquanji.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.qiquanji.com/privkey.pem;
    ssl_session_timeout 5m;
    # protocol and cipher settings as given in the original post; TLSv1/TLSv1.1 and this
    # permissive cipher string are legacy choices, restrict them where old clients are not required
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # 497 = plain HTTP request received on the HTTPS port: redirect it to https
    # ($request_uri keeps the query string, which $uri would drop)
    error_page 497 https://$host$request_uri;
}
Adjust the configuration above to match your own setup.
Then run /etc/init.d/nginx reload to reload the configuration so it takes effect.
If you need HSTS, you can add:
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
4. Certificate renewal
Because the certificate is valid for only 90 days, it is recommended to renew it at around day 60. Renewal is simple and can be handed to crontab; run:
# quoted 'EOF' so nothing inside the script is expanded while writing the file
cat >/root/renew-ssl.sh <<'EOF'
#!/bin/bash
mkdir -p /home/html/.well-known/acme-challenge
/root/letsencrypt/letsencrypt-auto --renew-by-default certonly --email admin@qiquanji.com -d www.qiquanji.com --webroot -w /home/html --agree-tos
/etc/init.d/nginx reload
EOF
chmod +x /root/renew-ssl.sh
# /etc/crontab needs a user field, and "*/60" in the day-of-month column never means
# "every 60 days" (the field only runs 1-31); run on the 1st of every second month instead
echo "0 3 1 */2 * root /root/renew-ssl.sh" >> /etc/crontab
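Instead of renewing on a fixed calendar schedule, the job can check how many days the installed certificate has left and renew only when it is close to expiry, reloading nginx only after the configuration passes nginx -t. The script below is an added example, not code from the original post; it assumes the paths used above (the certificate under /etc/letsencrypt/live/, letsencrypt-auto under /root/letsencrypt, webroot /home/html) and GNU date.

```bash
#!/bin/bash
# Added example (not from the original post): expiry-driven renewal.
# Assumed paths follow the post; "date -d" is GNU date.
DOMAIN="www.qiquanji.com"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
RENEW_BEFORE_DAYS=30   # Let's Encrypt certs last 90 days; renew with a month to spare

# Days from $2 (epoch seconds, default: now) until an openssl-style notAfter
# timestamp such as "Jun 10 00:00:00 2025 GMT". Negative means already expired.
days_until_expiry() {
  local not_after="$1" now="${2:-$(date +%s)}" exp
  exp=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (exp - now) / 86400 ))
}

# Exit 0 when the certificate should be renewed, 1 when it still has enough time left.
needs_renewal() {
  local days
  days=$(days_until_expiry "$1" "$2") || return 2
  [ "$days" -le "${3:-$RENEW_BEFORE_DAYS}" ]
}

# Read the notAfter field from a PEM certificate file.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Only act when a certificate is installed; the functions above stay reusable on their own.
if [ -r "$CERT" ]; then
  if needs_renewal "$(cert_not_after "$CERT")"; then
    mkdir -p /home/html/.well-known/acme-challenge
    /root/letsencrypt/letsencrypt-auto --renew-by-default certonly \
      --email admin@qiquanji.com -d "$DOMAIN" --webroot -w /home/html --agree-tos \
      && nginx -t && /etc/init.d/nginx reload
  else
    echo "certificate for $DOMAIN still valid for more than $RENEW_BEFORE_DAYS days, nothing to do"
  fi
fi
```

With this script a daily crontab entry is enough, since the expiry check decides whether anything actually happens.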