Using Let's Encrypt free SSL/TLS certificates with nginx
Source: https://xiequan.info/在nginx-使用lets-encrypt-免费的ssltls-证书/
Let's Encrypt is a certificate authority scheduled to launch at the end of 2015 that will provide free SSL/TLS certificates for secure websites through an automated process designed to eliminate the currently complex manual process of creating and installing certificates. [1] [2]
Let's Encrypt is a service provided by the Internet Security Research Group (ISRG, a public-benefit organization). Its major sponsors include the Electronic Frontier Foundation, the Mozilla Foundation, Akamai and Cisco. On April 9, 2015, ISRG and the Linux Foundation announced a collaboration.
The protocol used to implement this new certificate authority is called the Automatic Certificate Management Environment (ACME). A draft of the specification is on GitHub, and a version of the proposal has been published as an Internet Draft.
Let's Encrypt claims the process will be simple, automated and free.
On August 7, 2015, the service updated its launch schedule: it expected to issue its first certificate sometime in the week of September 7, 2015, then issue a small number of certificates to whitelisted domains and gradually expand issuance. If everything went according to plan, the service was expected to become generally available sometime in the week of November 16, 2015.
First, download the Let's Encrypt client
$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto
Create a template for the Let's Encrypt temporary file
The Let's Encrypt client creates a temporary file under webroot-path/.well-known/acme-challenge/ containing the token that the Let's Encrypt server fetches to validate your domain. In the examples that follow, webroot-path stands for /var/www/letsencrypt.
We use this GitHub Gist to create a template file with everything Let's Encrypt needs to issue the certificate; without a template, the same parameters can be passed on the Let's Encrypt command line instead.
1. Create the directory where Let's Encrypt stores its temporary files and set the required permissions:
$ cd /var/www
$ mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
2. Create the file /etc/letsencrypt/configs/my-domain.conf, where my-domain is the domain you want to serve over HTTPS. Copy the contents of the Gist into it, then set appropriate values for the domains, rsa-key-size, server and email fields.
# the domain we want to get the cert for;
# technically it's possible to have multiple of these lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = my-domain

# increase key size
rsa-key-size = 2048 # Or 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = my-email

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/
Let Let's Encrypt reach the temporary file
1. Configure a virtual server in Nginx
server {
    listen 80 default_server;
    server_name my-domain;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    ...
}
2. Check the configuration file, then reload Nginx
$ sudo nginx -t && sudo nginx -s reload
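A pre-flight check for the step above, added here as an example and not part of the original post: it drops a throwaway token into the challenge directory and fetches it over plain HTTP the same way the Let's Encrypt server will, so a wrong `root` directive, a missing `location` block or a blanket redirect to HTTPS shows up before a real certificate request is made. It assumes the webroot from the post (/var/www/letsencrypt), that curl is installed, and that the domain already resolves to this nginx server.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a file placed in
# WEBROOT/.well-known/acme-challenge/ is reachable at http://DOMAIN/... before
# running the Let's Encrypt client. Assumes curl is installed and the domain
# already points at this nginx instance.

# Write a random token file into the challenge directory and print the token.
# The file body is the token itself, so the caller can compare what nginx
# returns with what was written.
place_test_token() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="preflight-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token"
    echo "$token"
}

# Build the URL the ACME server would fetch for a domain and token.
challenge_url() {
    echo "http://$1/.well-known/acme-challenge/$2"
}

# Remove the token file again once the check is done.
remove_test_token() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Full check: place a token, fetch it through nginx, compare, clean up.
# Returns 0 when the returned body matches the token, 1 otherwise (for
# example a 404 from a wrong `root`, or a redirect to HTTPS).
verify_challenge_path() {
    domain="$1"; webroot="$2"
    token=$(place_test_token "$webroot")
    if body=$(curl -s -f "$(challenge_url "$domain" "$token")"); then
        rc=0
    else
        rc=$?
    fi
    remove_test_token "$webroot" "$token"
    if [ "$rc" -eq 0 ] && [ "$body" = "$token" ]; then
        echo "OK: $domain serves $webroot/.well-known/acme-challenge/"
        return 0
    fi
    echo "FAIL: could not fetch the token from $domain (curl rc=$rc);" \
         "check the nginx location block and that port 80 is reachable" >&2
    return 1
}

# Usage (run on the nginx host after the reload above):
#   verify_challenge_path my-domain /var/www/letsencrypt
```

Run the check as a user that can write to the webroot; if it fails, fix the nginx configuration and reload before moving on, since failed validations count against the Let's Encrypt rate limits while a local curl does not.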
Request the certificate
With the steps above complete, everything is ready and we can request the certificate.
$ cd /opt/letsencrypt
$ ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/my-domain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/my-domain/fullchain.pem. Your cert will expire
   on date. To obtain a new version of the certificate in the future,
   simply run Let's Encrypt again.
Load the certificate in Nginx
1. Add the following to your Nginx configuration (this assumes you already know how to configure Nginx)
server {
    listen 443 ssl default_server;
    server_name my-domain;

    ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
    ...
}
2. Reload Nginx; every time the configuration file is modified, Nginx has to be reloaded to pick up the new configuration
$ sudo nginx -t && sudo nginx -s reload
Automatically renewing Let's Encrypt certificates before they expire
Let's Encrypt certificates are only valid for 90 days; once that period is up they have to be renewed, much like a visa, and it is easy to forget. We can use cron to do this for us automatically.
1. Create a shell script
#!/bin/sh
# Run the Let's Encrypt client with the per-domain config; on success reload
# nginx so it picks up the new certificate, otherwise print the tail of the log.
cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
if [ $? -ne 0 ]
then
    ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
    # printf rather than "echo -e": /bin/sh (dash) does not support -e
    printf "The Let's Encrypt cert has not been renewed! \n \n%s\n" "$ERRORLOG"
else
    nginx -s reload
fi
exit 0
2. Create the directory /var/log/letsencrypt/
3. Run crontab -e so that the script we wrote runs every two months
# 00:00 on the 1st of January, March, May, July, September and November
# (numeric months: lists of month names are not accepted by every cron)
0 0 1 1,3,5,7,9,11 * /path/to/renew-letsencrypt.sh
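The cron line above renews on a fixed calendar date, which works but leaves no margin if a run fails. The following renewal helper, added here as an example and not the post's own script, instead reads the expiry date out of the live certificate with openssl and only calls the client when fewer than 30 days remain; run daily from cron it retries every day until renewal succeeds, and a successful run is followed by a config check and reload. It assumes GNU date (for date -d), openssl on PATH, the paths used in the post (/opt/letsencrypt and /etc/letsencrypt/live/my-domain/fullchain.pem), and that cron runs it as root.

```shell
#!/bin/sh
# Added example (not from the original post): renew only when the live
# certificate is close to expiring. Assumes GNU date, openssl, and the paths
# used in the post; intended to run daily from root's crontab.

# Print the number of whole days until the certificate in $1 expires
# (0 or negative once it has expired).
days_until_expiry() {
    enddate=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$enddate" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Decide whether a renewal is due: returns 0 (yes) when fewer than $2 days
# remain or the certificate file does not exist yet, 1 (no) otherwise.
renewal_due() {
    cert="$1"; threshold="$2"
    [ -f "$cert" ] || return 0
    [ "$(days_until_expiry "$cert")" -lt "$threshold" ]
}

# Cron entry point: renew when under 30 days remain, verify and reload nginx
# on success, print the tail of the client log on failure.
renew_if_needed() {
    cert=/etc/letsencrypt/live/my-domain/fullchain.pem
    if ! renewal_due "$cert" 30; then
        echo "Certificate still valid for $(days_until_expiry "$cert") days, nothing to do"
        return 0
    fi
    cd /opt/letsencrypt || return 1
    if ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly; then
        nginx -t && nginx -s reload
    else
        echo "The Let's Encrypt cert has not been renewed!" >&2
        tail /var/log/letsencrypt/letsencrypt.log >&2
        return 1
    fi
}

# Uncomment to use this file as the cron target, e.g. with
#   0 3 * * * /path/to/renew-letsencrypt.sh
# renew_if_needed
```

Because `renewal_due` treats a missing certificate file as "due", the same script also handles the very first issuance on a fresh host.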
Official Nginx tutorial: https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/