Generating a free HTTPS certificate with Let's Encrypt
- Download and install certbot (Let's Encrypt)
- Generate a certificate with certbot
- Configure the HTTPS certificate in nginx
Install certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
Generate a certificate with certbot
Generate a certificate for a single domain name
./certbot-auto certonly --email [email protected] --agree-tos --webroot -w /alidata1/www/timecash22/api3 -d xxxx.zjm.cn
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.zjm.cn
Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your cert will
   expire on 2017-09-06. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
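-w: specifies the web root directory of the domain
-d: specifies the domain name
Note: the certificate has now been generated under /etc/letsencrypt/live/xxx.zjm.cn
Configure the HTTPS certificate in Nginx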
server {
    listen 443 ssl;
    ....
    ssl_certificate /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.zjm.cn/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
ssl_certificate and ssl_certificate_key point to fullchain.pem and privkey.pem respectively
ssl_dhparam is generated with the following commands
$ sudo mkdir /etc/nginx/ssl
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Generate one certificate for several domain names, i.e. several domains share a single SSL certificate
./certbot-auto certonly --email [email protected] --agree-tos --webroot -w /var/www/laozuo -d laozuo.org -d www.laozuo.org -w /var/www/laobuluo -d laobuluo.com -d www.laobuluo.com
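Renew the HTTPS certificate automatically
Because this free certificate is valid for only 90 days, it has to be renewed on a schedule; here certbot is used to renew it automatically at regular intervals
Run the renewal manually (with --dry-run, certbot only tests the renewal and does not save any certificates)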
./certbot-auto renew --dry-run
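Combine with crontab to renew the certificate automatically at regular intervals (the entry below runs at 02:30 every Monday)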
30 2 * * 1 ./certbot-auto renew >> /var/log/le-renew.log
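A cron job like the one above fails silently if renewal stops working. The following script is an added example, not part of the original post: it checks a directory laid out like /etc/letsencrypt/live/xxx.zjm.cn for remaining validity, for a privkey.pem that matches fullchain.pem, and for private-key file permissions. The function names and the 14-day threshold are assumptions; certbot by default renews once fewer than 30 days remain, so a certificate with under 14 days left means the weekly renewal has been failing.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes a Linux host (GNU/busybox stat) and a directory laid out like
# /etc/letsencrypt/live/<domain>/ containing fullchain.pem and privkey.pem.

# 0 if the leaf certificate in $1 is still valid $2 days from now.
cert_days_ok() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if private key $2 belongs to the leaf certificate in $1 (public keys equal).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if $1 (symlinks followed) grants no permissions to group or other.
key_is_private() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Run all checks on directory $1; $2 = minimum days of validity (default 14).
# Prints one line per failed check and returns the number of failures.
check_lineage() {
    dir=$1; min_days=${2:-14}; fails=0
    cert_days_ok "$dir/fullchain.pem" "$min_days" || {
        echo "FAIL: certificate missing or expiring within $min_days days"
        fails=$((fails + 1)); }
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem" || {
        echo "FAIL: privkey.pem does not match fullchain.pem"
        fails=$((fails + 1)); }
    key_is_private "$dir/privkey.pem" || {
        echo "FAIL: privkey.pem is accessible to group or other"
        fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh check_cert.sh /etc/letsencrypt/live/<domain> [min_days]
if [ "$#" -gt 0 ]; then
    check_lineage "$@"
fi
```

A non-zero exit status is the number of failed checks, so the script can be run from cron after the renew job and wired to whatever alerting the host already uses.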
Adding HTTPS to a domain name