Let's Encrypt's free SSL certificates have been available for a while. I tried several third-party tools, but each ran into a different problem and none of them succeeded, so in the end I simply went back to the official tool; this note uses the official tool as the example.
Download the official certificate tool (install git first if it is not installed yet):
git clone https://github.com/letsencrypt/letsencrypt.git
One annoying thing about the official tool is that it needs ports 443/80, which means the site has to be paused briefly: stop Nginx or Apache temporarily.
service nginx stop
or
service httpd stop
Enter the letsencrypt directory and run:
./letsencrypt-auto certonly --standalone -d xxx.com -d www.xxx.com -m xxx@email.com --agree-tos
Note: replace xxx.com and xxx@email.com above with your own. The e-mail address is not verified and does not have to be the one in your Whois record; it is used for recovery after you lose the certificate.
After a moment the program returns the following success message:
Requesting root privileges to run letsencrypt...
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert will
expire on 2016-07-14. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
If you lose your account credentials, you can recover through
e-mails sent to xxxx@email.com.
Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificates are stored in the /etc/letsencrypt/live/xxx.com directory; fullchain.pem is the assembled full-chain certificate and privkey.pem is the private key. Point your web server configuration at these two files:
/etc/letsencrypt/live/xxx.com/fullchain.pem
/etc/letsencrypt/live/xxx.com/privkey.pem
Finally, remember to restart Nginx or Apache, and you are done.
Note: Let's Encrypt's free SSL certificates are short-lived, valid for only 90 days. Before expiry, simply run the command again to renew for another 90 days:
./letsencrypt-auto certonly --standalone -d xxx.com -d www.xxx.com -m xxx@email.com --agree-tos
當(dāng)然嗜湃,可以加進(jìn)cron定時(shí)任務(wù)里奈应,先在/root根目錄寫個(gè)腳本,比如命名為 ressl.sh
內(nèi)容如下:
#!/bin/bash service nginx stop cd /xxxx/letsencrypt ./letsencrypt-auto certonly --standalone -d xxx.com -d www.xxx.com -m xxx@email.com --agree-tos service nginx start
Then run crontab -e
and add the following line, so the renewal runs every 60 days:
0 0 1 */2 * /root/ressl.sh > /dev/null 2>&1
Alternatively, with crontab -e (cron does not run from the letsencrypt directory, so the full path to letsencrypt-auto is needed):
0 0 1 */2 * /xxxx/letsencrypt/letsencrypt-auto renew >> /dev/null 2>&1
Note: replace xxxx above with the directory where you cloned the tool, and the domain and e-mail with your own; for example, if you cloned it under the root home directory, the directory is /root.
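As an added example (not part of the original post), a small Python check that reads the expiry date of the live certificate and decides whether renewal is due, so a cron job can renew based on the real expiry date rather than a fixed two-month schedule; it assumes the openssl command-line tool is installed and uses the post's placeholder paths.

```python
#!/usr/bin/env python3
"""Decide whether a Let's Encrypt certificate is due for renewal.

Assumes the openssl CLI is installed. The certificate path is the
post's placeholder; replace xxx.com with your own domain.
"""
import subprocess
import sys
from datetime import datetime, timezone

FULLCHAIN = "/etc/letsencrypt/live/xxx.com/fullchain.pem"
# Certificates last 90 days; renewing with 30 days left leaves time
# to notice and fix a failed renewal before the site breaks.
RENEW_WHEN_DAYS_LEFT = 30


def parse_enddate(line):
    """Parse 'notAfter=Jul 14 12:00:00 2016 GMT' (openssl x509 -enddate output)."""
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days from now until expiry (negative once already expired)."""
    return (not_after - now).days


def should_renew(days_left, threshold=RENEW_WHEN_DAYS_LEFT):
    """Renew when inside the threshold, including an already expired certificate."""
    return days_left <= threshold


def cert_enddate(path):
    """Read the notAfter field of a PEM certificate with the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True).stdout
    return parse_enddate(out)


def main(path=FULLCHAIN):
    days = days_remaining(cert_enddate(path), datetime.now(timezone.utc))
    print(f"{path}: {days} days left")
    # Exit 0 when renewal is due, so a cron line can chain the renew step:
    #   python3 check_cert.py && /xxxx/letsencrypt/letsencrypt-auto renew
    return 0 if should_renew(days) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else FULLCHAIN))
```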