1.网站环境
阿里云Ubuntu 16.04 64位
Nginx:nginx/1.10.3
let's encrypt
2.安装管理证书的客户端
Let's Encrypt的客户端有几种,本文选用certbot客户端
step 1 在Ubuntu系统上,安装 Let's Encrypt的客户端Certbot
2.在Ubuntu系统上,安装 Let's Encrypt的客户端Certbot
On Ubuntu systems, the Certbot team maintains a PPA. You can add it to your list of repositories and install Certbot by running the following commands.
2.1 在Ubuntu系统上,我们要安装客户端Certbot,首先要解决的问题是执行哪些命令。
我们直接去Certbot的官方网站,打开官网:https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx
选择操作系统类型为Ubuntu,web服务器为nginx,安装命令就会出来了。
得到的命令如下:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx step 2 签发 SSL 证书
3.1 为域名生成证书
$sudo certbot --nginx -d your-domian.com -d www.iaspnetcore.com按提示输入你的邮箱地址,选择接受 Let’s Encrypt 的协议。出现下面的提示:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
选择 2,直接将你的 nginx 文件配置好并且是会将 http 跳转到 https 。
选择完毕之后,等待 SSL 生成完毕,就会有类似这样的输出:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.iaspnetcore.com/fullchain.pem. Your cert will
expire on 2017-12-29. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
结果如下:
3.2 生成的域名证书所在的目录
/etc/letsencrypt/live/www.iaspnetcore.com
cert.pem: 你不用关心 (这个实际上是服务器证书文件)
chain.pem: 你不用关心 (这个实际上是… 自己看文档吧, 我没读懂. 貌似是个递归查找用的链式证书)
fullchain.pem: cert.pem + chain.pem 的合体. 需要配置到 nginx 配置文件中的 ssl_certificate .
privkey.pem: 私钥. 需要配置到 nginx 配置文件中的 ssl_certificate_key .
step 3 自动更新证书
Let’s Encrypt 签发的 SSL 证书有效期只有 90 天,在过期之前,需要自动更新 SSL 证书,如果你使用最新的 certbot ,Let’s Encrypt 会帮你添加自动更新的脚本到 /etc/cron.d 里,你只需要去检测一下这个命令是否生效就OK!如果执行下面的命令没出现 error信息,那就是没什么问题。
sudo certbot renew --dry-run参考资源:
1.Ubuntu 16.04 配置 Let’s Encrypt 实现站点 SSL
2.
https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx
3.How to Install YOURLS on Ubuntu with Nginx and Let’s Encrypt step by step