This guide assumes you already have a domain name that can be reached
Environment: Ubuntu 16.04
Certificate authority: Let's Encrypt - an organization founded by the EFF (Electronic Frontier Foundation), the Mozilla Foundation, and the University of Michigan
Script tool: Certbot - a certificate management tool built specifically for Let's Encrypt
Server: Nginx
Domain/DNS provider: Tencent Cloud
Getting started
Install nginx
sudo apt-get update
sudo apt-get install nginx
Configure Nginx
## /etc/nginx/conf.d/next.conf
server {
    listen 80;
    server_name kuwanfront.cn;
}
Install the Certbot script tool
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y python-certbot-nginx
Obtain a certificate with Certbot
## kuwanfront.cn is my domain; everyone is welcome to visit it
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --installer nginx -d *.kuwanfront.cn -d kuwanfront.cn
Keep pressing Enter until the following message appears; **Waiting for verification…** means Certbot is waiting for validation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
// _acme-challenge.kuwanfront.cn is the host record (the record name)
_acme-challenge.kuwanfront.cn with the following value:
*****mMQ79RnTbZ_AcflHDgZsIO_3IhGfC****** // this is the token value issued to you; copy it carefully
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Go to the DNS management page at Tencent Cloud (other providers are much the same) and add a new record: host record _acme-challenge, record type TXT, record value the token we obtained above
Once that's done, pick up your cup, make a leisurely coffee and look at the plants around you (it generally takes about 10 minutes for a DNS record to take effect)
Next, go back to the server and press Enter to start verification; if the following appears, your DNS record has resolved correctly
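Rather than guessing when the record has propagated, you can poll for it before pressing Enter. The script below is an added example, not part of the original post; it assumes `dig` is installed (package dnsutils on Ubuntu) and that the token printed by Certbot is passed as the first argument, with the domain and resolver as placeholders you can override.

```shell
#!/bin/sh
# Added example (not from the original post): poll DNS for the
# _acme-challenge TXT record and only report success once the value
# certbot printed is visible, instead of guessing when the ~10 minutes are up.
# Assumes `dig` is installed (package dnsutils on Ubuntu 16.04).

DOMAIN="kuwanfront.cn"              # domain from the post
RESOLVER="${RESOLVER:-8.8.8.8}"     # assumed public resolver; override via env

# txt_matches RAW_DIG_OUTPUT EXPECTED
# `dig +short TXT` prints each record on its own line, wrapped in double
# quotes. A name can carry several TXT records (an old challenge, SPF...),
# so strip the quotes and accept a whole-line, fixed-string match on any line.
txt_matches() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# wait_for_txt NAME EXPECTED [MAX_TRIES] [DELAY_SECONDS]
# Queries the resolver repeatedly; returns 0 as soon as the record matches,
# 1 after MAX_TRIES attempts (default 60 x 10 s = 10 minutes).
wait_for_txt() {
    name=$1; expected=$2; tries=${3:-60}; delay=${4:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(dig +short TXT "$name" "@$RESOLVER" 2>/dev/null)
        if txt_matches "$out" "$expected"; then
            echo "TXT record for $name is live, safe to press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$tries: record not visible yet, sleeping ${delay}s"
        sleep "$delay"
    done
    echo "gave up: $name never showed the expected value" >&2
    return 1
}

# Usage: sh check_acme_txt.sh <token printed by certbot>
# Only polls when a token is given, so the functions can be sourced elsewhere.
if [ "$#" -ge 1 ]; then
    wait_for_txt "_acme-challenge.$DOMAIN" "$1"
fi
```

Because the certificate is issued with --manual, `certbot renew` cannot repeat the DNS step on its own, so the same check is useful when you re-run the interactive command before the three-month expiry.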
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/default
Addresses: 80 default_server, [::]:80 default_server
Names: _
HTTPS: No
2: File: /etc/nginx/conf.d/next.conf
Addresses: 80
Names: www.kuwanfront.cn, kuwanfront.cn
HTTPS: No
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you have multiple domains, you can enter the numbers here to configure the corresponding ones; I don't need to, so I just type c and press Enter to continue
Next, it asks whether you want HTTP traffic redirected to HTTPS; either is fine, just type c and press Enter to continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
If the following appears, your configuration is complete
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/kuwanfront.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/kuwanfront.cn/privkey.pem
Your cert will expire on 2020-07-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Now open /etc/nginx/conf.d/next.conf and you'll find that Certbot has automatically modified your configuration as follows
server {
    listen 80;
    server_name www.kuwanfront.cn kuwanfront.cn;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/kuwanfront.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kuwanfront.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Check that the configuration is valid
nginx -t
Reload the nginx service
nginx -s reload
The HTTPS certificate expires after three months
# Manual renewal
certbot renew -v
# Automatic renewal
certbot renew --quiet --no-self-upgrade