Let's Encrypt部署Https证书

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/u010277446/article/details/80365307

Let’s Encrypt部署Https证书

安装Certbot

1.安装certbot

apt -t jessie-backports install certbot

证书生成过程

1.配置nginx

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root     /home/workspace/www;
}

location = /.well-known/acme-challenge/ {
   return 404;
}

2.生成证书

certbot certonly -d www.example.cn

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.cn

Select the webroot for www.example.cn:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for www.example.cn: (Enter 'c' to cancel):/home/workspace/www/

3.成功

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.cn/fullchain.pem. Your cert will
   expire on 2018-02-25. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4.设置nginx配置https证书

• 侦听80端口，将所有80请求强制转到https请求

server {
        #监听端口, http强制转到https
        listen 80;
        server_name  www.example.cn;

        return 301 https://$server_name$request_uri;
}

• 配置https证书

server {
        # listen 80;
        listen 443 ssl ;
        server_name  www.example.cn;
        ssl_certificate /etc/letsencrypt/live/www.example.cn/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.example.cn/privkey.pem;
        # ....
}

证书自动更新

1.模拟证书更新

certbot renew --dry-run

2.设置定时任务

crontab -e
10 3 */15 * * certbot renew >> /var/log/nginx/certrenew.log