Using certbot to install a free (Let's Encrypt) TLS certificate

First, install certbot


Ubuntu:
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Note: the ppa:certbot/certbot archive is no longer maintained; the certbot project now distributes the client as a snap (sudo snap install --classic certbot), so on a current Ubuntu prefer that over the PPA.


=======================================================================
CentOS 6/7: first run: yum install epel-release


cd /root/
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod a+x ./certbot-auto
./certbot-auto -n
./certbot-auto -n installs certbot's dependencies. Note: it requires Python 2.7 or newer.

Two cautions. Do not keep --no-check-certificate: it turns off TLS verification for a script you are about to run as root, so anyone on the network path could hand you a substitute. If wget rejects the dl.eff.org certificate, repair the CA bundle (yum install ca-certificates), download again without the flag, and verify the file against the detached signature EFF publishes (certbot-auto.asc) before running it. Second, certbot-auto itself has been deprecated and no longer receives updates; on CentOS 7 the packaged client is available from EPEL (yum install certbot python2-certbot-nginx), and every command below works the same with "certbot" in place of "./certbot-auto".


Note: some users in mainland China report that the installer hangs at "Installing Python packages..." because the default pip index is overseas and slow. You can point pip at a domestic mirror:
mkdir ~/.pip
cat > ~/.pip/pip.conf << EOF
[global]
index-url = https://pypi.doubanio.com/simple/


[install]
trusted-host = pypi.doubanio.com
EOF

Caveat: trusted-host tells pip to accept that host even if it presents no valid HTTPS certificate. The mirror above is served over https, so the line is only needed if its certificate fails to validate; leaving it in silently disables verification for every package fetched from that host.






Second, obtain a certificate

2.1 A single domain:

Ubuntu: certbot certonly --webroot -w /var/www/ssl -d alory19x.com -d www.alory19x.com --agree-tos --email [email protected]


CentOS: /root/certbot-auto certonly --webroot -w /usr/local/nginx/web/ssl -d alory19x.com -d www.alory19x.com --agree-tos --email [email protected]


Parameters:
* certonly: only obtain the certificate; do not touch the web server configuration
* --webroot: use the webroot plugin, which writes the ACME challenge file under <webroot>/.well-known/acme-challenge/ and lets the already running web server serve it
* -w: used together with --webroot; the document root of the site (the directory the web server serves for that domain)
* -d: a domain name to include in the certificate (repeat for each name)
* --agree-tos: agree to the ACME subscriber agreement (if omitted, certbot asks interactively)
* --email: mailbox for expiry and account notices (if omitted, certbot asks interactively)




2.2 Multiple domains


If there are several sites, keep appending groups of -w /var/www/example -d example.com: one -w per document root, followed by the -d names served from that root. All the names end up in a single certificate.


Example: certbot certonly --webroot -w /var/www/ssl -d www.alory19x.com -d alory19x.com -w /var/www/ssly -d www.alory19y.com -d alory19y.com
 
 
2.3 Note:


The default LNMP virtual host denies access to files and directories whose names begin with a dot, so http://alory19x.com/.well-known/acme-challenge/**** returns 403 and the challenge fails. In the corresponding virtual host configuration file, find
location ~ /\.
{
    deny all;
}
and either delete or comment it out, or place this block in front of it:
location ~ /.well-known
{
    allow all;
}
nginx tries regular-expression locations in the order they appear and takes the first match, so the .well-known block only has an effect if it comes before the /\. block. A tighter alternative is "location ^~ /.well-known/acme-challenge/": a ^~ prefix match stops regex processing altogether, and it opens only the ACME path rather than everything under .well-known.


2.4 Obtaining a certificate when the domain's document root is not on this machine (for example, the site is reverse-proxied to a backend)


2.4.1 Point certbot's verification path at a local directory; here /opt/ssl is used as the example:


location ~ /.well-known
{
    root /opt/ssl;               ### serve the ACME challenge path from /opt/ssl on this machine
    allow all;
}
Then hand that directory to certbot with -w /opt/ssl. nginx appends the request URI to root, so a request for /.well-known/acme-challenge/<token> is served from /opt/ssl/.well-known/acme-challenge/<token>, which is exactly where certbot writes the file. Keep root and allow all in one block: with two separate "location ~ /.well-known" blocks, only the first matching regex location is ever used and the second is dead configuration.
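Before running certbot against a webroot, it is worth checking that the challenge path is actually reachable, because the 403 from 2.3 or a wrong root in 2.4.1 otherwise only shows up as a failed authorization. The following check is an added example and not part of the original post. It plants a throw-away token where certbot would, fetches it over HTTP and compares. It assumes curl is installed; the fetch command is a parameter so the check can also be exercised against a stub server, and the webroot and domain names are the ones used in this post.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight the HTTP-01 webroot
# path before calling certbot, so a "location ~ /\." deny block or a wrong root
# is reported here with a hint instead of as a failed ACME authorization.
#
# acme_preflight WEBROOT DOMAIN [FETCH_CMD]
#   WEBROOT    the directory you will pass to certbot -w (e.g. /var/www/ssl, /opt/ssl)
#   DOMAIN     the host you will pass to -d
#   FETCH_CMD  command that prints the response body for the URL given as its
#              argument; defaults to "curl -fsS" (assumption: curl is installed).
#              It is a parameter so the check can be run against a stub server.
# Exit status: 0 token round-tripped, 1 body mismatch (an error page or another
# site's file was served with HTTP 200), 2 the fetch failed (403/404/refused).
acme_preflight() {
  webroot=$1
  domain=$2
  fetch=${3:-"curl -fsS"}
  dir="$webroot/.well-known/acme-challenge"
  # certbot writes its challenge file under exactly this path, so the token we
  # plant here is served (or blocked) the same way certbot's will be.
  token="preflight-$$-$(date +%s)"
  mkdir -p "$dir" || return 2
  printf '%s' "$token" > "$dir/$token" || return 2
  url="http://$domain/.well-known/acme-challenge/$token"
  body=$($fetch "$url" 2>/dev/null)
  status=$?
  rm -f "$dir/$token"          # never leave test tokens lying in the webroot
  if [ "$status" -ne 0 ]; then
    printf '%s\n' "FAIL: $url not reachable (fetch exit $status)." >&2
    printf '%s\n' "      On LNMP look for the 'deny all' location that matches dotfiles" >&2
    printf '%s\n' "      and make sure the .well-known location appears before it." >&2
    return 2
  fi
  if [ "$body" != "$token" ]; then
    printf '%s\n' "FAIL: $url served unexpected content; nginx may be using a" >&2
    printf '%s\n' "      different root than $webroot for that path." >&2
    return 1
  fi
  printf '%s\n' "OK: $domain serves $webroot/.well-known/acme-challenge/ correctly"
  return 0
}

# Typical use (assumed paths), as the user that will run certbot:
#   acme_preflight /var/www/ssl alory19x.com && \
#     certbot certonly --webroot -w /var/www/ssl -d alory19x.com -d www.alory19x.com
```

Run it once per -w/-d pair before the real certbot invocation; a return code of 2 almost always means the deny-dotfiles location, a return code of 1 means the request reached a different root than the one you are about to pass with -w.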


2.4.2 Using --standalone
   Sometimes a service has no document root at all, for example a set of microservices, and --webroot is a dead end. certbot has another mode, --standalone, which needs no web root: it starts its own temporary web server to prove control of the domain. When this was written that meant binding port 443 (the TLS-SNI-01 challenge); that challenge type has since been withdrawn by Let's Encrypt, and current certbot standalone answers HTTP-01 on port 80. Either way, whatever service already listens on that port (e.g. nginx) has to be stopped first and started again once the certificate has been issued.


Example: ./certbot-auto certonly --standalone -d alory19x.com -d www.alory19x.com --agree-tos --email [email protected]



Third, configure nginx


After the certificate is issued, certbot prints "Congratulations" and tells you the files are under /etc/letsencrypt/live/<domain>/. Reference them in nginx:


server
{
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/alory19x.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/alory19x.com/privkey.pem;
    # change the certificate paths to your own domain's directory

    root /home/guest/test;
    server_name alory19x.com;
    index index.html index.htm;
}
server
{
    listen 80;
    server_name alory19x.com;
    return 301 https://$host$request_uri;
}

Notes on this block: the "ssl on;" directive that older examples add is unnecessary once listen carries the ssl parameter and was removed from nginx in 1.25, so it is left out. Use fullchain.pem rather than cert.pem so clients receive the intermediate certificate. The files under live/ are symlinks into archive/, so after a renewal a plain nginx reload picks up the new certificate without editing this configuration. Because the paths, names and key material are now exposed to the world, also set ssl_protocols TLSv1.2 TLSv1.3; so the server does not accept TLS 1.0 or 1.1 by default.


======================= Note: all of the above takes place on a single server, i.e. the machine running the commands is the one the domain name resolves to; it is not a setup where the commands run on one host and the domain points at another. =======================




Fourth, certificate renewal


Ubuntu: certbot renew        A Let's Encrypt certificate is valid for only 90 days; this command renews every certificate that is due.
CentOS: /root/certbot-auto renew        Same as above.


When the domain is behind a reverse proxy, renewal can fail: my certificate was obtained in --standalone mode, so domain validation needs to bind the port certbot's temporary server listens on, and the error means that port is already in use. I had to stop nginx for the renewal to succeed.


A certificate expires after 90 days, so it only needs to be renewed before then; this can be handed to a scheduled task, and on Linux cron does the job.
The following entry runs at 03:35 on every day of every second month (the */2 sits in the month field, so this is not "once every two months"). Since certbot renew does nothing until a certificate has fewer than 30 days left, running it daily, "35 3 * * *", is the usual choice and costs nothing.


35 3 * */2 * /root/certbot-auto renew --pre-hook "/usr/local/nginx/sbin/nginx -s stop" --post-hook "/usr/local/nginx/sbin/nginx"


35 3 * */2 * /root/certbot-auto renew --force-renewal --pre-hook "/usr/local/nginx/sbin/nginx -s stop" --post-hook "/usr/local/nginx/sbin/nginx"    This variant renews the certificate unconditionally. Do not leave --force-renewal in a cron job: every run issues a fresh certificate and Let's Encrypt rate-limits duplicate certificates (5 per week); use it by hand, once, when you genuinely need a new certificate now.

Parameter explanation:
--pre-hook: a command to run before renewal is attempted; because my certificate was obtained in --standalone mode, nginx has to be stopped first to free the port. certbot only runs the pre-hook when a certificate is actually due, so nginx is not stopped on the runs where nothing expires.
--post-hook: a command to run after the renewal attempt; here it starts nginx again. If the certificate is obtained with --webroot instead, no port needs freeing, nginx can stay up, and --deploy-hook "/usr/local/nginx/sbin/nginx -s reload" is the better fit, since it runs only when a certificate was actually renewed.
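Because a renewal can keep failing quietly (the port conflict above is one way), it pays to check the certificates on disk independently of certbot's own log. The script below is an added example and not part of the original post. It reads notAfter from each lineage under the live directory, warns when a certificate is inside the renewal window and exits non-zero so cron mails the output. It assumes openssl and GNU date are installed and that certbot uses its default /etc/letsencrypt/live/<domain>/ layout; the cron lines in the trailing comment reuse the nginx path from this post.

```sh
#!/bin/sh
# Added example (not from the original post): an expiry check to run from cron
# next to "certbot renew", so a renewal that keeps failing is noticed well
# before the 90 days run out. Assumes openssl and GNU date; the default live
# directory is /etc/letsencrypt/live/<domain>/.

# cert_days_left CERT_PEM -> prints the number of whole days until notAfter
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 2
  end_epoch=$(date -u -d "$end" +%s) || return 2
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# cert_needs_renewal CERT_PEM [DAYS] -> 0 if the certificate expires within DAYS
# (default 30, the window in which "certbot renew" acts), 1 otherwise.
# openssl's -checkend takes seconds and does the date arithmetic itself.
cert_needs_renewal() {
  days=${2:-30}
  if openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null; then
    return 1     # "Certificate will not expire" inside the window
  else
    return 0
  fi
}

# check_live_certs [LIVE_DIR] [DAYS] -> reports every lineage; warns on stderr
# and returns 1 if any certificate is inside the window, 0 if all are fine.
check_live_certs() {
  live=${1:-/etc/letsencrypt/live}
  days=${2:-30}
  rc=0
  for pem in "$live"/*/cert.pem; do
    [ -f "$pem" ] || continue
    name=$(basename "$(dirname "$pem")")
    left=$(cert_days_left "$pem")
    if cert_needs_renewal "$pem" "$days"; then
      printf '%s\n' "WARNING: $name expires in $left days; check the output of certbot renew" >&2
      rc=1
    else
      printf '%s\n' "ok: $name, $left days left"
    fi
  done
  return $rc
}

# Suggested cron (assumed paths). Run renew daily rather than every other
# month: certbot only renews when fewer than 30 days remain, so the daily run is
# a cheap no-op until then. The check uses a tighter window (20 days) so it only
# fires if several daily renew attempts have already gone wrong.
#   35 3 * * * /root/certbot-auto renew --quiet --pre-hook "/usr/local/nginx/sbin/nginx -s stop" --post-hook "/usr/local/nginx/sbin/nginx"
#   45 3 * * * /root/check-certs.sh      # this file, ending with: check_live_certs /etc/letsencrypt/live 20
```

The threshold passed to check_live_certs should sit below certbot's 30-day window: a certificate with 25 days left is normal the day after a missed renewal, one with 20 days left means the daily job has been failing for over a week.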

Source: blog.csdn.net/qq_35751770/article/details/78018613