最近项目上线,需要用到https,在网上找到了可以白嫖的证书,记录一下使用过程
Let’s Encrypt一个非盈利性的证书颁发机构,并且已经被大多数浏览器所信任,而我们可以使用Certbot(一个免费的开源软件工具),用于在手动管理的网站上自动使用Let’s Encrypt证书来启用HTTPS。
前提条件
要有一台服务器(nginx)和一个已经备案好的证书
安装Certbot
所有的证书相关的操作,都可以通过 Certbot 软件实现,直接下载就可以使用
# 下载 Certbot 客户端
wget https://dl.eff.org/certbot-auto
# 设为可执行权限
chmod a+x certbot-auto
# 查看帮助
./certbot-auto --help all
申请证书
./certbot-auto certonly -d “*.域名” --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
进入交互模式
[root@localhost ~]# ./certbot-auto certonly -d "*.域名" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for 域名
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
注意:此计算机的IP将被公开记录为已请求此操作证书。如果您在一台没有运行certbot的机器上以手动模式运行certbot
你的服务器,请确保你没问题。
你能接受你的IP被记录吗?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes(输入yes )
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
注意 这个地方一定要先在域名解析的地方加上一条TXT解析后,在按enter
Please deploy a DNS TXT record under the name
_acme-challenge(这个是主机记录).域名 with the following value:
ur_8Rd55kGtmgMG8Qm-7BFRGePFBvsXaTYac_imEeaQ(这一行是记录值)
Before continuing, verify the record is deployed.
在配置好后,再在终端处按回车键
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/域名-0001/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/域名-0001/privkey.pemYour cert will expire on 2021-01-22. To obtain a new or tweakedversion of this certificate in the future, simply run certbot-autoagain. To non-interactively renew *all* of your certificates, run"certbot-auto renew"- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate在执行完成后,我们就能看到生成好的证书了,接下来就该配置nginx了
可以使用certificates检测证书状态
[root@localhost ~]# ./certbot-auto certificates
Found the following certs:Certificate Name: yxonline.art-0001Serial Number: 4af57dfc042762fbde35acdcb4490c50d30Domains: *.域名Expiry Date: 2021-01-22 04:49:59+00:00 (VALID: 84 days)Certificate Path: /etc/letsencrypt/live/域名-0001/fullchain.pemPrivate Key Path: /etc/letsencrypt/live/域名-0001/privkey.pem
配置nginx
在nginx配置文件中,配置443 ssl
将证书位置指向刚生成的证书位置上
ssl_certificate /etc/letsencrypt/live/域名-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/域名-0001/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/域名-0001/chain.pem;
在检查nginx配置文件,并重新加载nginx就可以了
在网页中打开相应的域名就可以看到证书信息了
为了安全,免费证书的有效时间是三个月,不过可以通过 ./certbot-auto renew 命令可以续签
将该命令放入计划任务中
在每天凌晨3点运行。该命令将检查服务器上的证书是否将在未来30天内过期,如果是,则进行更新。–quiet 指令告诉 certbot 不要生成输出。
0 3 * * * /root/certbot-auto renew --quiet
以上免费的通配符域名就生成成功啦