lets encrypt github地址为:https://github.com/certbot/certbot
1.
git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt chmod +x letsencrypt-auto
./letsencrypt-auto certonly --email 2358269014@qq.com -d fecshop.appfront.fancyecommerce.com -d fecshop.appfront.es.fancyecommerce.com
-d参数后面对应的是域名,在执行的过程中,我遭遇了下面的报错:
Total size: 44 M Downloading Packages: Running rpm_check_debug ERROR with rpm_check_debug vs depsolve: libgdbm.so.2()(64bit) is needed by python-libs-2.6.6-66.el6_8.x86_64 ** Found 7 pre-existing rpmdb problem(s), 'yum check' output follows: 4:perl-5.10.1-141.el6_7.1.x86_64 has missing requires of libgdbm.so.2()(64bit) 4:perl-devel-5.10.1-141.el6_7.1.x86_64 has missing requires of gdbm-devel polkit-0.96-5.el6_4.x86_64 has missing requires of libeggdbus-1.so.0()(64bit) 2:postfix-2.6.6-6.el6_5.x86_64 has missing requires of libmysqlclient.so.16()(64bit) 2:postfix-2.6.6-6.el6_5.x86_64 has missing requires of libmysqlclient.so.16(libmysqlclient_16)(64bit) 2:postfix-2.6.6-6.el6_5.x86_64 has missing requires of mysql-libs python-libs-2.6.6-52.el6.x86_64 has missing requires of libgdbm.so.2()(64bit) Your transaction was saved, rerun it with: yum load-transaction /tmp/yum_save_tx-2017-04-07-22-1798AqLE.yumtx Could not install OS dependencies. Aborting bootstrap!
centos 6 需要安装 libgdbm.so.2
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/gdbm-1.8.0-39.el6.x86_64.rpm yum localinstall gdbm-1.8.0-39.el6.x86_64.rpm
完成后,重新执行上面的命令行:
./letsencrypt-auto certonly --standalone --email 2358269014@qq.com -d fecshop.appfront.fancyecommerce.com -d fecshop.appfront.es.fancyecommerce.com -d img.appfront.fancyecommerce.com -d img.apphtml5.fancyecommerce.com -d img.fancyecommerce.com
下面的安装就比较顺利了,下面是我的log
[root@iZ942k2d5ezZ certbot-master]# ./letsencrypt-auto certonly --email 2358269014@qq.com -d fecshop.appfront.fancyecommerce.com -d fecshop.appfront.es.fancyecommerce.com /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6 DeprecationWarning Saving debug log to /var/log/letsencrypt/letsencrypt.log Failed to find executable apachectl in PATH: /usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin How would you like to authenticate with the ACME CA? ------------------------------------------------------------------------------- 1: Place files in webroot directory (webroot) 2: Spin up a temporary webserver (standalone) ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Obtaining a new certificate Performing the following challenges: tls-sni-01 challenge for fecshop.appfront.fancyecommerce.com tls-sni-01 challenge for fecshop.appfront.es.fancyecommerce.com ------------------------------------------------------------------------------- Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again. ------------------------------------------------------------------------------- (R)etry/(C)ancel: R ------------------------------------------------------------------------------- Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again. ------------------------------------------------------------------------------- (R)etry/(C)ancel: R Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem. Your cert will expire on 2017-07-06. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le [root@iZ942k2d5ezZ certbot-master]# ls
在nginx中添加代码:
listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
注意上面的文件路径 ,将 fecshop.appfront.fancyecommerce.com 替换成您的文件路径。因为不同的域名生成的文件名字不同,
nginx填写完的代码如下:
server {
listen 80 ;
listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
server_name fecshop.appfront.fancyecommerce.com fecshop.appfront.es.fancyecommerce.com;
root /www/web/develop/fecshop/appfront/web;
server_tokens off;
include none.conf;
index index.php index.html index.htm;
access_log /www/web_logs/access.log wwwlogs;
error_log /www/web_logs/error.log notice;
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
location ~ /sitemap.xml
{
if ($host ~ .*appfront.es.fancyecommerce.com) {
rewrite ^/sitemap\.xml /sitemap_es.xml last;
}
}
location /fr/ {
index index.php;
if (!-e $request_filename){
rewrite . /fr/index.php last;
}
}
location /es/ {
index index.php;
if (!-e $request_filename){
rewrite . /es/index.php last;
}
}
location /cn/ {
index index.php;
if (!-e $request_filename){
rewrite . /cn/index.php last;
}
}
location /de/ {
index index.php;
if (!-e $request_filename){
rewrite . /de/index.php last;
}
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 30d;
}
location ~ .*\.(js|css)?$ {
expires 12h;
}
location /api {
rewrite /api/([a-z][0-9a-z_]+)/?$ /api.php?type=$1;
}
}
重启nginx,就可以访问https了
2自动续签
lets encrypt证书有三个月的到期时间。可以自动renew,步骤如下:
官方资料:https://certbot.eff.org/docs/using.html?highlight=renew#renewing-certificates
改写到期更新时间
vim /etc/letsencrypt/renewal/fecshop.appfront.fancyecommerce.com.conf
fecshop.appfront.fancyecommerce.com.conf是您生成的名字,这个根据您自己域名,不是我的这个名字,打开这个文件,
将第一行的注释去掉,修改为89days
renew_before_expiry = 89 days version = 0.13.0
89days代表,多少天之前算过期,证书过期时间为90天,如果我设置了89,那么第二天就需要renew了,
如果您设置了30天,那么就是2个月后需要renew,如果时间没到,renew会提示失败。
改好文件后,进入letsencrypt 文件夹,执行
./certbot-auto renew --force-renewal --pre-hook "/etc/init.d/nginx stop" --post-hook "/etc/init.d/nginx start"
`–force-renewal`: 代表强制renew
`–pre-hook`: 是nginx关闭的命令,因为renew需要关闭nginx
`–post-hook`: 是nginx开启的命令,搞完证书后,开启nginx
自动续签可以使用crontab来完成,在linux中执行 crontab -e
添加代码:(www/web_logs/letsencry.log 为日志文件,您需要新建这个文件并设置可写)
06 06 * * * /www/web/test/lets/certbot-master/certbot-auto renew --force-renewal --pre-hook "/etc/init.d/nginx stop" --post-hook "/etc/init.d/nginx start" >> /www/web_logs/letsencry.log 2>&1
下面是我的日志:
[root@iZ942k2d5ezZ certbot-master]# ./certbot-auto renew --force-renewal --pre-hook "/etc/init.d/nginx stop" --post-hook "/etc/init.d/nginx start" /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6 DeprecationWarning Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/fecshop.appfront.fancyecommerce.com.conf ------------------------------------------------------------------------------- Running pre-hook command: /etc/init.d/nginx stop Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for fecshop.appfront.fancyecommerce.com tls-sni-01 challenge for fecshop.appfront.es.fancyecommerce.com tls-sni-01 challenge for img.appfront.fancyecommerce.com tls-sni-01 challenge for img.apphtml5.fancyecommerce.com tls-sni-01 challenge for img.fancyecommerce.com Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem ------------------------------------------------------------------------------- new certificate deployed without reload, fullchain is /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem ------------------------------------------------------------------------------- Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem (success) Running post-hook command: /etc/init.d/nginx start [root@iZ942k2d5ezZ certbot-master]#
3.开启http2
可以更快的加载https,关于http2的资料为:http://www.jianshu.com/p/47d02f10757f
nginx安装的时候需要添加:
./configure --with-http_v2_module
然后在nginx的ssl配置将listen 443 ssl ;改为:
listen 443 ssl http2;
这样就开启http2了,http2可以更快的加载。
http2的资料:
http://www.infoq.com/cn/news/2015/02/https-spdy-http2-comparison/
4.强制使用https,http访问进行跳转
server {
listen 80;
server_name fecshop.appfront.fancyecommerce.com fecshop.appfront.es.fancyecommerce.com;
rewrite ^(.*)$ https://$host$1 permanent;
}
其他参考地址:https://www.v2ex.com/t/310130
另外,可以设置成http2的方式,链接为:http://www.jianshu.com/p/47d02f10757f