# Let's Encrypt certificate generation and configuration
# Introduction
Let's Encrypt issues free SSL certificates. Each certificate is valid for at most 90 days, can be renewed again and again, and is easy to request. Validation is based on the ACME protocol, which proves that the requester controls the domain; the domain can be validated by FTP, WEB (HTTP) or DNS. For a manual online request see (https://www.sslforfree.com/).
Wildcard certificates can now be requested as well (http://www.infoq.com/cn/news/2018/03/lets-encrypt-wildcard-https).
Official getting-started guide (https://letsencrypt.org/getting-started/)
The steps below validate the domain over the WEB (HTTP) path, using nginx as the example. For tomcat, the generated certificate files also need a format conversion (see (https://blog.kyletang.work/2018/05/10/pem2jks/)).
# Prerequisites
- A domain, for example 9px.in
- A DNS record pointing it at an IP, for example 9px.in -> 45.32.53.16
- A web service listening on port 80 (WEB validation must use port 80), for example nginx. Note: for a domain and IP registered in mainland China, ICP filing must be completed before port 80 can be reached from outside.
```nginx
server
{
    listen 80;
    server_name 9px.in;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/9px.in;
    #include none.conf;
    #error_page 404 /404.html;
    #include enable-php.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    #location ~ /\.
    #{
    #    deny all;
    #}
    access_log off;
}
```
# Steps
- Install the Let's Encrypt client; download it from https://certbot.eff.org/
- Run the letsencrypt-auto command to issue the certificate (certbot offers more convenient per-platform instructions, for example nginx on RHEL6: https://certbot.eff.org/lets-encrypt/centosrhel6-nginx; the basic command is used here)
```bash
cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
```
The command's log looks like the following; the line beginning with Congratulations means it succeeded.
```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 9px.in
Using the webroot path /home/wwwroot/9px.in for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/9px.in/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/9px.in/privkey.pem
   Your cert will expire on 2018-08-07. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
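The "http-01 challenge" step in the log above is what `--webroot -w` does behind the scenes: certbot writes a file under the webroot that the CA then fetches over plain HTTP on port 80. The example below is added here to show that mechanism and is not certbot's or this page's code. It assumes the sample RSA account key from RFC 7638 section 3.1 and a constructed token; it computes the RFC 7638 key thumbprint, builds the key authorization (RFC 8555 section 8.1) and stages it in a throwaway webroot, rejecting tokens that could escape the acme-challenge directory.

```python
import base64
import hashlib
import json
import os
import tempfile

# Sample ACME account public key: the RSA example key from RFC 7638 section 3.1,
# embedded as constructed input (certbot generates the real account key itself).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA fetches from /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return token + "." + jwk_thumbprint(jwk)

def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the key authorization under the webroot, as certbot --webroot -w does.
    The token is restricted to the base64url alphabet so a malformed token can never
    escape the acme-challenge directory (for example via "../")."""
    if not token or not all((c.isascii() and c.isalnum()) or c in "-_" for c in token):
        raise ValueError("ACME token must be non-empty base64url")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path

def demo(token: str = "sample-token-AbC123_-") -> dict:
    """Stage a challenge in a temporary webroot and report what a CA would fetch."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    path = place_challenge(webroot, token, SAMPLE_ACCOUNT_JWK)
    with open(path, encoding="ascii") as fh:
        body = fh.read()
    relative = os.path.relpath(path, webroot).replace(os.sep, "/")
    return {"relative_path": relative, "body": body}
```

With nginx, the `root` directory in the server block is exactly the `-w` webroot, so the CA's request to http://9px.in/.well-known/acme-challenge/<token> on port 80 is answered with this file; the "Cleaning up challenges" line in the log is certbot deleting it again.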
- Edit the configuration and add the SSL settings
```nginx
server
{
    listen 8000 ssl;   # TLS on this port only; the deprecated "ssl on;" would also force TLS on port 80 and break the http-01 renewal
    listen 80;
    server_name 9px.in;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/9px.in;
    ##--SSL config-start------------------------
    ssl_certificate /etc/letsencrypt/live/9px.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/9px.in/privkey.pem;
    ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0, else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # placeholders: replace with the addresses of your DNS resolvers
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    ##--SSL config-end-------------------------
    #include none.conf;
    #error_page 404 /404.html;
    include enable-php.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    #location ~ /\.
    #{
    #    deny all;
    #}
    access_log off;
}
```
- Reload the nginx configuration
```bash
# lnmp service
lnmp nginx reload
```
- Done
# Set up a cron job to regenerate the certificate every month
- Create the script renew-certs.sh, which issues the certificate and reloads nginx
```bash
#!/bin/bash
# Re-issue the certificate via the http-01 webroot challenge, then reload nginx so it picks up the new files
set -e
cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
lnmp nginx reload
```
Add a crontab entry (crontab -e) that runs renew-certs.sh at 03:00 on the 1st of every month:
```bash
0 3 1 * * /root/renew-certs.sh > /root/renew-certs.log 2>&1
```
- Run the script once by hand to test it
```bash
/root/renew-certs.sh > /root/renew-certs.log 2>&1
```
# References
Let's Encrypt, free certificates: (https://letsencrypt.org/)
certbot, the official Let's Encrypt client: (https://certbot.eff.org/)
Recommended strong SSL configuration: (https://cipherli.st/)