Getting a free SSL certificate from Let's Encrypt
Let's Encrypt has entered public beta, so there is no longer any need to wait for an invitation e-mail. Requesting a certificate is quick and simple: a single command, no plugins, and the certificate can be obtained and bound to nginx or any other web server in minutes.
Preparation before validation
1. Point a domain such as lets-encrypt.xdty.org at the IP address of the machine you are working on. Use a DNS lookup to verify that the name resolves correctly; note that if you use dnspod as your DNS provider, 8.8.8.8 may fail to resolve the name.
2. Configure nginx so that port 80 serves a directory that is reachable from outside
server {
    listen 80;
    server_name lets-encrypt.xdty.org;
    charset utf-8;
    root /var/www/lets-encrypt;
    access_log /var/log/nginx/$host.access.log;
    location / {
    }
}
Open http://lets-encrypt.xdty.org and make sure the directory is served correctly.
Download the ACME client
This client is the official one developed by Let's Encrypt; it performs the domain validation and fetches the certificate.
cd letsencrypt
Validate the domain and issue the certificate
Here certonly means only obtain the certificate without modifying the web server configuration; webroot means validate the domain through the web root directory; -w gives the directory the domain is bound to and -d gives the domain. Several -d and -w parameters may be given, and multiple -d parameters produce a multi-domain certificate. --email is the address used for account recovery (any e-mail address will do), and --agree-tos accepts the terms of service.
After a short wait you will see output like the following, which means the certificate was obtained successfully:
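To make the webroot validation concrete, here is an added example (not code from the original post or from the Let's Encrypt client) that models the three roles of the ACME HTTP-01 exchange: the client writes a key-authorization file under the web root given with -w, nginx serves it on port 80, and the CA fetches it and compares it with the value predicted by the registered account key. The account keys and token below are constructed sample values; the key-authorization and thumbprint formats follow RFC 8555 and RFC 7638.

```python
"""Added example, not code from the original post or from the Let's Encrypt
client: a model of what --webroot validation (ACME HTTP-01) does, so you can
see why the nginx root on port 80 matters. All key material and tokens below
are constructed sample values."""
import base64
import hashlib
import json
import os
import tempfile
from typing import Optional

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account's public key: SHA-256 over the
    required JWK members, keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The HTTP-01 response body: token + '.' + thumbprint (RFC 8555, 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client side (what -w /var/www/lets-encrypt/ lets the client do):
    drop the key authorization under the web root so nginx will serve it."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def serve_challenge(webroot: str, request_path: str) -> Optional[bytes]:
    """Web-server side: map GET /.well-known/acme-challenge/<token> onto the
    root directory, refusing any path that escapes the challenge directory."""
    base = os.path.realpath(os.path.join(webroot, CHALLENGE_DIR))
    target = os.path.realpath(os.path.join(webroot, request_path.lstrip("/")))
    if os.path.dirname(target) != base:
        return None
    try:
        with open(target, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def ca_validates(webroot: str, token: str, jwk: dict) -> bool:
    """CA side: fetch the token over plain HTTP on port 80 and compare it with
    the value the registered account key predicts."""
    body = serve_challenge(webroot, f"/{CHALLENGE_DIR}/{token}")
    return body is not None and body.decode("utf-8").strip() == key_authorization(token, jwk)


def demo() -> dict:
    """Run the three roles against a throwaway web root."""
    account_key = {"kty": "RSA", "n": "c29tZS1zYW1wbGUtbW9kdWx1cw", "e": "AQAB"}  # constructed
    other_key = {"kty": "RSA", "n": "YW5vdGhlci1rZXk", "e": "AQAB"}                 # constructed
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"                          # constructed
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, account_key)
        return {
            "valid": ca_validates(webroot, token, account_key),
            "wrong_account_key": ca_validates(webroot, token, other_key),
            "traversal_served": serve_challenge(
                webroot, "/.well-known/acme-challenge/../../etc/passwd") is not None,
        }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the nginx configuration above: the server block listening on port 80 must serve /.well-known/acme-challenge/ from the same directory you pass with -w. If a site later proxies `location /` elsewhere or redirects all of port 80 to HTTPS, the CA's fetch no longer reaches that file and validation fails.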
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/lets-encrypt/ -d lets-encrypt.xdty.org --email webmaster@xdty.org --agree-tos
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to webmaster@xdty.org.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/lets-encrypt.xdty.org/fullchain.pem. Your
cert will expire on 2016-03-06. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Update the nginx configuration to enable HTTPS
server {
    listen 80;
    listen 443 ssl;
    listen [::]:80;
    listen [::]:443 ssl;
    server_name lets-encrypt.xdty.org;
    ssl_certificate /etc/letsencrypt/live/lets-encrypt.xdty.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lets-encrypt.xdty.org/privkey.pem;
    charset utf-8;
    root /var/www/lets-encrypt;
    access_log /var/log/nginx/$host.access.log;
    location / {
    }
}
Visit https://lets-encrypt.xdty.org and check that the browser shows the green padlock. Looking at the certificate details, you can see that it contains no personal information such as an address or e-mail.
Renewing the certificate and adding more domains
Running the same command again renews the certificate.
To add two more domains, say lets-encrypt2.xdty.org and lets-encrypt3.xdty.org,
simply pass each one with its own -d parameter to obtain a single multi-domain certificate; the "certificate subject alternative name" field in the certificate details will then list several domains. Remember that the new domains also need nginx configured to point at the directory; if the directories differ, use several -w parameters to specify them.
Update the nginx server_name directive
Reload the configuration
Issue the certificate
Output like the following indicates that the multi-domain certificate was issued successfully:
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/lets-encrypt/ -d lets-encrypt.xdty.org -d lets-encrypt2.xdty.org -d lets-encrypt3.xdty.org --email webmaster@xdty.org --agree-tos --renew-by-default
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/lets-encrypt.xdty.org/fullchain.pem. Your
cert will expire on 2016-03-06. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Visit https://lets-encrypt2.xdty.org and https://lets-encrypt3.xdty.org to check the multi-domain certificate. If you get a certificate error and still see the earlier single-domain certificate, refresh a couple of times; this is most likely the browser cache.
Look at "certificate subject alternative name" in the certificate details; it now reads:
DNS Name: lets-encrypt.xdty.org
DNS Name: lets-encrypt2.xdty.org
DNS Name: lets-encrypt3.xdty.org
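A browser reload is a weak check for the two things that matter here: that the served certificate really lists every name you passed with -d, and that it is renewed before the roughly 90-day expiry shown in the client output. The following added example (not code from the original post) performs both checks on a certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT is a constructed stand-in mirroring the three SAN entries above so the check runs offline, and fetch_cert shows the live variant.

```python
"""Added example, not code from the original post: verify that the certificate
a host actually serves lists every name passed with -d and is not close to
the 90-day expiry. The dict layout is the one ssl.SSLSocket.getpeercert()
returns; SAMPLE_CERT is a constructed stand-in so the check runs offline."""
import socket
import ssl
import time
from typing import List, Optional, Tuple

# Constructed sample mirroring the three SAN entries shown in the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "lets-encrypt.xdty.org"),),),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "notBefore": "Dec  7 00:00:00 2015 GMT",
    "notAfter": "Mar  6 00:00:00 2016 GMT",
    "subjectAltName": (
        ("DNS", "lets-encrypt.xdty.org"),
        ("DNS", "lets-encrypt2.xdty.org"),
        ("DNS", "lets-encrypt3.xdty.org"),
    ),
}


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries of subjectAltName, which is what browsers match against."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_names(cert: dict, expected: List[str]) -> List[str]:
    """Names you passed with -d that the served certificate does not cover."""
    present = {n.lower() for n in san_dns_names(cert)}
    return [n for n in expected if n.lower() not in present]


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_cert(cert: dict, expected: List[str], renew_within_days: int = 30,
               now: Optional[float] = None) -> Tuple[bool, List[str]]:
    """Return (ok, problems). Renewal is flagged well before expiry, since the
    certificates issued in the post last only about 90 days."""
    problems = [f"{name} not in subjectAltName" for name in missing_names(cert, expected)]
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append("certificate has expired")
    elif left < renew_within_days:
        problems.append(f"expires in {left:.0f} days; renew now")
    return (not problems, problems)


def fetch_cert(host: str, port: int = 443) -> dict:
    """Live variant: a fresh TLS handshake with SNI, so unlike a browser reload
    it cannot show a cached, older certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    names = ["lets-encrypt.xdty.org", "lets-encrypt2.xdty.org", "lets-encrypt3.xdty.org"]
    print(check_cert(SAMPLE_CERT, names))
```

Run check_cert(fetch_cert(host), names) for each host from a cron job and alert on problems; because fetch_cert opens a new connection each time, the stale-certificate symptom the post attributes to the browser cache cannot occur, and a name missing from subjectAltName is reported by name rather than as a generic certificate error.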
Tags: https Let's encrypt nginx ssl multi-domain certificate certificate