Official website: https://letsencrypt.org/
GitHub: https://github.com/letsencrypt
Introduction: Let's Encrypt is a public, free SSL certificate project hosted by the Linux Foundation. It has serious backing, having been founded by Mozilla, Cisco, Akamai, IdenTrust, the EFF and others, and its goal is to issue and manage free certificates for websites automatically, so that the internet moves from HTTP to HTTPS faster.
Requirements: git and Python 2.6.6 or later; set your DNS resolver to Google's 8.8.8.8 to avoid unnecessary errors.
My system is CentOS 6.7, so this article uses CentOS 6.7 as the example.
#Install git
yum -y install git-core
#Install letsencrypt and obtain the SSL certificate
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email $email -d espnlol.com -d www.espnlol.com
#If Python is not installed it is installed automatically together with its extensions; once installation finishes, certificate generation starts
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for espnlol.com
tls-sni-01 challenge for www.espnlol.com
#The certificate is generated under /etc/letsencrypt/archive/espnlol.com
#Configure nginx and restart it; open the site in a browser and the certificate is now trusted
ssl_certificate ssl/fullchain.pem;
ssl_certificate_key ssl/privkey.pem;
#Dealing with certificate expiry: the certificate expires after 90 days, so at that point it has to be renewed manually
./letsencrypt-auto certonly --renew-by-default --standalone --email $email -d espnlol.com -d www.espnlol.com
############## Wildcard certificate request ##########################
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.espnlol.com" --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for espnlol.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.dh-espnlol.com with the following value:

qwp5IiPcEumoRBsD3-Nnh0HTwscTyBofHRQxNj79x5Q

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
#Do not press Enter yet: go to your DNS provider and create the TXT record. The record must actually resolve, so to be safe query 8.8.8.8; once it is created, confirm it with dig: dig -t txt _acme-challenge.espnlol.com @8.8.8.8
#Once dig shows the record, press Enter and the wildcard request completes
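The dig check above is the step people rush; the script below is an added example (not from the original post) that polls 8.8.8.8 until the TXT record carries the exact value certbot printed, and only then reports that it is safe to press Enter. It assumes dig (bind-utils) is installed; the record name and token in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: confirm a dns-01 TXT record is visible at a public resolver
# before continuing in certbot's manual mode. Assumes dig is installed.

# txt_contains DIG_OUTPUT EXPECTED
# dig +short prints every TXT value on its own line wrapped in double quotes.
# Match the whole quoted line (-x, fixed string -F) so that a stale challenge
# value from an earlier run, or a mere prefix, cannot pass. Returns 0 if found.
txt_contains() {
    printf '%s\n' "$1" | grep -qxF "\"$2\""
}

# wait_for_txt NAME EXPECTED [ATTEMPTS]
# Poll 8.8.8.8 (the resolver the post recommends) every 10 seconds until the
# record has propagated or the attempt budget (default 30) is exhausted.
wait_for_txt() {
    name="$1"; expected="$2"; attempts="${3:-30}"; i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_contains "$(dig +short -t txt "$name" @8.8.8.8)" "$expected"; then
            echo "TXT for $name is visible at 8.8.8.8; safe to press Enter in certbot."
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    echo "TXT for $name not seen after $attempts checks; do not continue yet." >&2
    return 1
}

# Constructed sample of dig +short output: a stale challenge value left over
# from a previous issuance, plus the value certbot printed this time.
SAMPLE_DIG_OUTPUT='"old-challenge-value-from-last-time"
"qwp5IiPcEumoRBsD3-Nnh0HTwscTyBofHRQxNj79x5Q"'

# Offline self-check against the constructed sample (no network needed).
if txt_contains "$SAMPLE_DIG_OUTPUT" "qwp5IiPcEumoRBsD3-Nnh0HTwscTyBofHRQxNj79x5Q"; then
    echo "sample: new challenge value found"
fi

# Real use, after certbot prints the value and before pressing Enter
# (placeholder name and token):
# wait_for_txt _acme-challenge.example.com "<value certbot printed>"
```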
#Wildcard certificates also expire after 3 months and then need renewal; a convenient command is provided for this, and certificates with less than 30 days left are renewed automatically
./certbot-auto renew --renew-by-default --server https://acme-v02.api.letsencrypt.org/directory -d "*.espnlol.com" --manual --preferred-challenges dns-01 certonly