On CentOS 6 and 7, first run:

yum install epel-release
cd /root/
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto -n

Generate a certificate for a single domain:

./certbot-auto certonly --email jollyfon@gmail.com --agree-tos --no-eff-email --webroot -w /home/wwwroot/wanai.unetu.net -d wanai.unetu.net

On success it prints:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wanai.unetu.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wanai.unetu.net/privkey.pem
   Your cert will expire on 2019-01-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Multiple domains, one webroot, one certificate (one site whose several domain names share a single certificate):

./certbot-auto certonly --email jollyfon@gmail.com --agree-tos --no-eff-email --webroot -w /home/wwwroot/wanai.unetu.net -d wanai.unetu.net -d www.unetu.net

Multiple domains, multiple webroots, one certificate (one certificate covering several domains, issued in a single run; each -w applies to the -d names that follow it):

./certbot-auto certonly --email jollyfon@gmail.com --agree-tos --no-eff-email --webroot -w /home/wwwroot/wanai.unetu.net -d wanai.unetu.net -d www.unetu.net -w /home/wwwroot/wanaioa.unetu.net -d wanaioa.unetu.net -d unetu.net

After issuance the certificate files are located under

/etc/letsencrypt/live

There are four files:

/etc/letsencrypt/live/wanai.unetu.net/cert.pem
/etc/letsencrypt/live/wanai.unetu.net/chain.pem
/etc/letsencrypt/live/wanai.unetu.net/fullchain.pem
/etc/letsencrypt/live/wanai.unetu.net/privkey.pem

Nginx configuration

listen 443 ssl;
server_name wanai.unetu.net;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/wanai.unetu.net;
ssl_certificate /etc/letsencrypt/live/wanai.unetu.net/fullchain.pem;    # certificate generated above; just change the domain name in the path
ssl_certificate_key /etc/letsencrypt/live/wanai.unetu.net/privkey.pem;   # key generated above; just change the domain name in the path
# Apache 2.2 only, not an nginx directive: SSLCertificateChainFile /etc/letsencrypt/live/wanai.unetu.net/chain.pem  (Apache 2.2 needs the intermediate certificate configured here, otherwise browsers may not trust the chain)
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

Let's Encrypt certificates are valid for 90 days; renewal can be automated.

Open the crontab:

crontab -e

Add the rule:

0 3 */5 * * /root/certbot-auto renew --disable-hook-validation --renew-hook "/etc/init.d/nginx reload"

My example:

server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name wanai.unetu.net ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/wanai.unetu.net;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/wanai.unetu.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wanai.unetu.net/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        include rewrite/codeigniter.conf;

        location  ~ [^/]\.php(/|$)
        {
            fastcgi_pass  127.0.0.1:9001; # note this port
            fastcgi_index index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;

        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/wanai.unetu.net.log;
    }
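A pre-flight check for the --webroot commands above and for the .well-known location in the server block, as an added example that is not part of the original post. It assumes curl is installed and that each domain already resolves to this server; the paths and domain names are the ones used in this post, and the challenge directory it writes to is the one Let's Encrypt's HTTP validation fetches from.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the --webroot
# flow. For each "webroot:domain1,domain2" pair it drops a probe file under
# <webroot>/.well-known/acme-challenge/ and fetches it over plain HTTP via each
# domain, as the Let's Encrypt validator will. Assumes curl; paths are the post's.
set -u

# One -w per webroot, then one -d per domain: several names are never passed to
# a single -d, since certbot accepts repeated -d flags or a comma-separated list.
build_certbot_args() {
    args=""
    for pair in "$@"; do
        webroot=${pair%%:*}; domains=${pair#*:}
        args="$args -w $webroot"
        old_ifs=$IFS; IFS=,
        for d in $domains; do args="$args -d $d"; done
        IFS=$old_ifs
    done
    printf '%s' "${args# }"
}

# Write a probe token under the ACME challenge path and print the token name.
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$$-$(date +%s)"
    printf 'ok %s\n' "$token" > "$dir/$token" && printf '%s' "$token"
}

# Fetch the probe through every domain mapped to this webroot. A FAIL usually
# means a 'deny all' on dotfiles or an HTTP->HTTPS redirect is in the way.
check_webroot() {
    webroot=$1; domains=$2; rc=0
    token=$(write_probe "$webroot") || return 1
    old_ifs=$IFS; IFS=,
    for d in $domains; do
        body=$(curl -fsS --max-time 10 "http://$d/.well-known/acme-challenge/$token" 2>/dev/null)
        if [ "$body" = "ok $token" ]; then echo "OK   $d"; else echo "FAIL $d"; rc=1; fi
    done
    IFS=$old_ifs
    rm -f "$webroot/.well-known/acme-challenge/$token"
    return $rc
}

main() {
    ok=0
    for pair in "$@"; do check_webroot "${pair%%:*}" "${pair#*:}" || ok=1; done
    [ $ok -eq 0 ] && echo "./certbot-auto certonly --webroot $(build_certbot_args "$@")"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh preflight.sh /home/wwwroot/wanai.unetu.net:wanai.unetu.net,www.unetu.net /home/wwwroot/wanaioa.unetu.net:wanaioa.unetu.net,unetu.net`; it prints the certbot-auto command to run only when every domain served the probe.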
