Certbot-auto: free SSL certificates for HTTPS


1. Download the Certbot-auto client
wget https://dl.eff.org/certbot-auto   # download the client script
chmod a+x certbot-auto                 # make it executable
./certbot-auto --help                  # confirm it runs and list the available options

2. Configure nginx
server
{
    listen 80;
    server_name xxx.com www.xxx.com;
    index index.php index.html index.htm;
    root /www/wwwroot/xxx.com;

    # Location used for the ACME HTTP-01 challenge (the "webroot" method).
    # Its root must be the same directory passed to certbot-auto with -w,
    # otherwise the CA cannot fetch the token that certbot writes there.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/xxx.com/;
    }

    # Do not expose the challenge directory itself
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    access_log  /www/wwwlogs/xxx.com.log;
    error_log  /www/wwwlogs/xxx.com.error.log;
}

Reload nginx
/usr/local/nginx/sbin/nginx -s reload
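Before running certbot-auto in step 3, the following pre-flight check confirms the two things the webroot challenge depends on: that the root of the acme-challenge location in the nginx config is the directory passed to -w, and that a token file dropped into that directory lands at the path the CA will request. This is an added example, not part of the original post; the domain, webroot, token and sample config are constructed values, and fetch_token needs a real host so it is not exercised in the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# webroot (HTTP-01) challenge before calling certbot-auto certonly.
# Domain, webroot and token below are constructed sample values.

# Where certbot writes a challenge token inside the webroot given to -w.
challenge_path() {  # $1=webroot $2=token -> prints the file path
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# The URL the CA fetches for that token (always plain HTTP on port 80).
challenge_url() {  # $1=domain $2=token -> prints the URL
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Drop a test token exactly where certbot would, so the path can be fetched
# with curl before any Let's Encrypt rate-limit budget is spent.
place_test_token() {  # $1=webroot $2=token -> 0 on success
    dir="${1%/}/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s\n' "$2" > "$dir/$2"
}

# Check that the nginx acme-challenge location serves from the -w webroot:
# take the first "root" directive after the location line and compare it,
# ignoring a trailing slash, with the webroot.
nginx_root_matches() {  # $1=nginx conf file $2=webroot -> 0 if they agree
    want=${2%/}
    got=$(awk '/location .*\/\.well-known\/acme-challenge\//{inside=1}
               inside && $1=="root" {print $2; exit}' "$1")
    got=${got%;}
    got=${got%/}
    [ "$got" = "$want" ]
}

# Constructed sample of the port-80 server from step 2, parameterised on the
# challenge root so both the matching and the mismatching case can be checked.
write_sample_conf() {  # $1=output file $2=root for the challenge location
    cat > "$1" <<EOF
server {
    listen 80;
    server_name xxx.com www.xxx.com;
    root /www/wwwroot/xxx.com;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root $2;
    }
}
EOF
}

# On a real host only: fetch the token the way the CA will. -L follows the
# HTTP->HTTPS redirect added in step 4, which the CA also follows.
fetch_token() {  # $1=domain $2=token -> 0 if the served body is the token
    [ "$(curl -fsSL "$(challenge_url "$1" "$2")")" = "$2" ]
}

# Stand-alone run: a webroot under a temp dir, one config that matches it and
# one (like a config copied from another site) that does not.
preflight_demo() {  # prints ok/mismatch, returns 0 when the checks pass
    tmp=$(mktemp -d) || return 2
    write_sample_conf "$tmp/good.conf" /www/wwwroot/xxx.com/
    write_sample_conf "$tmp/bad.conf"  /home/wwwroot/other-site/
    place_test_token "$tmp/webroot" sampletoken123 || return 2
    if nginx_root_matches "$tmp/good.conf" /www/wwwroot/xxx.com &&
       ! nginx_root_matches "$tmp/bad.conf" /www/wwwroot/xxx.com &&
       [ -f "$(challenge_path "$tmp/webroot" sampletoken123)" ]; then
        echo ok
    else
        echo mismatch
        return 1
    fi
}

preflight_demo
```

On a live server, run place_test_token against the real webroot and then fetch_token against the real domain; if curl does not return the token, the CA will not either, and the certonly command in step 3 will fail its challenge.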

3. Generate the SSL certificate
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /www/wwwroot/xxx.com -d www.xxx.com
./certbot-auto certonly --email [your email] --agree-tos --no-eff-email --webroot -w [webroot directory] -d [domain]

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxx.com/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


4. Complete the nginx configuration
server
{
    listen 80;
    server_name xxx.com www.xxx.com;
    # The CA follows this redirect, so renewal tokens are served from the root
    # of the 443 server below; keep that root equal to the -w webroot.
    return 301 https://www.xxx.com$request_uri;
}
server
{
    listen 443 ssl http2;
    server_name xxx.com www.xxx.com;
    index index.php index.html index.htm;
    root /www/wwwroot/xxx.com;

    ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.xxx.com/chain.pem;

    # Block direct access to dotfiles and repository metadata
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # Images: cache for 30 days, no logging
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
        error_log off;
        access_log /dev/null;
    }

    # Scripts and stylesheets: cache for 12 hours, no logging
    location ~ .*\.(js|css)$
    {
        expires      12h;
        error_log off;
        access_log /dev/null;
    }
    access_log  /www/wwwlogs/xxx.com.log;
    error_log  /www/wwwlogs/xxx.com.error.log;
}

5. Certificate renewal
1) Show the certificates and their expiry dates
./certbot-auto certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
    Certificate Name: www.xxx.com
    Domains: www.xxx.com
    Expiry Date: 2019-08-14 06:33:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.xxx.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.xxx.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

openssl x509 -noout -dates -in /etc/letsencrypt/live/www.xxx.com/cert.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notBefore=May 16 06:33:04 2019 GMT
notAfter=Aug 14 06:33:04 2019 GMT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2) Renew
# Rehearse the renewal against the staging environment; no real certificate is issued
./certbot-auto renew --dry-run

# Renew every certificate within 30 days of expiry, silent on success
# (same command when certbot is installed as a package rather than as certbot-auto)
certbot renew --quiet

# Same renewal with verbose output
./certbot-auto renew -v

# Quiet renewal that also stops certbot-auto from upgrading itself first
./certbot-auto renew --quiet --no-self-upgrade

# Automate the renewal with cron. The /usr/bin path assumes the downloaded
# script was moved there. Running only every two months leaves no retry window
# if a run fails; renew is a no-op until a certificate is due, so a more
# frequent schedule costs nothing. renew does not reload nginx on its own; add
# --deploy-hook "/usr/local/nginx/sbin/nginx -s reload" so the renewed
# certificate is actually served.
crontab -e
0 4 1 */2 *  /usr/bin/certbot-auto  renew --quiet    # 04:00 on the 1st day of every second month
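The expiry check from openssl x509 -noout -dates can be turned into a monitor that fires when a certificate slips past certbot's 30-day renewal window, which is what catches a cron job that has been failing silently. The script below is an added example, not from the original post: days_until_expiry parses the notAfter= line shown above in plain sh arithmetic (no GNU date -d), needs_renewal applies the threshold, and check_cert_file runs the same logic against a real certificate file such as the cert.pem path above. The dates used in the stand-alone run are the ones printed in the post.

```shell
#!/bin/sh
# Added example (not from the original post): turn the notAfter= line printed
# by "openssl x509 -noout -dates" into a days-to-expiry number and a
# renew/no-renew decision, in plain sh arithmetic so it needs no GNU date.
# Sample dates below are the ones printed in the post.

# Days since 1970-01-01 for a Gregorian date (Howard Hinnant's days_from_civil).
days_from_civil() {  # $1=year $2=month $3=day -> prints the day count
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Month abbreviation as printed by openssl -> month number.
month_num() {  # $1=Jan..Dec -> prints 1..12, returns 1 on anything else
    case "$1" in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# Whole days from "today" to the certificate's notAfter (negative once expired).
days_until_expiry() {  # $1="notAfter=Aug 14 06:33:04 2019 GMT" $2=today YYYY-MM-DD
    today=$2
    set -- ${1#notAfter=}              # -> Aug 14 06:33:04 2019 GMT
    mon=$(month_num "$1") || return 2
    day=$2 year=$4
    ty=${today%%-*} rest=${today#*-}
    tm=${rest%%-*} td=${rest#*-}
    tm=${tm#0} td=${td#0}              # drop leading zeros (avoid octal)
    echo $(( $(days_from_civil "$year" "$mon" "$day") - $(days_from_civil "$ty" "$tm" "$td") ))
}

# certbot renews when fewer than 30 days remain; with the same threshold this
# check firing means the scheduled renewal has not happened.
needs_renewal() {  # $1=notAfter line $2=today $3=threshold days -> 0 if due
    days=$(days_until_expiry "$1" "$2") || return 2
    [ "$days" -lt "$3" ]
}

# Real host: read the end date from a certificate file such as
# /etc/letsencrypt/live/www.xxx.com/cert.pem and report. Not run here.
check_cert_file() {  # $1=cert.pem $2=threshold (default 30) -> 0 when renewal is due
    line=$(openssl x509 -noout -enddate -in "$1") || return 2
    now=$(date -u +%Y-%m-%d)
    left=$(days_until_expiry "$line" "$now") || return 2
    if [ "$left" -lt "${2:-30}" ]; then
        echo "RENEW: $1 expires in $left days"
    else
        echo "OK: $1 expires in $left days"
        return 1
    fi
}

# Stand-alone run on the post's dates: 90 days on the day of issue, 25 in late July.
days_until_expiry 'notAfter=Aug 14 06:33:04 2019 GMT' 2019-05-16
days_until_expiry 'notAfter=Aug 14 06:33:04 2019 GMT' 2019-07-20
```

Wire check_cert_file into a daily cron entry or a monitoring probe with a threshold a little below 30; an alert then means the renewal cron above did not run or did not succeed, which is the failure that otherwise goes unnoticed until visitors see an expired-certificate warning.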