Enabling HTTPS with a free SSL certificate from certbot-auto
1. Download the certbot-auto client
wget https://dl.eff.org/certbot-auto   # download the certbot-auto client
chmod a+x certbot-auto                 # make it executable
./certbot-auto --help                  # show the help text
2. nginx configuration
server
{
    listen 80;
    server_name xxx.com www.xxx.com;
    index index.php index.html index.htm;
    root /www/wwwroot/xxx.com;
    # SSL certificate validation: serve the ACME challenge files that certbot writes under the webroot.
    # This root must be the same directory that is passed to certbot-auto with -w.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/xxx.com;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    access_log /www/wwwlogs/xxx.com.log;
    error_log /www/wwwlogs/xxx.com.error.log;
}
Reload the nginx server
/usr/local/nginx/sbin/nginx -s reload
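3. Generate the SSL certificate
# Example (you@example.com is a placeholder address):
./certbot-auto certonly --email you@example.com --agree-tos --no-eff-email --webroot -w /www/wwwroot/xxx.com -d www.xxx.com
# General form:
./certbot-auto certonly --email [email address] --agree-tos --no-eff-email --webroot -w [site root directory] -d [domain name]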
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.xxx.com/fullchain.pem # certificate plus intermediate chain
Your key file has been saved at:
/etc/letsencrypt/live/www.xxx.com/privkey.pem # private key
Your cert will expire on 2019-08-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4. Continue configuring nginx
# Redirect all HTTP requests to HTTPS
server {
    listen 80;
    server_name xxx.com www.xxx.com;
    return 301 https://www.xxx.com$request_uri;
}
server
{
    listen 443 ssl http2;
    # The certificate requested above covers www.xxx.com only; pass an additional
    # -d xxx.com when requesting it if xxx.com must also be served over HTTPS.
    server_name xxx.com www.xxx.com;
    index index.php index.html index.htm;
    root /www/wwwroot/xxx.com;
    # Certificate files generated by certbot-auto
    ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.xxx.com/chain.pem;
    # Deny access to sensitive files and directories
    location ~ ^/(\.user\.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README\.md)
    {
        return 404;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
        # "error_log off" would write to a file named "off"; discard to /dev/null instead
        error_log /dev/null;
        access_log off;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
        error_log /dev/null;
        access_log off;
    }
    access_log /www/wwwlogs/xxx.com.log;
    error_log /www/wwwlogs/xxx.com.error.log;
}
5. Certificate renewal
5.1 View the certificate's validity period and expiry date
./certbot-auto certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: www.xxx.com
Domains: www.xxx.com
Expiry Date: 2019-08-14 06:33:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.xxx.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.xxx.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
openssl x509 -noout -dates -in /etc/letsencrypt/live/www.xxx.com/cert.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notBefore=May 16 06:33:04 2019 GMT
notAfter=Aug 14 06:33:04 2019 GMT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
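5.2 Renewal
# Test renewal without changing any certificates
./certbot-auto renew --dry-run
# Renew silently, printing only errors (command name when Certbot is installed as the certbot package)
certbot renew --quiet
# Renew with verbose output
./certbot-auto renew -v
# Renew silently without upgrading certbot-auto itself
./certbot-auto renew --quiet --no-self-upgrade
# Schedule automatic renewal with cron (assumes certbot-auto has been placed in /usr/bin)
crontab -e
# Run every day at 04:00. renew only replaces certificates with fewer than 30 days left,
# so a job that runs on the 1st of every second month (0 4 1 */2 *) can miss that window.
0 4 * * * /usr/bin/certbot-auto renew --quiet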
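certbot renew only replaces a certificate that has fewer than 30 days left, and Let's Encrypt certificates last 90 days, so a cron job that fires only on the 1st of every second month (0 4 1 */2 *) can skip the renewal window and let the certificate expire. The simulation below is an added example, not part of the original article; it replays that schedule and a daily one against the notBefore date shown in the openssl output above, and assumes each renewed certificate is valid for 90 days from the run that issued it.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(days=90)      # Let's Encrypt certificate lifetime
RENEW_WINDOW = timedelta(days=30)  # certbot renew acts only when less than this remains

def cron_runs(start, end, bimonthly):
    """04:00 run times between start and end. bimonthly=True models `0 4 1 */2 *`
    (1st of months 1,3,5,7,9,11); bimonthly=False models `0 4 * * *` (every day)."""
    run = start.replace(hour=4, minute=0, second=0, microsecond=0)
    runs = []
    while run <= end:
        if run >= start and (not bimonthly or (run.day == 1 and run.month % 2 == 1)):
            runs.append(run)
        run += timedelta(days=1)
    return runs

def simulate(issued, runs):
    """Replay `certbot renew` at each run time.
    Returns (expired_at, renewed_at) pairs: periods served with an expired certificate."""
    expiry, outages = issued + LIFETIME, []
    for now in runs:
        if expiry - now >= RENEW_WINDOW:
            continue                       # not yet due: certbot leaves the cert alone
        if now > expiry:
            outages.append((expiry, now))  # renewal happened only after expiry
        expiry = now + LIFETIME            # assumption: new cert lasts 90 days from this run
    return outages

def lapsing_issue_days(year):
    """How many issue dates in `year` expire before the bimonthly job renews them."""
    count = 0
    for offset in range(365):
        issued = datetime(year, 1, 1, 6, 33, 4) + timedelta(days=offset)
        horizon = issued + LIFETIME + timedelta(days=62)  # longest gap between runs
        if simulate(issued, cron_runs(issued, horizon, bimonthly=True)):
            count += 1
    return count

# Issue date taken from the notBefore line on this page; END is a constructed horizon.
ISSUED = datetime(2019, 5, 16, 6, 33, 4)
END = datetime(2019, 12, 31)

if __name__ == "__main__":
    for label, flag in (("0 4 1 */2 *", True), ("0 4 * * *", False)):
        gaps = simulate(ISSUED, cron_runs(ISSUED, END, flag))
        print(label, "->", [(str(a), str(b)) for a, b in gaps] or "no expired period")
    print("2019 issue dates that lapse under the bimonthly job:", lapsing_issue_days(2019))
```

A renewed certificate is only served once nginx reloads its configuration, so the renewal job should be followed by the nginx reload command shown earlier.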