Let's Encrypt free SSL certificate installation guide

Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.

Let's Encrypt is a free SSL certificate issuance project, a non-profit public-benefit service run by ISRG. Certificates are issued automatically, but each one is valid for only 90 days, which makes it suitable for personal or temporary use.

git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
# Create the directory the ACME HTTP challenge is served from
# (站点目录 = your site directory under the web root)
mkdir -p /home/wwwroot/站点目录/.well-known/acme-challenge
# Issue the certificate; --agree-tos suppresses the terms-of-service prompt
# (邮箱 = your e-mail, 域名 = your domain, 网站目录完整路径 = full path of the web root)
./letsencrypt-auto certonly --email 邮箱 -d 域名 --webroot -w /网站目录完整路径 --agree-tos

Let's Encrypt checks for and installs the system packages it depends on. When that finishes, a blue dialog asks you to read the TOS; press Enter, wait a moment, and the issuance completes.
After the certificate has been issued you will see the following notice:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to xxx@mengyixi.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mengyixi.com/fullchain.pem. Your cert will
expire on 2016-03-07. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Nginx configuration. The complete server block is as follows:

server
{
    listen 443 ssl;
    server_name mengyixi.com www.mengyixi.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/;
    # Default paths where Let's Encrypt stores the issued files
    ssl_certificate /etc/letsencrypt/live/mengyixi.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mengyixi.com/privkey.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    #error_page 404 /404.html;
    location ~ [^/]\.php(/|$)
    {
        # comment out try_files $uri =404; to enable pathinfo
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }

    access_log off;
}

/etc/init.d/nginx reload # reload the nginx configuration so it takes effect
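Before reloading, it is worth checking the TLS directives in the server block. The shell script below is an added example, not part of the original post or of Let's Encrypt: it extracts `ssl_protocols`, `ssl_certificate` and `ssl_prefer_server_ciphers` from a config file and reports the points a reviewer would raise against the block above (TLSv1 and TLSv1.1 are still offered; the certificate path must be `fullchain.pem` so the intermediate is served). The sample config embedded in the script is constructed for the demo with a placeholder domain, and the list of protocol versions treated as deprecated is this example's own assumption.

```shell
#!/bin/bash
# Added example (not from the original post): audit the TLS directives of an
# nginx server block before reloading. The sample config at the bottom is
# constructed for the demo; the domain in it is a placeholder.

# Protocol versions this example treats as deprecated (assumption of this script).
DEPRECATED_PROTOS="SSLv2 SSLv3 TLSv1 TLSv1.1"

# Print the value of the first occurrence of a directive, without the trailing ';'.
# The name must be followed by whitespace, so "ssl_certificate" does not match
# "ssl_certificate_key".
directive() {   # directive <name> <conf>
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*$/\1/p" "$2" | head -n 1
}

# List the deprecated protocol versions enabled by ssl_protocols, one per line.
weak_protocols() {   # weak_protocols <conf>
    local enabled p
    enabled=$(directive ssl_protocols "$1")
    for p in $DEPRECATED_PROTOS; do
        case " $enabled " in *" $p "*) echo "$p" ;; esac
    done
}

# 0 when ssl_certificate points at fullchain.pem. Serving cert.pem alone omits
# the intermediate certificate and many clients then fail chain validation.
uses_fullchain() {   # uses_fullchain <conf>
    case "$(directive ssl_certificate "$1")" in
        *fullchain.pem) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks; exit status 0 means no findings, 1 means at least one.
audit_nginx_tls() {   # audit_nginx_tls <conf>
    local conf=$1 rc=0 weak
    weak=$(weak_protocols "$conf")
    if [ -n "$weak" ]; then
        echo "FINDING: ssl_protocols still offers:" $weak
        rc=1
    fi
    if ! uses_fullchain "$conf"; then
        echo "FINDING: ssl_certificate should point at fullchain.pem"
        rc=1
    fi
    if [ "$(directive ssl_prefer_server_ciphers "$conf")" != "on" ]; then
        echo "FINDING: ssl_prefer_server_ciphers is not on"
        rc=1
    fi
    return $rc
}

# Constructed sample mirroring the TLS lines of the post's server block.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF

if audit_nginx_tls "$SAMPLE_CONF"; then
    echo "no findings, safe to reload"
else
    echo "fix the findings above before reloading nginx"
fi
```

Run it against your real file (`audit_nginx_tls /usr/local/nginx/conf/vhost/yourdomain.conf`, path assumed) and it reports that `ssl_protocols` still offers TLSv1 and TLSv1.1, which is the one change the configuration above needs before going live.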

Certificate renewal

Because the certificate is only valid for 90 days, it has to be renewed regularly. A crontab entry can do this automatically:

cat >/data/cron/renew-ssl.sh<<EOF
#!/bin/bash
# Make sure the challenge directory still exists (网站目录完整路径 = full path of the web root)
mkdir -p /网站目录完整路径/.well-known/acme-challenge
# --renew-by-default re-issues the certificate on every run (letsencrypt目录 = the cloned repository)
/usr/local/letsencrypt目录/letsencrypt-auto --renew-by-default certonly --email 邮箱 -d 域名 --webroot -w /网站目录完整路径 --agree-tos
/etc/init.d/nginx reload
EOF

chmod +x /data/cron/renew-ssl.sh

Add the following to the crontab:

# 04:00 on the 1st of every month: the day-of-month field only spans 1-31, so */60 matches day 1 only
0 4 */60 * * /data/cron/renew-ssl.sh
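The post's cron script re-issues the certificate on every run regardless of how much validity remains, and reloads nginx without checking the config. As an added example (my own script, not from the original post or from the Let's Encrypt client), the version below reads the remaining days with openssl and only renews below a threshold, runs `nginx -t` before reloading so a broken config cannot take the site down, and writes a one-line log entry. The domain, e-mail, web root, client path (`/usr/local/letsencrypt/letsencrypt-auto`) and log path are placeholders supplied through environment variables; it assumes GNU date and openssl on the host.

```shell
#!/bin/bash
# Added example (not the post's own script): renew only when the certificate is
# close to expiry, validate the nginx config before reloading, and log the result.
# All paths and the domain below are placeholder assumptions; override them via
# the environment.
set -u

DOMAIN="${DOMAIN:-example.com}"
EMAIL="${EMAIL:-admin@example.com}"
WEBROOT="${WEBROOT:-/home/wwwroot}"
LE_BIN="${LE_BIN:-/usr/local/letsencrypt/letsencrypt-auto}"   # assumed clone location
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
LOG="${LOG:-/var/log/renew-ssl.log}"
THRESHOLD_DAYS=30     # re-issue when fewer days than this remain

# Whole days from now until a timestamp GNU date can parse: the "notAfter="
# value printed by openssl ("Mar  7 12:00:00 2016 GMT"), an ISO 8601 string,
# or "@<epoch>".
days_until() {
    local end now
    end=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Days left on the certificate file given as $1. Prints -1 when the file is
# missing (first issuance), so the caller treats that as "renew now".
cert_days_left() {
    local not_after
    [ -r "$1" ] || { printf '%s\n' -1; return 0; }
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_until "$not_after"
}

# 0 = renew, 1 = still fine. Takes the day count so the decision can be
# checked without a certificate on disk.
needs_renewal() {   # needs_renewal <days_left>
    [ "$1" -lt "$THRESHOLD_DAYS" ]
}

renew() {
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    "$LE_BIN" --renew-by-default certonly --email "$EMAIL" -d "$DOMAIN" \
        --webroot -w "$WEBROOT" --agree-tos
}

main() {
    local left stamp
    left=$(cert_days_left "$CERT")
    stamp=$(date -u +%FT%TZ)
    if needs_renewal "$left"; then
        # Only reload when issuance succeeded AND the config still parses.
        if renew && nginx -t; then
            /etc/init.d/nginx reload
            echo "$stamp renewed $DOMAIN (had $left days left)" >>"$LOG"
        else
            echo "$stamp renewal FAILED for $DOMAIN, nginx not reloaded" >>"$LOG"
            exit 1
        fi
    else
        echo "$stamp $DOMAIN ok, $left days left" >>"$LOG"
    fi
}

# Cron invokes the script with "run"; sourcing it only defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install it as `/data/cron/renew-ssl.sh` and schedule it daily, e.g. `0 4 * * * /data/cron/renew-ssl.sh run`: because it checks expiry first, a daily run is harmless and removes the guesswork of the `*/60` field, while the `nginx -t` gate keeps a half-written config from being reloaded.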

Reference
[1] https://letsencrypt.org/
[2] https://github.com/letsencrypt/letsencrypt.git
[3] http://www.vpser.net/build/letsencrypt-free-ssl.html

Comments

  1. maple’s sky says:

    I have already given up on Let’s Encrypt and switched to a free AlphaSSL wildcard certificate. Quick and dirty!