随身笔记

Configuring SSL in nginx

Recently I suddenly wanted to move my blog to HTTPS. Not really to improve security; I just like tinkering, and I think the little green padlock looks cool.
Free HTTPS certificate authorities include StartSSL and Let's Encrypt; I went with Let's Encrypt.

Install certbot-auto with the script:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

This requires Python version 2.6.

1. Create the configuration file

/etc/letsencrypt/configs/wuyanxin.com.conf

# the domain we want to get the cert for;
# technically it's possible to have multiple of these lines, but it only worked
# with one domain for me; another one only got one cert, so I would recommend
# separate config files per domain.
domains = wuyanxin.com

# increase key size
rsa-key-size = 2048 # Or 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = your-email

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /data/www/wuyanxin.com/

2. Configure nginx so Let's Encrypt can reach the temporary challenge files

Add this location to your nginx configuration:

server {
  listen 80 default_server;
  server_name wuyanxin.com;

  location /.well-known/acme-challenge {
    root /data/www/wuyanxin.com;
  }
  ...
}

Validate the configuration and reload nginx:

sudo nginx -t && sudo nginx -s reload

3. Request the certificate

./certbot-auto --config /etc/letsencrypt/configs/wuyanxin.com.conf certonly

4. Configure nginx on port 443 to use the certificate

server {
  listen 443 ssl default_server;
  server_name wuyanxin.com;

  ssl_certificate /etc/letsencrypt/live/wuyanxin.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/wuyanxin.com/privkey.pem;

  ...
}

Redirect HTTP to HTTPS:

server {
  listen 80;
  server_name wuyanxin.com;
  return 301 https://$server_name$request_uri;
}

Reload nginx:

sudo nginx -t && sudo nginx -s reload

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days, so we should renew them before they expire.

Prepare the following script and save it as renew_letsencrypt.sh:

#!/bin/sh

# adjust the directory, the certbot binary name and the config file to match
# the steps above (certbot-auto / wuyanxin.com.conf) on your own host
cd /opt/letsencrypt/ || exit 1
./certbot certonly --config /etc/letsencrypt/configs/my-domain.conf

if [ $? -ne 0 ]; then
  ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
  # printf rather than "echo -e": under /bin/sh (dash) echo would print the "-e" literally
  printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
else
  # only reload nginx when a new certificate was actually issued
  nginx -s reload
fi

exit 0

If /var/log/letsencrypt/ does not exist, create it first.
Use crontab -e to schedule a renewal every two months:

0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /path/to/renew_letsencrypt.sh
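As an added example (not code from the original post or from certbot), the following POSIX sh functions make the cron job idempotent: the certificate is renewed, and nginx reloaded, only when it is inside a renewal window, checked with `openssl x509 -checkend` so no date arithmetic is needed, and a failed renewal is reported through a non-zero exit status. It assumes the openssl CLI is installed; the RENEW_CMD/RELOAD_CMD variables, the certificate path and the throwaway self-signed test certificate helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot: renew only
# when the Let's Encrypt certificate is inside the renewal window, using
# "openssl x509 -checkend" for the expiry check so plain /bin/sh suffices.
# Assumes the openssl CLI is installed. RENEW_CMD / RELOAD_CMD default to the
# commands from the steps above and can be overridden (e.g. for testing).

RENEW_CMD="${RENEW_CMD:-./certbot-auto --config /etc/letsencrypt/configs/wuyanxin.com.conf certonly}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# needs_renewal CERT_PEM [DAYS]
# Exit 0 (true) if CERT_PEM is unreadable or expires within DAYS days
# (default 30, a third of the 90-day lifetime); exit 1 (false) otherwise.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    [ -r "$cert" ] || return 0
    # -checkend exits 0 when the cert will NOT expire within the window, 1 when it will
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed CERT_PEM [DAYS]
# Exit 0 when nothing had to be done or renewal and reload succeeded; return
# non-zero otherwise so cron reports the failure (the post's script always exits 0).
renew_if_needed() {
    if ! needs_renewal "$1" "${2:-30}"; then
        echo "certificate $1 still valid for more than ${2:-30} days, nothing to do"
        return 0
    fi
    if sh -c "$RENEW_CMD"; then
        sh -c "$RELOAD_CMD"
    else
        echo "Let's Encrypt renewal failed; see /var/log/letsencrypt/letsencrypt.log" >&2
        return 1
    fi
}

# make_test_cert OUT_PEM DAYS: constructed self-signed cert, for local testing only
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test.invalid" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# cron entry point, e.g. run daily:
# renew_if_needed /etc/letsencrypt/live/wuyanxin.com/cert.pem 30
```

Because the check is cheap and does nothing until the certificate is within 30 days of expiry, the script can be scheduled daily instead of on the fixed two-monthly calendar above, which also covers a missed run.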

https://segmentfault.com/a/1190000007467737

2016-11-22