Generating an SSL certificate for a domain with certbot
2021-02-26 09:51:16
sanger
# Website HTTPS: configuring a free SSL certificate with certbot and applying it to the site

Certbot is [also the tool recommended on the Let's Encrypt site](https://letsencrypt.org/zh-cn/getting-started/). There are of course quite a few other tools of this kind.

## Configuring the certificate

### Install certbot

```
yum install certbot -y
```

### Check that the installation works

```
[root@VM_0_17_centos ~]# certbot
```

If it runs correctly, you will see a message like the following.

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
```

### Create a SecretId at your DNS provider and fill it into au.sh

Only Tencent Cloud, Alibaba Cloud and GoDaddy are currently supported. For how to generate the corresponding id and key, see:

- [aly](https://help.aliyun.com/knowledge_detail/38738.html)
- [txy](https://console.cloud.tencent.com/cam/capi)
- [godaddy](https://developer.godaddy.com/getstarted)

### Download the SDK tool

```
[root@VM_0_17_centos certbot-letencrypt-wildcardcertificates-alydns-au]# cd /opt && \
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au && \
cd certbot-letencrypt-wildcardcertificates-alydns-au
```

### Edit the au.sh script

```
# Fill in the Alibaba Cloud AccessKey ID and AccessKey Secret
# For how to apply for them see https://help.aliyun.com/knowledge_detail/38738.html
ALY_KEY=""
ALY_TOKEN=""
# Fill in the Tencent Cloud SecretId and SecretKey
# For how to apply for them see https://console.cloud.tencent.com/cam/capi
TXY_KEY=""
TXY_TOKEN=""
# GoDaddy SecretId and SecretKey
# For how to apply for them see https://developer.godaddy.com/getstarted
GODADDY_KEY=""
GODADDY_TOKEN=""
```

### Issue the wildcard certificate

```
[root@VM_0_17_centos certbot-letencrypt-wildcardcertificates-alydns-au]# certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add" --manual-cleanup-hook "/opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean" --email zh2774723@163.com -d xuanjiazixun.com -d *.xuanjiazixun.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xuanjiazixun.com
dns-01 challenge for xuanjiazixun.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Running manual-auth-hook command: /opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add
Running manual-auth-hook command: /opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: /opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean
Running manual-cleanup-hook command: /opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xuanjiazixun.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xuanjiazixun.com/privkey.pem
   Your cert will expire on 2020-01-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

### Automatic renewal

Add the following line with `crontab -e`. Because `crontab -e` edits a per-user crontab, the line carries no user field (that field only exists in /etc/crontab and /etc/cron.d), and the deploy hook runs the two restarts one after the other:

```
0 23 28 * * certbot renew --quiet --manual --preferred-challenges dns --manual-auth-hook "/opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add" --manual-cleanup-hook "/opt/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean" --deploy-hook "systemctl restart nginx; systemctl restart strongswan"
```

## Applying it to the website

### nginx as an example

```
[root@VM_0_17_centos ~]# cat /etc/nginx/conf.d/xuanjia.conf
# Permanently redirect non-secure connections to the secure site
server {
    listen 80;
    server_name www.xuanjiazixun.com xuanjiazixun.com *.www.xuanjiazixun.com;
    # Permanent redirect to the https site
    return 301 https://$server_name$request_uri;
}
server {
    # Enable https with the http/2 protocol. nginx 1.9.11 had a bug when http/2 was enabled; it was fixed in 1.9.12.
    listen 443 ssl http2;
    server_name www.xuanjiazixun.com xuanjiazixun.com *.www.xuanjiazixun.com;
    # Tell the browser to use only https for the validity period.
    # Browsers ignore this header on a plain-http response, so it is sent from the https server block.
    add_header Strict-Transport-Security max-age=15768000;
    # Tell the browser the current page may not be framed
    add_header X-Frame-Options DENY;
    # Tell the browser not to guess the mime type
    add_header X-Content-Type-Options nosniff;
    root /data/xuanjiazixun;
    # Certificate path
    ssl_certificate /etc/letsencrypt/live/xuanjiazixun.com/fullchain.pem;
    # Private key path
    ssl_certificate_key /etc/letsencrypt/live/xuanjiazixun.com/privkey.pem;
    # Protocols allowed for secure connections
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Allowed cipher suites; the order matters, entries further to the front have higher priority.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    # In the SSLv3 or TLSv1 handshake the client's preferred cipher is normally used; with the setting below enabled, the server's preference is used instead.
    ssl_prefer_server_ciphers on;
    # Type and size of the SSL session cache
    ssl_session_cache shared:SSL:10m;
    # Cache validity period
    ssl_session_timeout 60m;
    # Settings unrelated to the certificate are omitted below
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
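The hook contract that au.sh implements above, as an added example (not au.sh or the page's own code): certbot hands the hook the name and token in `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`, the hook publishes a `_acme-challenge.<domain>` TXT record and waits for it to be visible, and, because the apex and wildcard challenges share one record name (the two `dns-01 challenge for xuanjiazixun.com` lines in the output), cleanup must delete only the value it added. `FakeDNS` is a constructed in-memory stand-in for the provider API; a real hook would call the aliyun/tencent/godaddy SDK there.

```python
"""Added example of certbot's --manual-auth-hook / --manual-cleanup-hook contract.
FakeDNS is a constructed stand-in for the provider API that au.sh calls."""
import time
from collections import defaultdict

class FakeDNS:
    """In-memory TXT zone, name -> set of values (constructed, not a real API)."""
    def __init__(self):
        self.txt = defaultdict(set)
    def add_txt(self, name, value):
        self.txt[name].add(value)
    def delete_txt(self, name, value):
        # Remove only the matching value so other challenges on the same name survive
        self.txt[name].discard(value)
        if not self.txt[name]:
            del self.txt[name]
    def lookup(self, name):
        return set(self.txt.get(name, ()))

def challenge_record(domain):
    """Record name for DNS-01. certbot already passes the bare name for a wildcard
    (*.example.com -> example.com), so apex and wildcard share one record name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base

def wait_for_txt(lookup, name, value, attempts=30, delay=10):
    """certbot starts validation as soon as the auth hook exits, so block until the
    record is visible; return False if it never shows up."""
    for _ in range(attempts):
        if value in lookup(name):
            return True
        time.sleep(delay)
    return False

def auth_hook(dns, domain, validation):
    name = challenge_record(domain)
    dns.add_txt(name, validation)
    return name, wait_for_txt(dns.lookup, name, validation, attempts=3, delay=0)

def cleanup_hook(dns, domain, validation):
    name = challenge_record(domain)
    dns.delete_txt(name, validation)  # never wipe every TXT value at the name
    return name

def run(dns, action, env):
    """add|clean entry point like au.sh; env is the environment certbot hands the hook."""
    if action not in ("add", "clean"):
        raise SystemExit("usage: hook.py add|clean")
    dom, val = env["CERTBOT_DOMAIN"], env["CERTBOT_VALIDATION"]
    return auth_hook(dns, dom, val)[1] if action == "add" else cleanup_hook(dns, dom, val)
```

With a real provider, `wait_for_txt` should resolve through a public resolver rather than the provider's own API, since that is what Let's Encrypt will query.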