Let's Encrypt, the non-profit, open-source certificate authority backed by Google, Cisco, Akamai, Mozilla, IdenTrust, Apple, Microsoft and others, started issuing free SSL certificates last autumn. Each certificate is valid for only three months but can be renewed indefinitely, and more than three million sites already use them. I spent a couple of days playing with it as well, so here is a quick record of the setup.
1. Install git, bc and the EPEL repository
yum -y install git bc epel-release
2-1. Download Let's Encrypt with git (recommended)
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
2-2. Download Let's Encrypt as a release tarball instead
cd /opt/
wget https://github.com/letsencrypt/letsencrypt/archive/v0.5.0.tar.gz
tar xf v*.tar.gz -C /opt/
mv letsencrypt-* letsencrypt
cd /opt/letsencrypt
3. Generate Diffie-Hellman parameters for the DHE cipher suites. This is not the site's key pair; it is the DH group nginx will use for ephemeral key exchange. 2048 bits is the minimum worth using, and generation takes a minute or two:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
4. Request the Let's Encrypt certificate. Change these three values first:
admin@guess.za.net = the e-mail address you actually read (expiry notices are sent there)
guess.za.net = the domain you are requesting the certificate for
/home/wwwroot/guess.za.net/ = the web root of that site; it must be served on port 80 so the http-01 challenge file under /.well-known/acme-challenge/ can be fetched by Let's Encrypt
mkdir -p /home/wwwroot/guess.za.net/.well-known/acme-challenge
cd /opt/letsencrypt
./letsencrypt-auto certonly --email admin@guess.za.net -d "guess.za.net" --webroot -w /home/wwwroot/guess.za.net/ --agree-tos
On success the certificate files are written to /etc/letsencrypt/live/guess.za.net/ (symlinks to the current versions kept under /etc/letsencrypt/archive/; the same directory also holds cert.pem and chain.pem). Together with the DH parameters from step 3, the nginx configuration in the next step refers to these three files:
/etc/ssl/certs/dhparam.pem
/etc/letsencrypt/live/guess.za.net/fullchain.pem (server certificate followed by the intermediate chain)
/etc/letsencrypt/live/guess.za.net/privkey.pem (private key; keep it readable by root only)
5. Configure nginx: add the following inside the server block
※ Change the paths to the ones actually produced on your host ※
listen 443 ssl;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/guess.za.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guess.za.net/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
A few notes on these directives. `listen 443 ssl` already enables TLS, so the older `ssl on;` directive is not needed (nginx removed it in 1.15). TLSv1 and TLSv1.1 are only there for old clients and have since been deprecated (RFC 8996); the cipher list likewise still admits 3DES (`DES-CBC3-SHA`), Camellia and non-forward-secret RSA key exchange for compatibility, so trim it unless you must support legacy browsers. `ssl_stapling_verify on` only works when nginx knows the issuer chain (`ssl_trusted_certificate` pointing at chain.pem from the same live/ directory) and has a `resolver` configured to look up the OCSP responder; without those, nginx logs a warning and staples nothing. The HSTS header with `includeSubDomains` makes browsers refuse plain HTTP for every subdomain for a year, so make sure all subdomains already serve HTTPS before enabling it.
Once the configuration is in place, test it for syntax errors first:
nginx -t
Only after it passes, reload nginx, confirm it is running and listening on 443, and then check the certificate at ssllabs.com:
nginx -s reload
ps ax | grep nginx
netstat -atunp | grep nginx
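The fragment above covers only the TLS directives. Below is a complete pair of server blocks for the same site, added here as an example (it is not from the original post): a port-80 block that serves ACME http-01 challenges from the webroot and redirects everything else, and a port-443 block with the TLS settings tightened to forward-secret AEAD suites and working OCSP stapling. It assumes the file locations from steps 3 and 4, nginx 1.13 or later built against OpenSSL 1.1.1 for TLSv1.3 (drop that token on older builds), and 8.8.8.8 as a resolver reachable from the server; those assumptions are mine, not the author's.

```nginx
# Added example, not part of the original post.
# Assumes: nginx >= 1.13 with OpenSSL >= 1.1.1 (for TLSv1.3), and that 8.8.8.8
# is a DNS resolver reachable from this host.

# Port 80: answer ACME challenges from the webroot, redirect everything else.
server {
    listen 80;
    server_name guess.za.net;

    # letsencrypt-auto --webroot writes its challenge tokens under this path.
    # Serve it directly so issuance and renewal never depend on the 443 block.
    location ^~ /.well-known/acme-challenge/ {
        root /home/wwwroot/guess.za.net;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the site itself.
server {
    listen 443 ssl http2;
    server_name guess.za.net;
    root /home/wwwroot/guess.za.net;

    ssl_certificate     /etc/letsencrypt/live/guess.za.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guess.za.net/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for known legacy clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only: no 3DES, no CBC/SHA-1, no static RSA key exchange.
    # OpenSSL silently skips names it does not know (e.g. CHACHA20 on 1.0.2).
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Session tickets are encrypted with a long-lived key that nginx never rotates,
    # which weakens forward secrecy; the shared cache above covers resumption.
    ssl_session_tickets off;

    # OCSP stapling: verification needs the issuer chain, and the responder
    # hostname must be resolvable, hence ssl_trusted_certificate and resolver.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/guess.za.net/chain.pem;
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    # Sent on every response, including errors, thanks to "always".
    # Only enable includeSubDomains once every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # site-specific location blocks go here
}
```

After `nginx -t && nginx -s reload`, confirm the challenge path is really reachable before requesting or renewing (`echo ok > /home/wwwroot/guess.za.net/.well-known/acme-challenge/test`, then `curl -i http://guess.za.net/.well-known/acme-challenge/test` should return 200 with the body `ok`), and check the chain and the stapled response with `openssl s_client -connect guess.za.net:443 -servername guess.za.net -status </dev/null`. Note that Let's Encrypt has since ended its OCSP service in favour of CRLs, so the stapling directives only do anything while the certificate still carries an OCSP responder URL.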
6. Create a Let's Encrypt config file per site so renewals can run unattended
※ Change the e-mail address, domain and web root to the ones in use ※
mkdir -p /var/log/letsencrypt/
mkdir -p /etc/letsencrypt/configs
# one file per domain; written with > so re-running the step replaces it instead of appending duplicate keys
cat > /etc/letsencrypt/configs/guess.za.net.conf <<'EOF'
# same long option names as on the command line, without the leading --
email = admin@guess.za.net
domains = guess.za.net
authenticator = webroot
webroot-path = /home/wwwroot/guess.za.net/
EOF
7. Create the shell script that renews the certificates. Its contents:
※ Change the config paths to the ones you actually created ※
vi /root/renew-letsencrypt.sh
#!/bin/sh
# Renew every configured site, then reload nginx only if all of them succeeded.
cd /opt/letsencrypt/ || exit 1
FAILED=0
for CONF in /etc/letsencrypt/configs/111.net.conf \
            /etc/letsencrypt/configs/222.net.conf \
            /etc/letsencrypt/configs/333.net.conf
do
    # --renew-by-default forces a new certificate even if the current one is still valid
    ./letsencrypt-auto certonly --config "$CONF" --agree-tos --renew-by-default || FAILED=1
done
if [ "$FAILED" -ne 0 ]
then
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
    exit 1
fi
nginx -t && nginx -s reload
exit 0
A failure on any one domain sets FAILED, so nginx is only reloaded when every certificate was renewed, and the non-zero exit status makes cron mail the log tail to root instead of silently continuing.
Remember to make it executable:
chmod +x /root/renew-letsencrypt.sh
8. Schedule the renewal to run automatically on the 1st of every month
crontab -e
@monthly (cd /opt/letsencrypt && git pull); /root/renew-letsencrypt.sh
A single entry runs the client update and the renewal in that order; two separate @monthly entries would start in the same minute with no guaranteed ordering. A failed git pull does not block the renewal, which then simply runs with the existing client. Certificates are valid for 90 days, so a monthly run leaves roughly two months of margin if one attempt fails.
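The monthly script above reissues every certificate whether or not it is near expiry. The following script is an added example (mine, not the original author's) of the check a practitioner usually wants instead: read the expiry date from each site's cert.pem, renew only when 30 days or fewer remain, and reload nginx only if something actually changed. It keeps the page's layout (/opt/letsencrypt, /etc/letsencrypt/configs/<domain>.conf, /etc/letsencrypt/live/<domain>/) and assumes GNU `date` and `openssl` on the host; the 30-day threshold and the `--run` flag are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: renew Let's Encrypt
# certificates only when they are close to expiry.
# Assumes GNU date (for `date -d`) and openssl; paths follow the post.
set -u

LE_DIR=/opt/letsencrypt
CONF_DIR=/etc/letsencrypt/configs
LIVE_DIR=/etc/letsencrypt/live
THRESHOLD_DAYS=30   # assumption: renew when this many days or fewer remain

# days_left NOTAFTER [NOW_EPOCH]
# NOTAFTER is the string printed by `openssl x509 -enddate`, e.g.
# "Jun 14 12:00:00 2016 GMT". Prints whole days remaining (negative once
# expired). NOW_EPOCH defaults to the current time; passing it explicitly
# makes the function deterministic for testing.
days_left() {
    notafter=$1
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$notafter" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# cert_days_left CERTFILE: days of validity left in a PEM certificate file.
cert_days_left() {
    enddate=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2) || return 1
    days_left "$enddate"
}

# needs_renewal DAYS: succeeds when DAYS is at or below the threshold.
needs_renewal() {
    [ "$1" -le "$THRESHOLD_DAYS" ]
}

# renew_all: walk the per-domain configs from step 6, renew the ones that
# need it, and reload nginx once if anything was reissued.
# Returns non-zero if any renewal failed, so cron reports it.
renew_all() {
    changed=0
    failed=0
    for conf in "$CONF_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        domain=$(basename "$conf" .conf)      # configs are named <domain>.conf
        cert="$LIVE_DIR/$domain/cert.pem"
        if [ -f "$cert" ]; then
            days=$(cert_days_left "$cert") || { failed=1; continue; }
            if ! needs_renewal "$days"; then
                echo "$domain: $days days left, skipping"
                continue
            fi
        fi
        # --renew-by-default is this client version's name for forced reissue;
        # certbot later renamed it --force-renewal.
        if (cd "$LE_DIR" && ./letsencrypt-auto certonly --config "$conf" \
                --agree-tos --renew-by-default); then
            changed=1
        else
            echo "$domain: renewal failed" >&2
            failed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then
        nginx -t && nginx -s reload
    fi
    return "$failed"
}

# Only perform the renewal when invoked with --run, so the file can also be
# sourced for its functions (e.g. to check a single certificate by hand).
if [ "${1:-}" = "--run" ]; then
    renew_all
fi
```

Install it in place of the forced-renewal script and call it from cron as `/root/renew-letsencrypt.sh --run`; with a 30-day threshold a weekly schedule is reasonable, since each run is a no-op until a certificate is within the window, and a transient failure still leaves several retries before expiry.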
