chevron-up bell reply instagram twitter2 feed3 finder search-25px-p0
暂无公告

免费SSL安全证书Let’s Encrypt安装使用教程(附Nginx/Apache配置)

2016-11-21

letsencrypt

Let's Encrypt是最近很火的一个免费SSL证书发行项目,Let's Encrypt是由ISRG提供的免费免费公益项目,自动化发行证书,但是证书只有90天的有效期。适合个人使用或者临时使用,不用再忍受自签发证书不受浏览器信赖的提示。前段时间一直是内测,现在已经开放了。本教程安装不需要停掉当前Web服务(Nginx/Apache),直接生成证书,废话不多说下面开始:

网上有很多版本的工具,经过我多方测试,在nginx下最便捷的方法就是使用一件脚本,此脚本我是从 https://www.freehao123.com/lets-encrypt/ 这里看到的,经过多次在不同系统上的测试可以快速一键配置成功。方法如下:

项目主页:

https://github.com/xdtianyu/scripts/tree/master/lets-encrypt

下载以下两文件或者复制代码自己上传:

letsencrypt

letsencrypt.sh

#!/bin/bash

# Usage: /etc/nginx/certs/letsencrypt.sh /etc/nginx/certs/letsencrypt.conf

CONFIG=$1
ACME_TINY="/tmp/acme_tiny.py"
DOMAIN_KEY=""

if [ -f "$CONFIG" ];then
. "$CONFIG"
DIRNAME=$(dirname "$CONFIG")
cd "$DIRNAME" || exit 1
else
echo "ERROR CONFIG."
exit 1
fi

KEY_PREFIX="${DOMAIN_KEY%%.*}"
DOMAIN_CRT="$KEY_PREFIX.crt"
DOMAIN_PEM="$KEY_PREFIX.pem"
DOMAIN_CSR="$KEY_PREFIX.csr"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"

if [ ! -f "$ACCOUNT_KEY" ];then
echo "Generate account key..."
openssl genrsa 4096 > "$ACCOUNT_KEY"
fi

if [ ! -f "$DOMAIN_KEY" ];then
echo "Generate domain key..."
if [ "$ECC" = "TRUE" ];then
openssl ecparam -genkey -name secp256r1 | openssl ec -out "$DOMAIN_KEY"
else
openssl genrsa 2048 > "$DOMAIN_KEY"
fi
fi

echo "Generate CSR...$DOMAIN_CSR"

OPENSSL_CONF="/etc/ssl/openssl.cnf"

if [ ! -f "$OPENSSL_CONF" ];then
OPENSSL_CONF="/etc/pki/tls/openssl.cnf"
if [ ! -f "$OPENSSL_CONF" ];then
echo "Error, file openssl.cnf not found."
exit 1
fi
fi

openssl req -new -sha256 -key "$DOMAIN_KEY" -subj "/" -reqexts SAN -config <(cat $OPENSSL_CONF <(printf "[SAN]\nsubjectAltName=%s" "$DOMAINS")) > "$DOMAIN_CSR"

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O $ACME_TINY -o /dev/null

if [ -f "$DOMAIN_CRT" ];then
mv "$DOMAIN_CRT" "$DOMAIN_CRT-OLD-$(date +%y%m%d-%H%M%S)"
fi

DOMAIN_DIR="$DOMAIN_DIR/.well-known/acme-challenge/"
mkdir -p "$DOMAIN_DIR"

python $ACME_TINY --account-key "$ACCOUNT_KEY" --csr "$DOMAIN_CSR" --acme-dir "$DOMAIN_DIR" > "$DOMAIN_CRT"

if [ "$?" != 0 ];then
exit 1
fi

if [ ! -f "lets-encrypt-x3-cross-signed.pem" ];then
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -o /dev/null
fi

cat "$DOMAIN_CRT" lets-encrypt-x3-cross-signed.pem > "$DOMAIN_CHAINED_CRT"

if [ "$LIGHTTPD" = "TRUE" ];then
cat "$DOMAIN_KEY" "$DOMAIN_CRT" > "$DOMAIN_PEM"
echo -e "\e[01;32mNew pem: $DOMAIN_PEM has been generated\e[0m"
fi

echo -e "\e[01;32mNew cert: $DOMAIN_CHAINED_CRT has been generated\e[0m"

#service nginx reload

letsencrypt.conf(此处按照下面提示根据自己情况修改))

# only modify the values, key files will be generated automaticly.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="自定义.key"
DOMAIN_DIR="/home/wwwroot/目录"
DOMAINS="DNS:域名1,DNS:域名2"
#ECC=TRUE
#LIGHTTPD=TRUE

给予letsencrypt.sh运行权限

因为默认LNMP的虚拟主机里是禁止 . 开头的隐藏文件及目录的,所以访问http://abc.com/.well-known/acme-challenge/**** 这个链接的话返回403错误,所以必须要将对应虚拟主机配置文件里的
location ~ /\.
{
deny all;
}
这段配置删掉或注释掉或在这段配置前面加上
location ~ /.well-known {
allow all;
}

以上配置代码,然后重启nginx。

运行:

路径/letsencrypt.sh 路径/letsencrypt.conf

搞定

mrluo

发表评论