5 Simple Steps to Configure a Free Let's Encrypt SSL Certificate


cd /root
1. Download the letsencrypt configuration file and the script
Download the two files:

wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh

Make the script executable (mode 755):
chmod +x letsencrypt.sh

2. Configure the letsencrypt.conf file

vi letsencrypt.conf

# only modify the values, key files will be generated automatically.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="javaer.com.key"
DOMAIN_DIR="/www/javaer"
DOMAINS="DNS:java-er.com"
#ECC=TRUE
#LIGHTTPD=TRUE

:wq! to save

3. Run the script to generate the required key files and the certificate

./letsencrypt.sh letsencrypt.conf

Generate account key...
Generating RSA private key, 4096 bit long modulus
.......++
.............................................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
..............................+++
..............+++
e is 65537 (0x10001)
Generate CSR...java-er.csr
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying java-er.com...
java-er.com verified!
Signing certificate...
Certificate signed!
New cert: javaer.chained.crt has been generated    // this line means the certificate was issued successfully

List of generated files

-rw-r--r-- 1 root root 1675 Sep 26 15:14 intermediate.pem
-rw-r--r-- 1 root root 3243 Sep 26 11:55 javaer-account.key
-rw-r--r-- 1 root root 3432 Sep 26 12:03 java-er.chained.crt
-rw-r--r-- 1 root root 1679 Sep 26 11:55 java-er.com.key
-rw-r--r-- 1 root root 1785 Sep 26 12:03 java-er.crt
-rw-r--r-- 1 root root  920 Sep 26 12:03 java-er.csr
-rw-r--r-- 1 root root  216 Sep 26 12:03 letsencrypt.conf
-rwxr-xr-x 1 root root 2170 Sep 26 11:53 letsencrypt.sh
-rw-r--r-- 1 root root 1647 Nov 17  2016 lets-encrypt-x3-cross-signed.pem

Assemble the full certificate chain
Run on the command line:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat /root/java-er.crt intermediate.pem > /root/fullchain.pem

(fullchain.pem is the file handed to Apache with SSLCertificateChainFile "/root/fullchain.pem" in step 4.)

This produces a new file:
-rw-r--r-- 1 root root 3322 Sep 26 15:16 fullchain.pem

4. Configure the web server. Below is the lampp (XAMPP) configuration on Linux CentOS 6.4

cd /opt/lampp/etc/extra
vi http-vhost.conf

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot /www/javaer.com
    ServerName java-er.com
    ErrorLog logs/javaer.com-error_log
    CustomLog logs/javaer.com-access_log common
    RewriteEngine on
    RewriteCond   %{HTTPS} !=on
    RewriteRule   ^(.*)  https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

Port 80 stays reachable, but every request on it is redirected:

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]

This forces HTTP requests to redirect to HTTPS.

Another option is to put the rules in your own .htaccess:

RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.* https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

This is the actual HTTPS configuration:

<VirtualHost *:443>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot /www/javaer.com
    ServerName java-er.com
    SSLEngine on
    SSLCertificateFile "/root/java-er.crt"
    SSLCertificateKeyFile "/root/java-er.com.key"
    SSLCertificateChainFile "/root/fullchain.pem"
    ErrorLog logs/javaer.com-error_log
    CustomLog logs/javaer.com-access_log common
</VirtualHost>

SSLCertificateChainFile "/root/fullchain.pem": without this directive, Chrome and Firefox display the site normally with a green lock, but the browser on Xiaomi phones warns that the certificate comes from an untrusted authority.

After adding it, everything works.

nginx configuration

server {
    listen 443 ssl;
    ssl_certificate /root/java-er.chained.crt;
    ssl_certificate_key /root/java-er.com.key;
    server_name java-er.com;
    index index.html index.htm index.php;
    root /www/javaer.com;
    ...(rest omitted)...
}
server {
    listen 80;
    rewrite ^(.*) https://java-er.com$1 permanent;  # force port 80 to redirect to 443
}

5. Check your website

6. Automatic renewal
These free certificates expire after 3 months.

Add the following line to the system crontab so the script runs once a month and renews the certificate automatically (the /root/log directory must already exist):

0 0 1 * * /root/letsencrypt.sh /root/letsencrypt.conf >> /root/log/lets-encrypt.log 2>&1
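Before wiring the files from step 3 into Apache or nginx, and again after each cron renewal, it is worth checking that they are actually usable. The following POSIX shell checker is an added example, not part of letsencrypt.sh or of this post; the function names, the /root paths in the usage line, and the assumption that openssl, stat and date are installed are mine. It checks the private key mode (the listing above shows the key as 644, i.e. world-readable), that the key matches the certificate, that the leaf chains to the intermediate you ship (the missing-intermediate case behind the Xiaomi browser warning), and how many of the 90 days remain.

```shell
#!/bin/sh
# Post-issuance checks for the Let's Encrypt files (hypothetical helper, not from letsencrypt.sh).
set -u

# The key in the listing above is 644; only the owner should be able to read it (600 or 400).
key_perms_ok() {                # $1 = private key file
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# The certificate's public key must be the one derived from the private key the server is given.
key_matches_cert() {            # $1 = cert, $2 = private key
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The leaf must chain to the intermediate you ship next to it; -partial_chain (OpenSSL 1.0.2+)
# lets the intermediate act as the trust anchor so the check does not depend on the system store.
chain_ok() {                    # $1 = cert, $2 = intermediate / chain file
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Days until notAfter; Let's Encrypt certificates last 90 days, so the cron job should keep this high.
days_left() {                   # $1 = cert
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$end" +%s)
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Run every check, print one verdict line each, return 1 if anything needs attention.
check_cert_files() {            # $1 = cert, $2 = private key, $3 = intermediate / chain file
    rc=0
    key_perms_ok "$2"          && echo "OK   key permissions"   || { echo "FAIL key is readable by others"; rc=1; }
    key_matches_cert "$1" "$2" && echo "OK   key matches cert"  || { echo "FAIL key does not match cert"; rc=1; }
    chain_ok "$1" "$3"         && echo "OK   chain verifies"    || { echo "FAIL cert does not chain to $3"; rc=1; }
    d=$(days_left "$1")
    [ "$d" -gt 30 ]            && echo "OK   $d days left"      || { echo "WARN only $d days left, renew now"; rc=1; }
    return $rc
}

# Usage: sh check-cert.sh /root/java-er.crt /root/java-er.com.key /root/intermediate.pem
if [ $# -eq 3 ]; then check_cert_files "$@"; fi
```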

Additional points:

The site must not include any non-HTTPS resources, for example loading jQuery from sina at http://sina.com/jquery.js.

I had also included the 51.la analytics script (because of this I had to give up 51.la); I hear Baidu's free analytics is served over HTTPS, so I will have to switch.

Originally published at: Yue Xiaosheng's blog, https://java-er.com/blog/ssl-letsencrypt-free-5-setps/
Unless otherwise stated, articles are original work by Yue Xiaosheng; reposting is welcome, please cite this address.