资讯专栏INFORMATION COLUMN

利用Certbot全自动安装Let's Encrypt安全证书,实现全站加密

Dionysus_go / 2467人阅读

摘要:使用的官方文档,可以选择系统,切换对应的使用方法,我选择的是安装安装过程中,若出现错误,可使用解决,注意后面的要替换为提示错误中的申请证书

Certbot使用的官方文档,可以选择系统,切换对应的使用方法,我选择的是Ubuntu16.04+Nginx

1、安装Cerbot
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx 
安装过程中,若出现 W: GPG error: http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease: The following signatures couldn"t be verified because the public key is not available: NO_PUBKEY 4F4EA0AAE5267A6C 错误,可使用 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F4EA0AAE5267A6C 解决,注意后面的key要替换为提示错误中的PUBKEY
2、申请证书
sudo certbot --nginx --nginx-server-root /etc/nginx/ -d xxx.j2do.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter "c" to
cancel): xxxxx@126.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let"s Encrypt project and the non-profit
organization that develops Certbot? We"d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ddy.j2do.com
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on [::]:80, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on [::]:80, ignored
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ddy
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on [::]:80, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you"re confident your site works on HTTPS. You can undo this
change by editing your web server"s configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press "c" to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://ddy.j2do.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ddy.j2do.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.j2do.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.j2do.com/privkey.pem
   Your cert will expire on 2018-09-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let"s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
第一项必须是选择同意(A),第二项无所谓,是将记得邮件地址添加到EFF邮件列表中,发送一些邮件给你,可以选择否(N),这时候证书会自动生成,并根据你的域名,去查找nginx配置,自动修改nginx配置支持https,最后询问你,是否要将http的请求全部重置到https上,配置完成后告诉你一些信息,证书存放在/etc/letsencrypt位置
3、重启nignx即可
sudo service nginx restart
4、Let"s Encrypt推荐使用ACME v2证书,此证书支持通配符,使证书更容易管理,稍后补充申请方法 5、自动定时申请更新证书
无论如何要记得更新证书这个事情还是很麻烦,那么certbot提供了一个自动为所有证书重新申请的命令,而且它是智能的,只申请七天内到期的证书
#设置crontab命令
0 2 * * * certbot renew

文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。

转载请注明本文地址:https://www.ucloud.cn/yun/39990.html

相关文章

  • 通过 Certbot 安装 Let's Encrypt 证书,来实现全站的 HTTPS 访

    摘要:甚至和百度的搜索结果也正在给予的网站更高的排名和优先收录权。由于预设的解码器是,所以就不能识别中文。那理解了这个错误原因后,我这边首先想到的就是网站的配置文件中是否含有中文。打开一看,确实存在中文注释。 相关知识 HTTP/HTTPS 是什么? 简单来说,HTTP 是一个传输网页内容的协议,比如我们浏览一个网页,网页上的文字、图片、 CSS 、 JS 等文件都是通过 HTTP 协议传输...

    Lsnsh 评论0 收藏0
  • 在Amazon Linux 上使用 Let's encrypt 免费的SSL

    摘要:在上使用免费的如果你使用来做负载均衡,在上可以很方便的使用。提供期限为三个月的免费证书,到期之后需要,官方还提供自动的工具是一个自动申请和续期证书的工具。在官网可以找到各种和服务器下的安装方法。常见的和安装起来十分方便。 在Amazon Linux 上 使用 Lets encrypt 免费的SSL 如果你使用ELB来做负载均衡,在AWS上可以很方便的使用SSL。如果不使用ELB就需要自...

    coolpail 评论0 收藏0
  • 使用 Let's Encrypt 证书部署 HTTPS

    摘要:为了推广协议,电子前哨基金会成立了,提供免费证书。部署,包含申请域名部署应用,并开启服务。安装使用获取证书对于,使用的插件获取。 为了推广HTTPS协议,电子前哨基金会EFF成立了 Lets Encrypt,提供免费证书。 Lets Encrypt一个于2015年三季度推出的数字证书认证机构,将通过旨在消除当前手动创建和安装证书的复杂过程的自动化流程,为安全网站提供免费的SSL/TLS...

    he_xd 评论0 收藏0

发表评论

0条评论

Dionysus_go

|高级讲师

TA的文章

阅读更多
最新活动
阅读需要支付1元查看
<