Let’s Encrypt 宣称这一过程将十分简单、自动化并且免费。
2015年8月7日,该服务更新其推出计划,预计将在2015年9月7日当周某时发布首个证书,随后向列入白名单的域名发行少量证书并逐渐扩大发行。若一切按计划进行,该服务预计将在2015年11月16日当周某时全面开始提供。
首先下载Let’s Encrypt Client
$sudoapt-getupdate
$sudoapt-getinstall-ygit
$cd/opt/letsencrypt
$sudo./letsencrypt-auto
为Let’s Encrypt Temporary File创建一个模板
我们在webroot-path/.well-known/acme-challenge/通过Let’s Encrypt client创建一个临时文件包含了使用Encrypt server验证你域名去获得验证的token 。
1.创建Let’s Encrypt保存临时文件的目录和指定需要的权限:
$mkdirletsencrypt
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains=my-domain
# increase key size
rsa-key-size=2048# Or 4096
# the current closed beta (as of 2015-Nov-07) is using this server
# this address will receive renewal reminders
email=my-email
# turn off the ncurses UI, we want this to be run as a cronjob
text=True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator=webroot
让Let’s Encrypt去访问临时文件
1.在Nginx 中配置一个虚拟server
server{
listen80default_server;
server_namemy-domain;
location/.well-known/acme-challenge{
}
...
}
2.验证配置文件然后重新启动Nginx
$sudonginx-t&&sudonginx-sreload
请求证书
通过上面的步骤我们万事俱备了,我们可以请求证书了。
$cd/opt/letsencrypt
$./letsencrypt-auto--config/etc/letsencrypt/configs/my-domain.confcertonly
Updatingletsencryptandvirtualenvironmentdependencies......
Requestingrootprivilegestorunwithvirtualenv:/root/.local/share/letsencrypt/bin/letsencrypt--config/etc/letsencrypt/configs/my-domain.confcertonly
IMPORTANTNOTES:
-Congratulations!Yourcertificateandchainhavebeensavedat
/etc/letsencrypt/live/my-domain/fullchain.pem.Yourcert
willexpireondate.Toobtainanewversionofthe
certificateinthefuture,simplyrunLet'sEncryptagain.
Nginx加载证书
1.在Nginx的配置文件中添加下面内容(这里默认你是会配置Nginx)
server{
listen443ssldefault_server;
server_namemy-domain;
ssl_certificate/etc/letsencrypt/live/my-domain/fullchain.pem;
ssl_certificate_key/etc/letsencrypt/live/my-domain/privkey.pem;
...
}
2.重新启动Nginx,Nginx每修改一次配置文件都需要通过重启加载新的配置
1
$sudonginx-t&&sudonginx-sreload
自动申请Let’s Encrypt Certificates的有效期
Let’s Encrypt certificates的免费使用时间只有90天,时间到了之后我们就需要重新续签就像签证一样。可能你会忘记。然而我们可以通过cron 这个程序来帮助我们完成自动操作
1.我们可以创建一个shell 脚本
#!/bin/sh
cd/opt/letsencrypt/
./letsencrypt-auto--config/etc/letsencrypt/configs/my-domain.confcertonly
if[$?-ne0]
then
ERRORLOG=`tail/var/log/letsencrypt/letsencrypt.log`
echo-e"The Let's Encrypt cert has not been renewed! \n \n"\
$ERRORLOG
else
nginx-sreload
fi
exit0
2.创建一个/var/log/letsencrypt/目录
3.运行crontab-e 让我们写的脚本程序每2个月执行一次
001JAN,MAR,MAY,JUL,SEP,NOV */path/to/renew-letsencrypt.sh