# git clone https://github.com/letsencrypt/letsencrypt # cd letsencrypt/二、域名认证
# ./letsencrypt-auto --debug certonly --webroot --email garany@qq.com -d ssl.junc.wang -w /var/www/wordpress/
说明:
--webroot 用web服务根目录方式认证
./letsencrypt-auto --debug certonly --email you.email --webroot -w /var/www/example -d example.com -w /var/www/thing -d thing.net -d m.thing.net--apache web服务是apache的使用
./letsencrypt-auto --debug certonly --email you.email --apache example.com --apache-le-vhost-ext /etc/httpd/conf.d/ssl.conf
--standalone web服务是nginx或其他
./letsencrypt-auto --debug certonly --email you.email --standalone -d example.com -d other.example.net
--email 指定邮箱,否则在弹出的对话框里填写
-d 指定要绑定的域名
-w 指定网站根目录
三、判断执行结果(输出为0则表示成功)
# echo $?说明:
生成的证书在/etc/letsencrypt/live/ssl.junc.wang/四、修改nginx vhost
cert.pem 服务端证书
chain.pem 浏览器需要的所有证书但不包括服务端证书,比如根证书和中间证书
fullchain.pem 包括了cert.pem和chain.pem的内容
privkey.pem 证书的私钥
# vim /usr/local/nginx/conf/vhost/ssl.junc.wang.conf
server {五、重启nginx
listen 80;
server_name ssl.junc.wang;
rewrite ^ https://$server_name$request_uri permanent;
}
server {
listen 443 ssl;
server_name ssl.junc.wang;
index index.html index.htm index.php;
root /var/www/wordpress/;
ssl_certificate /etc/letsencrypt/live/ssl.junc.wang/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ssl.junc.wang/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
}
}
# /etc/init.d/nginx restart六、更新证书
说明:
由于Let’s Encrypt证书有效期为3个月,到期后可通过renew更新,但必须是临近到期才会更新成功。因此,添加定时任务更新证书
# crontab -e
0 3 */89 * * /root/.local/share/letsencrypt/bin/letsencrypt renew
# service crond restart
我来说说