企业🤖AI智能体构建引擎,智能编排和调试,一键部署,支持私有化部署方案 广告
# Certbot-免费的https证书 ### 获取SSL证书 理论上,我们自己也可以手动制作一个 SSL 安全证书,但是我们自己签发的安全证书浏览器信任,所以我们需要被信任的证书授权中心( CA )签发的安全证书。而一般的 SSL 安全证书签发服务都需要付费,且价格昂贵,不过为了加快推广 https 的普及, EEF 电子前哨基金会、 Mozilla 基金会和美国密歇根大学成立了一个公益组织叫 ISRG ( Internet Security Research Group ),这个组织从 2015 年开始推出了 Let’s Encrypt 免费证书。这个免费证书不仅免费,而且还相当好用,所以我们就可以利用 Let’s Encrypt 提供的免费证书部署 https 了。 ### Let’s Encrypt Let’s Encrypt提供了免费的证书申请服务,同时也提供了官方客户端 [Certbot](https://certbot.eff.org/),打开首页,就可以得到官方的安装教程。官方教程给出了四种常用服务器和不同的Linux、Unix的安装使用方案,可以说是十分的贴心了。 ![](https://img.kancloud.cn/3f/d8/3fd8e81aedc9b518ec7151cafa4f4f02_883x571.png) 下面我将会介绍一个通用的安装方案: ##### 1.获取certbot-auto ~~~cpp wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto ~~~ ##### 2.生成证书 生成证书前需要停下nginx ~~~undefined service nginx stop ~~~ ~~~cpp ./certbot-auto certonly ~~~ 根据提示,输入相关资料后,如打印类似以下内容,即可在/etc/letsencrypt/archive目录下得到证书文件。 如果不想一步一步走,也可以直接使用以下命令直接生成。注意xxx需要替换为自己的东西。 ~~~cpp ./certbot-auto certonly --standalone --email xxx@xxx.com --agree-tos -d xxx.com -d www.xxx.com ~~~ xxx@xxx.com 填邮箱 xxx.com 目录名称 www.xxx.com 这是域名 ![](https://img.kancloud.cn/57/b2/57b2a67350ba80f42135a6fcd16939fb_732x153.png) ![](https://img.kancloud.cn/58/84/588429666865a873c92c0b28a8310219_1344x550.png) ##### 3.配置证书 Nginx中配置SSL证书的配置文件参考如下: ~~~bash server { listen 443 ssl; server_name xxx.com; location / { # .... } ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem; } server { listen 80; server_name xxx.com; location / { # ... } #如果需要把http强制转换为https,需要配置以下内容 if ($host = xxx.com) { #最好不要,会导致数据表丢失,post数据丢失,回调数据丢失 return 301 https://$host$request_uri; } } ~~~ 配置完成后,启动Nginx,浏览器中查看效果。 ~~~undefined service nginx start ~~~ ~~~ ##### 以后执行这个,自动更新 service nginx stop certbot-auto renew service nginx start ~~~ Upgrading certbot-auto 1.3.0 to 1.5.0... Replacing certbot-auto... Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/xxx.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/www.xxxxx.com-0001.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/www.xxxxx.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert is due for renewal, auto-renewing... Plugins selected: Authenticator standalone, Installer None Renewing an existing certificate Performing the following challenges: http-01 challenge for ifreshuk.com Waiting for verification... Cleaning up challenges - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed without reload, fullchain is /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following certs are not due for renewal yet: /etc/letsencrypt/live/xxxxxx.com/fullchain.pem expires on 2020-09-02 (skipped) /etc/letsencrypt/live/www.xxxxxx.com-0001/fullchain.pem expires on 2020-09-30 (skipped) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/www.xxxxxx.com/fullchain.pem (success) # 补充另外的一个网站申请:[https://freessl.cn/](https://freessl.cn/)