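It has been 24 years since Netscape created the SSL protocol, which has now reached TLS 3.0. With the rapid growth of the Internet, mainstream companies have been moving their entire sites to HTTPS. Following this trend, I tried out HTTPS/HTTP 2.0 myself; this post describes how to use Let's Encrypt to issue a free certificate.
Generating a Let's Encrypt certificate
Talk is cheap, show me the code:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone -d relottery.cn
When the command finishes, the following message appears: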
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/relottery.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/relottery.cn/privkey.pem
Your cert will expire on 2018-04-18. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew all of your
certificates, run "letsencrypt-auto renew"
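That's it. The key and certificate files are generated in the /etc/letsencrypt/live/relottery.cn/ directory:
cert.pem - the server certificate for Apache
chain.pem - the root and intermediate certificates for Apache
fullchain.pem - the ssl_certificate file that Nginx needs
privkey.pem - the private key file for the certificate
I use nginx here, so I need the two files fullchain.pem and privkey.pem, configured as follows:
ssl_certificate /etc/letsencrypt/live/relottery.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/relottery.cn/privkey.pem;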
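Attentive readers will have noticed that the message above tells us the certificate has a validity period (90 days). Re-running the command by hand every time it expires would be silly, so show the code:
crontab -e
Done.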
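A scheduled renewal can fail without anyone noticing, so an independent expiry check is worth running next to the cron job. The script below is an added example, not part of the original post: it assumes openssl and GNU date are installed, the function names and the 30-day threshold are illustrative choices, and the certificate path is the one shown above.

```shell
#!/bin/sh
# Added example: certificate expiry check to run alongside the renewal cron job.
# CERT is the path from this page; WARN_DAYS=30 is an assumed threshold.
CERT="${CERT:-/etc/letsencrypt/live/relottery.cn/fullchain.pem}"
WARN_DAYS="${WARN_DAYS:-30}"

# days_left "<notAfter date>" [now_epoch] -> whole days until expiry,
# rounded down so that any moment past expiry is negative. Needs GNU date.
days_left() {
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    diff=$((end - now))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))
    else
        echo $(( diff / 86400 ))
    fi
}

# classify <days> -> OK | RENEW | EXPIRED
classify() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$WARN_DAYS" ]; then echo RENEW
    else echo OK
    fi
}

# check_cert <pem> -> prints "<status> <days>"; exit status 0 only when OK.
check_cert() {
    not_after=$(openssl x509 -noout -enddate -in "$1") || return 2
    days=$(days_left "${not_after#notAfter=}") || return 2
    status=$(classify "$days")
    echo "$status $days"
    [ "$status" = OK ]
}

# Run the check only when called with "check", so the file can also be sourced.
if [ "${1:-}" = check ]; then
    check_cert "$CERT"
fi
```

Call it with the argument check from cron after the renewal job; a non-zero exit status means the certificate needs attention.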
Problems encountered
/home/app/letsencrypt/letsencrypt/letsencrypt-auto renew
WARNING: unable to check for updates.
Creating virtual environment…
Installing Python packages…
Had a problem while installing Python packages.
pip prints the following errors:
Collecting argparse==1.4.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 11))
Collecting certbot==0.21.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 206))
Could not find a version that satisfies the requirement certbot==0.21.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 206)) (from versions: 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.20.0)
No matching distribution found for certbot==0.21.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 206))
Certbot has problem setting up the virtual environment.
We were not be able to guess the right solution from your pip
output.
Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/ .
I used to trust the Aliyun pip mirror quite a lot. Sigh. I switched away from it without hesitation:
[global]
index-url=https://pypi.tuna.tsinghua.edu.cn/simple
[install]
trusted-host=pypi.tuna.tsinghua.edu.cn
pip mirrors in China
Aliyun http://mirrors.aliyun.com/pypi/simple/
University of Science and Technology of China https://pypi.mirrors.ustc.edu.cn/simple/
Douban http://pypi.douban.com/simple/
Tsinghua University https://pypi.tuna.tsinghua.edu.cn/simple/
University of Science and Technology of China http://pypi.mirrors.ustc.edu.cn/simple/