Free HTTPS certificates

Twenty-four years have passed since Netscape created the SSL protocol, and we are now at TLS 3.0. With the rapid growth of the Internet, the major companies have all moved to site-wide HTTPS. Riding that wave, I also tried out HTTPS and HTTP/2; this post shows how to issue a free certificate with Let's Encrypt.

Generating a Let's Encrypt certificate

Talk is cheap, show me the code:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone -d relottery.cn

When the command finishes, this message appears:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/relottery.cn/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/relottery.cn/privkey.pem
    Your cert will expire on 2018-04-18. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again. To non-interactively renew all of your
    certificates, run “letsencrypt-auto renew”

All done. The key and certificate files are generated in the /etc/letsencrypt/live/relottery.cn/ directory:

cert.pem - Apache server certificate
chain.pem - Apache root and intermediate certificates
fullchain.pem - the ssl_certificate file Nginx needs
privkey.pem - the certificate's private key file

I use nginx here, so I need the two files fullchain.pem and privkey.pem and configure them as follows:

ssl_certificate /etc/letsencrypt/live/relottery.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/relottery.cn/privkey.pem;

Attentive readers will have noticed that the message above says the certificate has a validity period (90 days). Renewing it by hand every time it expires would be silly, so show the code:

crontab -e

30 2 * * 1 /home/app/letsencrypt/letsencrypt/letsencrypt-auto renew
35 2 * * 1 /home/app/openresty/nginx/sbin/nginx -s reload

done.
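The two cron entries above reload nginx five minutes after the renewal run, whether or not anything was renewed and whether or not the renewal even succeeded. The script below is an added example, not code from the original post; it assumes the letsencrypt-auto and nginx paths from the crontab above and an installed openssl command-line tool. It checks that privkey.pem still matches fullchain.pem and is readable only by its owner, reports whether the certificate is inside certbot's 30-day renewal window, and hands the reload to certbot's --deploy-hook, which runs only after a certificate was actually renewed and only if `nginx -t` passes.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumptions: the
# letsencrypt-auto and nginx paths are the ones used in the post's crontab,
# and the openssl command-line tool is installed.

LE_AUTO=/home/app/letsencrypt/letsencrypt/letsencrypt-auto
NGINX=/home/app/openresty/nginx/sbin/nginx
LIVE_DIR=/etc/letsencrypt/live/relottery.cn

# Succeeds when the certificate in $1 expires within $2 days (or cannot be
# read at all). openssl's -checkend takes seconds and exits non-zero once the
# certificate will have expired by then, so no date parsing is needed.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when private key $1 belongs to certificate $2: derive the public
# key from each side and compare. Works for RSA and ECDSA keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when private key $1 has no group or other read bit. The files in
# live/ are symlinks into archive/, so -L follows them to the real file;
# POSIX find's -perm -mode matches when every listed bit is set.
privkey_perms_ok() {
    [ -z "$(find -L "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Pre-flight checks for the live directory, then renew. The deploy hook runs
# only for certificates certbot actually renewed, and reloads nginx only if
# the configuration still passes `nginx -t`, instead of reloading blindly.
renew_and_reload() {
    cert="$LIVE_DIR/fullchain.pem"
    key="$LIVE_DIR/privkey.pem"
    key_matches_cert "$key" "$cert" || {
        echo "key/cert mismatch in $LIVE_DIR, refusing to continue" >&2
        return 1
    }
    privkey_perms_ok "$key" || echo "warning: $key is readable by group/other" >&2
    if needs_renewal "$cert" 30; then
        echo "$cert expires within 30 days; certbot will renew it"
    else
        echo "$cert is valid for more than 30 days; certbot will skip it"
    fi
    "$LE_AUTO" renew --quiet \
        --deploy-hook "$NGINX -t && $NGINX -s reload"
}

# Only act when invoked as `renew-and-reload.sh --run`, so the functions can
# also be sourced and used on their own.
case "${1:-}" in
    --run) renew_and_reload ;;
esac
```

A single crontab line then replaces the two above, for example `30 2 * * 1 /home/app/renew-and-reload.sh --run` (the script path is an assumption); the mismatch check catches a privkey.pem that was replaced by hand without its certificate, which would otherwise only show up as nginx refusing to start.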

Problems encountered

/home/app/letsencrypt/letsencrypt/letsencrypt-auto renew
WARNING: unable to check for updates.
Creating virtual environment…
Installing Python packages…
Had a problem while installing Python packages.
pip prints the following errors:

Collecting argparse==1.4.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 11))

Downloading http://mirrors.aliyun.com/pypi/packages/f2/94/3af39d34be01a24a6e65433d19e107099374224905f1e0cc6bbe1fd22a2f/argparse-1.4.0-py2.py3-none-any.whl

Downloading http://mirrors.aliyun.com/pypi/packages/fd/21/0c6f33829fadec8aca0c1ebb4d6f8101c05899356a58d1b2e506cb77cf18/letsencrypt-0.7.0-py2-none-any.whl

Collecting certbot==0.21.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 206))

Could not find a version that satisfies the requirement certbot==0.21.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 206)) (from versions: 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.20.0)
No matching distribution found for certbot==0.21.0 (from -r /tmp/tmp.Xf3AdlgJol/letsencrypt-auto-requirements.txt (line 206))

Certbot has problem setting up the virtual environment.
We were not be able to guess the right solution from your pip
output.
Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/ .

I used to trust Alibaba Cloud's pip mirror quite a bit... sigh. Switched it without hesitation:

~/.pip/pip.conf
[global]
index-url=https://pypi.tuna.tsinghua.edu.cn/simple
[install]
trusted-host=pypi.tuna.tsinghua.edu.cn

pip mirrors in China

Alibaba Cloud http://mirrors.aliyun.com/pypi/simple/
USTC https://pypi.mirrors.ustc.edu.cn/simple/
Douban http://pypi.douban.com/simple/
Tsinghua University https://pypi.tuna.tsinghua.edu.cn/simple/
University of Science and Technology of China http://pypi.mirrors.ustc.edu.cn/simple/
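The pip.conf above pins an https index and also adds a trusted-host entry. That option exists for mirrors served over plain http (several in the list above are): it tells pip to accept the host without a valid TLS certificate, so next to an https index it gains nothing and quietly turns off certificate checking for that host. The small audit below is an added example, not part of the original post; it reads a pip.conf in the `key = value` layout pip uses and flags both cases. Its awk parser and the severity labels are my own choices.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a pip.conf for
# settings that weaken package download integrity. Assumes the plain
# `key = value` INI layout pip reads.

# Prints one finding per line and exits 1 if any package index is fetched
# over plain http. Two things are flagged:
#   FAIL  index-url / extra-index-url starting with http:// (package files
#         and index metadata can be altered in transit)
#   WARN  trusted-host entries, which make pip skip TLS certificate
#         verification for that host; only needed for http mirrors, and
#         a silent downgrade when placed next to an https index
audit_pip_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        BEGIN { bad = 0 }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*(index-url|extra-index-url)[ \t]*=/ {
            val = trim(substr($0, index($0, "=") + 1))
            n = split(val, urls, /[ \t]+/)           # extra-index-url may list several
            for (i = 1; i <= n; i++)
                if (urls[i] ~ /^http:\/\//) {
                    print "FAIL plaintext index " urls[i]
                    bad = 1
                }
        }
        /^[ \t]*trusted-host[ \t]*=/ {
            val = trim(substr($0, index($0, "=") + 1))
            print "WARN trusted-host " val " disables certificate verification for that host"
        }
        END { exit bad }
    ' "$1"
}
```

Run it as `audit_pip_conf ~/.pip/pip.conf`; it exits non-zero when any index is plain http, so a provisioning script can refuse to install packages until the mirror is switched to an https one, and the WARN line is the cue to drop trusted-host once that is done.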
