Let's Encrypt: a tutorial for the much-talked-about free SSL certificates

Date: 2023-01-08 19:22:29

In October 2015 I happened to see on Weibo that Let's Encrypt had launched its beta. For a programmer who had once been bled dry by HTTPS, this was big news. With the whole-site HTTPS trend, Let's Encrypt stands out: it will hit the traditional SSL certificate vendors hard and push the adoption of HTTPS to an unprecedented level.

Let's Encrypt is a free SSL certificate project run by the ISRG (Internet Security Research Group) and hosted by the Linux Foundation. It has impressive backing: it was founded by Mozilla, Cisco, Akamai, IdenTrust and the EFF, and is now supported and sponsored by Google, Facebook and other large companies. Its goal is to issue and manage certificates for websites free of charge and, through its own automated process, to remove the complexity of buying and installing certificates: a few commands generate a certificate and put it into service, so an http site can be turned into an https site in ten-odd minutes.

The rest of this post walks through using Let's Encrypt in practice.
Installing Let's Encrypt
1. Log in to the Linux server and clone the client (the repository has since been renamed certbot/certbot and the letsencrypt-auto wrapper is deprecated, but the URL still redirects there and the commands below are the ones used at the time):

 git clone https://github.com/letsencrypt/letsencrypt

Notes:

1) If git is reported as an unknown command, install it first: yum install git-all
2) On RedHat/CentOS 6, EPEL (Extra Packages for Enterprise Linux) must be installed beforehand: yum install epel-release
3) The host must be reachable from the Internet on the port the challenge uses, because the CA's validation servers connect back to it (the DVSNI/TLS-SNI challenge shown here validates over port 443; that challenge type has since been retired by Let's Encrypt, and the HTTP-01 challenge validates over port 80). Otherwise issuance fails with an error like this:

IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: on-img.com
  Type: urn:acme:error:connection
  Detail: Failed to connect to host for DVSNI challenge
  Domain: www.on-img.com
  Type: urn:acme:error:connection
  Detail: Failed to connect to host for DVSNI challenge

Tip: the firewall has to let that inbound validation connection through. The fix used here was to stop it altogether with: service iptables stop. The safer option is to leave the firewall running and open only the validation port (443 for the DVSNI/TLS-SNI challenge above, 80 for HTTP-01), and to close it again afterwards if the site does not otherwise need it.

2. Once the clone finishes, ls shows a new letsencrypt directory; enter it:

cd letsencrypt

3. Run the client, which installs its own dependencies on first start:

./letsencrypt-auto

You are then asked for the domain names (separate several names with spaces).
When the client prints "Congratulations!", the certificate has been issued.
The certificate is saved under /etc/letsencrypt/live/on-img.com/ (replace on-img.com with your own domain). That directory holds fullchain.pem (the certificate plus the intermediate chain), privkey.pem (the private key; it must stay readable by root only), cert.pem (the leaf certificate alone) and chain.pem (the intermediates alone).

Stage two: using the certificate
Under Apache, edit ssl.conf:

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.yourdomains.com:443
SSLEngine on
# replace factorydirectsale.de with the domain the certificate was issued for
SSLCertificateFile /etc/letsencrypt/live/factorydirectsale.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/factorydirectsale.de/privkey.pem
</VirtualHost>

What matters is the two file paths: fullchain.pem (the certificate together with the intermediate chain) and privkey.pem (the private key). Apache 2.4.8 and later reads the intermediates from fullchain.pem; older versions also need SSLCertificateChainFile pointing at chain.pem, otherwise clients without the intermediate cached will reject the chain. Then restart Apache.

Alternatively:
The certificate can also be issued without the interactive installer, using the webroot method:

./letsencrypt-auto certonly --email <email> -d <domain> --webroot -w </full/path/to/webroot> --agree-tos

For several domains add further -d <domain> arguments. Replace the e-mail address, domain and web root above; note that the web root is simply the site's document directory, i.e. the one in the virtual host configuration: root in an Nginx virtual host, DocumentRoot in an Apache one. The client writes a challenge file under <webroot>/.well-known/acme-challenge/, which the web server must serve over plain HTTP on port 80 for validation to succeed, so that path must not be blocked or redirected. Let's Encrypt certificates are valid for 90 days, so the issuance has to be repeated before expiry, for example with ./letsencrypt-auto renew (certbot renew in current versions) from cron.
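As an added illustration (not code from the original post or from the Let's Encrypt client) of what the --webroot method puts on disk: for each domain the ACME server hands the client a token, and the client must make http://<domain>/.well-known/acme-challenge/<token> return <token>.<thumbprint>, where the thumbprint is the RFC 7638 thumbprint of the ACME account's public key. The script below computes that key authorization and writes the challenge file into a webroot, refusing tokens that are not base64url before they touch a path. The account key and token are constructed stand-ins; only the standard library is used.

```python
"""
Added example: the HTTP-01 key authorization and challenge file that
`--webroot -w <dir>` relies on. Not part of the original post or client.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# ACME tokens are base64url strings. Anything else is refused *before* the
# token is joined into a filesystem path, so a hostile token such as
# "../../etc/cron.d/job" cannot write outside the webroot.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of a JSON object holding only the key
    type's required members, names sorted lexicographically, no whitespace.
    Optional members (kid, alg, use, ...) must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact response body the CA expects at the challenge URL."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token is not base64url: %r" % token)
    return "%s.%s" % (token, jwk_thumbprint(account_jwk))


def write_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Write the challenge file under the webroot (the directory given to -w)
    and return its path. Raises ValueError for a malformed token."""
    body = key_authorization(token, account_jwk)   # validates the token first
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


# Constructed stand-in for an ACME account key (public part only). Only the
# thumbprint is derived from it, so the modulus need not be a real RSA key.
DEMO_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),            # 2048 bits of constructed filler
    "kid": "https://acme.example/acct/1",      # optional member: not in the thumbprint
}


def demo(webroot: str = None) -> dict:
    """Write one challenge into a (temporary) webroot and read it back."""
    if webroot is None:
        webroot = tempfile.mkdtemp(prefix="acme-demo-")
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed token
    path = write_challenge(webroot, token, DEMO_ACCOUNT_JWK)
    with open(path, encoding="ascii") as fh:
        body = fh.read()
    return {"path": path,
            "relative": os.path.relpath(path, webroot).replace(os.sep, "/"),
            "body": body,
            "thumbprint": jwk_thumbprint(DEMO_ACCOUNT_JWK)}


if __name__ == "__main__":
    result = demo()
    print("wrote", result["path"])
    print("body ", result["body"])
```

The thumbprint routine can be checked against the test vector in RFC 7638 section 3.1. The token check is the part worth copying into any home-grown responder: the token is attacker-influenced input that ends up in a file name, so it is validated before the path is built, not after.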

See also: http://www.vpser.net/build/letsencrypt-free-ssl.html

How to configure nginx?
nginx.conf:

user  nginx;
worker_processes 2;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    # Compression settings
    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    # Some versions of IE 6 don't handle compression well on some mime-types,
    # so just disable it for them
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    # Set a Vary header so downstream proxies don't send cached gzipped
    # content to IE6
    gzip_vary on;
    # end gzip

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        # 'ssl' on the listen directive enables TLS for port 443 only; port 80
        # keeps serving plain HTTP from the same block (add a redirect to
        # https if the site should be HTTPS-only).
        listen 443 ssl;
        server_name www.kitchenunion.com;
        index index.html index.htm index.php;
        root /var/www/html;

        # The original configuration had 'ssl on;' here. That directive turns
        # every listener in the block into a TLS listener, so plain
        # http://www.kitchenunion.com on port 80 fails with "The plain HTTP
        # request was sent to HTTPS port". It is deprecated and unnecessary
        # next to 'listen 443 ssl', so it is dropped.
        ssl_certificate /etc/letsencrypt/live/www.kitchenunion.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.kitchenunion.com/privkey.pem;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        # The original also enabled TLSv1 and TLSv1.1, both deprecated
        # (RFC 8996). TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
        # on older builds keep just TLSv1.2.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # Front-controller rewrite (ThinkPHP style): any request that is not
        # an existing file or directory is handed to index.php.
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?s=$1 last;
        }


        # Note: this location also matches URIs such as /uploads/x.jpg/a.php.
        # With cgi.fix_pathinfo=1 in PHP and no security.limit_extensions in
        # PHP-FPM, an uploaded image could then be executed as PHP; keep
        # PHP-FPM's default security.limit_extensions = .php or set
        # cgi.fix_pathinfo=0.
        location ~ \.php(.*)$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            include fastcgi_params;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 30d;
        }

        location ~ .*\.(js|css)?$ {
            expires 1h;
        }
    }
}
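Since the nginx server block above is the kind of thing that gets copied between servers, here is an added example (not from the original post) of a small audit script that reads nginx server blocks and reports the TLS settings a reviewer would flag: the 'ssl on' plus port-80 combination, deprecated protocol versions, a leaf-only cert.pem instead of fullchain.pem, and a missing HSTS header. It runs here over a constructed copy of the post's server block as published, beside a hardened variant of the same site; audit_config() also accepts the text of a real nginx.conf. Standard library only; the hardened block's exact cipher list and HSTS max-age are choices made for this example, not settings from the post.

```python
"""
Added example, not part of the original post: audit nginx server blocks for
the TLS settings a security review would flag.
"""
import re
import shlex

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_server_blocks(text):
    """Return a list of server blocks, each a list of (directive, args) for
    the directives at the block's top level. Nested blocks (location, if)
    are skipped; the directives this audit cares about live at server level."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if current is None:
            if re.match(r"^server\s*\{$", line):
                current, depth = [], 1
            continue
        if depth == 1 and line.endswith(";"):
            parts = shlex.split(line[:-1])     # shlex handles quoted arguments
            if parts:
                current.append((parts[0], parts[1:]))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            blocks.append(current)
            current = None
    return blocks


def audit_server_block(directives):
    """Findings for one server block as (code, explanation) tuples."""
    findings = []
    listens = [args for name, args in directives if name == "listen"]
    tls_listen = any("ssl" in args for args in listens)
    plain_listen = any("ssl" not in args for args in listens)
    ssl_on = any(name == "ssl" and args == ["on"] for name, args in directives)
    if not (tls_listen or ssl_on):
        return findings                       # plain-HTTP block: nothing to audit
    if ssl_on and plain_listen:
        findings.append(("ssl-on-breaks-http",
                         "'ssl on' forces TLS on every listener in the block, so the "
                         "non-ssl listen (port 80) answers plain HTTP with an error; "
                         "drop it and keep 'listen 443 ssl'"))
    for name, args in directives:
        if name == "ssl_protocols":
            bad = sorted(set(args) & LEGACY_PROTOCOLS)
            if bad:
                findings.append(("legacy-protocol",
                                 "deprecated protocol versions enabled: " + ", ".join(bad)))
        elif name == "ssl_certificate" and args and args[0].endswith("/cert.pem"):
            findings.append(("chain-missing",
                             "cert.pem is the leaf only; clients lacking the intermediate "
                             "fail to validate. Use fullchain.pem"))
    has_hsts = any(name == "add_header" and args
                   and args[0].lower() == "strict-transport-security"
                   for name, args in directives)
    if not has_hsts:
        findings.append(("no-hsts",
                         "no Strict-Transport-Security header; browsers keep accepting "
                         "plain HTTP for this host"))
    return findings


def audit_config(text):
    """Findings for every server block in text as (block_index, code, explanation)."""
    return [(i, code, why)
            for i, block in enumerate(parse_server_blocks(text))
            for code, why in audit_server_block(block)]


# Constructed input 1: the TLS-relevant part of the post's server block, as published.
ORIGINAL_SERVER_BLOCK = r"""
server {
    listen 80;
    listen 443 ssl;
    server_name www.kitchenunion.com;
    root /var/www/html;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.kitchenunion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.kitchenunion.com/privkey.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php?s=$1 last;
    }
    location ~ \.php(.*)$ {
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

# Constructed input 2: the same site hardened. Port 80 only redirects, 'ssl on'
# is gone, only TLS 1.2/1.3 are offered, and HSTS is sent.
HARDENED_SERVER_BLOCK = r"""
server {
    listen 80;
    server_name www.kitchenunion.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.kitchenunion.com;
    root /var/www/html;
    ssl_certificate /etc/letsencrypt/live/www.kitchenunion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.kitchenunion.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_SERVER_BLOCK),
                        ("hardened", HARDENED_SERVER_BLOCK)):
        print(label)
        for idx, code, why in audit_config(conf) or [(None, "ok", "no findings")]:
            print("  block %s: %s: %s" % (idx, code, why))
```

The parser is deliberately line-based and only looks at top-level server directives, which is enough for these checks; it is not a full nginx grammar, so an ssl_protocols placed in the http block (inherited by every server) is not seen and should be checked there by hand.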