Free SSL Certificates

Let's Encrypt is a free, automated, and open Certificate Authority.

Steps

Preparation

  • A server
  • A domain name
  • A website that is reachable from the internet

Download Certbot

Let's Encrypt is the Certificate Authority; the tool you actually run is Certbot, which you need to download from its official site before use.

This walkthrough uses nginx on CentOS 6, with example.com as the domain.

cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Run Certbot

./certbot-auto

This requires Python 2.7 or later; for details see "CentOS 6.4: upgrading Python 2.6 to 2.7".

If the installation fails with:

reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
running build_ext
generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
creating build/temp.linux-x86_64-2.7
generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
building '_openssl' extension
creating build/temp.linux-x86_64-2.7/build
creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
gcc -pthread -fno-strict-aliasing -g -O2 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -fPIC -I/usr/local/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
build/temp.linux-x86_64-2.7/_openssl.c:1976: 警告:函数声明不是一个原型
gcc: 内部错误:已杀死 (程序 cc1)
请提交一份完整的错误报告。
具体步骤请参见 <http://bugzilla.redhat.com/bugzilla>。
error: command 'gcc' failed with exit status 1

First check the kernel log:

dmesg | tail

[26925]   500 26925    26581      114   0       0             0 certbot-auto
[26949]   500 26949    26580      121   0       0             0 certbot-auto
[27015]   500 27015    26580      116   0       0             0 certbot-auto
[27016]   500 27016    60474     8155   0       0             0 pip
[27096]   500 27096    54072     5455   0       0             0 python2.7
[27099]   500 27099    25457       39   0       0             0 gcc
[27100]   500 27100    81347    51043   0       0             0 cc1
[27101]     0 27101     4015      451   0       0             0 sampler.py
Out of memory: Kill process 27100 (cc1) score 200 or sacrifice child
Killed process 27100, UID 500, (cc1) total-vm:325388kB, anon-rss:204112kB, file-rss:60kB

Check whether the output contains "Out of memory". If it does, the machine does not have enough RAM to compile the cryptography extension; you can add a swap partition or swap file to extend the available memory.
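The check and the swap-file fix, as an added example that is not part of the original post. Function and variable names are my own, the sample log is constructed from the dmesg lines shown above, and creating the swap file requires root.

```bash
#!/bin/bash
# Usage: ./oom-swap-check.sh --check   (report only)
#        ./oom-swap-check.sh --apply   (also create a 1 GiB swap file; run as root)
set -u

# Exit 0 if the kernel log text on stdin contains an OOM-killer event.
has_oom_kill() {
    grep -q 'Out of memory: Kill process'
}

# Print the name of the process the OOM killer chose, e.g. "cc1".
oom_victim() {
    sed -n 's/.*Out of memory: Kill process [0-9]* (\([^)]*\)).*/\1/p' | head -n 1
}

# Print the anon-rss of the killed process in kB (from the "Killed process" line).
oom_victim_anon_rss_kb() {
    sed -n 's/.*Killed process [0-9]*.*anon-rss:\([0-9]*\)kB.*/\1/p' | head -n 1
}

# Create and enable a swap file (root). dd is used instead of fallocate because
# the old CentOS 6 kernel does not accept fallocate-created swap files.
create_swapfile() {
    local path=${1:-/swapfile} size_mb=${2:-1024}
    dd if=/dev/zero of="$path" bs=1M count="$size_mb"
    chmod 600 "$path"            # swap contents must not be readable by other users
    mkswap "$path"
    swapon "$path"
    grep -q "^$path " /etc/fstab || echo "$path none swap sw 0 0" >> /etc/fstab
}

# Constructed sample, modelled on the dmesg output quoted above.
SAMPLE_DMESG='[27100]   500 27100    81347    51043   0       0             0 cc1
Out of memory: Kill process 27100 (cc1) score 200 or sacrifice child
Killed process 27100, UID 500, (cc1) total-vm:325388kB, anon-rss:204112kB, file-rss:60kB'

case "${1:-}" in
  --check|--apply)
    log=$(dmesg)
    if printf '%s\n' "$log" | has_oom_kill; then
        echo "OOM killer hit: $(printf '%s\n' "$log" | oom_victim)"
        [ "$1" = --apply ] && create_swapfile
    else
        echo "no OOM-killer event in dmesg"
    fi ;;
esac
```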

Normally Certbot downloads and installs the packages it needs automatically; just confirm the prompts.

If it hangs at "Installing Python packages", point pip at a mirror in China. Prefer an https URL for the mirror where one is available: trusted-host tells pip to accept the index without TLS verification, so packages fetched over plain http can be altered in transit.

vim ~/.pip/pip.conf

[global]
index-url = http://mirrors.aliyun.com/pypi/simple/

[install]
trusted-host=mirrors.aliyun.com

Once the download finishes, you can issue the certificate:

./certbot-auto certonly --webroot -w /path/to/website/webroot -d example.com

Some interactive prompts follow; they are all straightforward.

If issuance fails, your site is probably not reachable from the internet (the webroot challenge must be fetchable over HTTP); fix that and run the command again.

After issuance completes:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-02-27. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

nginx configuration

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

Periodic renewal

First run a renewal test:

./certbot-auto renew --dry-run

On success:

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

In a directory of your choice, write the renewal script and save it as renew-cert.sh:

#!/bin/bash

# Renew any certificate that is close to expiry
/usr/local/bin/certbot-auto renew --quiet

# Reload nginx so it picks up the new certificate files
/usr/sbin/nginx -s reload

Run the renewal at 03:00 on the 1st of every month (certbot renew only replaces certificates that are within 30 days of expiry, so running it more often, for example daily, is harmless and leaves more margin):

crontab -e
00 03 1 * *  /path/to/renew-cert.sh   # use the absolute path of the directory you chose above
service crond restart

References