Deploying a free Let's Encrypt SSL certificate with Certbot to enable HTTPS
Free SSL certificates
Let's Encrypt is a free, automated, and open Certificate Authority.
Steps
Prerequisites
- A server
- A domain name
- A website that is reachable from the Internet
Download Certbot
Let's Encrypt is the certificate authority; the tool you actually use is Certbot, which you download from its official site before starting.
This guide uses nginx on CentOS 6, with example.com as the domain.
cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Run Certbot
./certbot-auto
Certbot requires Python 2.7 or later; for details, see "Upgrading Python 2.6 to 2.7 on CentOS 6.4".
If the installation fails with output like:
reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
running build_ext
generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
creating build/temp.linux-x86_64-2.7
generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
building '_openssl' extension
creating build/temp.linux-x86_64-2.7/build
creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
gcc -pthread -fno-strict-aliasing -g -O2 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -fPIC -I/usr/local/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
build/temp.linux-x86_64-2.7/_openssl.c:1976: 警告:函数声明不是一个原型
gcc: 内部错误:已杀死 (程序 cc1)
请提交一份完整的错误报告。
具体步骤请参见 <http://bugzilla.redhat.com/bugzilla>。
error: command 'gcc' failed with exit status 1
first check the kernel log:
dmesg | tail
[26925] 500 26925 26581 114 0 0 0 certbot-auto
[26949] 500 26949 26580 121 0 0 0 certbot-auto
[27015] 500 27015 26580 116 0 0 0 certbot-auto
[27016] 500 27016 60474 8155 0 0 0 pip
[27096] 500 27096 54072 5455 0 0 0 python2.7
[27099] 500 27099 25457 39 0 0 0 gcc
[27100] 500 27100 81347 51043 0 0 0 cc1
[27101] 0 27101 4015 451 0 0 0 sampler.py
Out of memory: Kill process 27100 (cc1) score 200 or sacrifice child
Killed process 27100, UID 500, (cc1) total-vm:325388kB, anon-rss:204112kB, file-rss:60kB
Check whether the output contains "Out of memory". If it does, the machine has too little RAM, and a swap partition can be used to "extend" its memory.
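The check above, plus the swap remedy, as an added example (not part of the original post). The dmesg lines are constructed from the snippet in the post; the swap size and path are assumptions, and add_swapfile must run as root.

```bash
#!/bin/bash
# Added example: detect an OOM kill in dmesg output and, if needed,
# add a swap file on a small VPS. Not from the original post.

# Constructed sample, taken from the dmesg excerpt in the post.
SAMPLE_DMESG='[27100]   500 27100    81347    51043   0       0             0 cc1
Out of memory: Kill process 27100 (cc1) score 200 or sacrifice child
Killed process 27100, UID 500, (cc1) total-vm:325388kB, anon-rss:204112kB, file-rss:60kB'

# has_oom: exit 0 if the dmesg text on stdin contains an "Out of memory" line.
has_oom() {
    grep -q 'Out of memory'
}

# oom_killed_process: print the name of the process the OOM killer terminated,
# reading dmesg-style text on stdin; prints nothing if there was no OOM kill.
oom_killed_process() {
    sed -n 's/.*Killed process [0-9]*, UID [0-9]*, (\([^)]*\)).*/\1/p' | head -n 1
}

# add_swapfile SIZE_MB [PATH]: create and enable a swap file (root required).
# chmod 600 matters: swap can end up holding memory contents such as private keys,
# so the file must not be readable by other users.
add_swapfile() {
    size_mb=$1
    path=${2:-/swapfile}   # assumed default location
    dd if=/dev/zero of="$path" bs=1M count="$size_mb"
    chmod 600 "$path"
    mkswap "$path"
    swapon "$path"
    # Persist across reboots, without adding a duplicate fstab entry.
    grep -q "^$path " /etc/fstab || echo "$path none swap sw 0 0" >> /etc/fstab
}

# Demonstration on the constructed sample: prints "cc1".
printf '%s\n' "$SAMPLE_DMESG" | oom_killed_process

# On a real machine:  dmesg | tail -n 50 | has_oom && add_swapfile 1024
```

With 1 GB of swap the cryptography build that cc1 was killed on completes on a 512 MB VPS, though the build is slow; remove the swap file afterwards if you do not want it permanently.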
Normally Certbot downloads and installs the packages it needs automatically; just agree to the prompts.
If it hangs at "Installing Python packages", switch pip to a domestic (Chinese) mirror:
vim ~/.pip/pip.conf
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
Once the downloads finish, you can issue the certificate:
./certbot-auto certonly --webroot -w /path/to/website/webroot -d example.com
A few interactive prompts appear; they are all self-explanatory.
If issuance fails, your site is probably not reachable from the Internet; fix that and try again.
After issuance completes:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2017-02-27. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
nginx configuration
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
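A fuller server configuration built around those three directives, as an added example that is not from the original post. It assumes the webroot from the certonly command above (/path/to/website/webroot) and an nginx build with the ssl and http2 modules; drop TLSv1.3 if your nginx or OpenSSL predates it (stock CentOS 6 OpenSSL does). The point of the extra lines: the ACME challenge path must stay reachable over plain HTTP or webroot renewals break once you redirect to HTTPS, and chain.pem is what lets nginx verify the OCSP responses it staples.

```nginx
# Added example, not part of the original post.
server {
    listen 80;
    server_name example.com;

    # Keep the ACME challenge path on plain HTTP so "certbot-auto renew"
    # (webroot plugin) still works after the redirect below.
    location ^~ /.well-known/acme-challenge/ {
        root /path/to/website/webroot;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com;
    root /path/to/website/webroot;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # chain.pem is the issuer chain; nginx uses it to verify stapled OCSP responses.
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 1.1.1.1 valid=300s;   # needed for OCSP fetches; use your own resolver

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Enable HSTS only once every host you serve under this name works over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

Run nginx -t before reloading; a typo in any of these directives otherwise takes the site down on the next reload.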
Periodic renewal
First do a dry-run renewal:
./certbot-auto renew --dry-run
A successful test looks like this:
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
In a directory of your choice, write the renewal script and save it as renew-cert.sh:
#!/bin/bash
# Renew any certificate that is close to expiry
/usr/local/bin/certbot-auto renew --quiet
# Reload nginx so it picks up the renewed certificate
/usr/sbin/nginx -s reload
Run the renewal at 03:00 on the 1st of every month:
crontab -e
00 03 1 * * /path/to/renew-cert.sh
service crond restart
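A more defensive version of the renewal script, as an added example that is not the post's own script. It uses the certbot-auto, nginx and certificate paths from the post; the log file location is an assumption. It differs from the short script above in three ways: a failed renewal is logged instead of silently ignored, nginx is reloaded only when fullchain.pem actually changed, and the reload is skipped if nginx -t fails, so a renewal can never bring the site down with a broken config.

```bash
#!/bin/bash
# renew-cert.sh: added example, not the post's own script.
# Renews with certbot-auto, then reloads nginx only when the certificate
# file actually changed and the nginx configuration still passes `nginx -t`.

CERTBOT=/usr/local/bin/certbot-auto
NGINX=/usr/sbin/nginx
FULLCHAIN=/etc/letsencrypt/live/example.com/fullchain.pem
LOG=/var/log/renew-cert.log   # assumed log location

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOG"
}

# fingerprint FILE: SHA-256 of FILE, or "missing" if it does not exist,
# so a first run with no certificate yet still compares cleanly.
fingerprint() {
    if [ -f "$1" ]; then
        sha256sum "$1" | awk '{print $1}'
    else
        echo missing
    fi
}

# cert_changed BEFORE AFTER: true when the two fingerprints differ.
cert_changed() {
    [ "$1" != "$2" ]
}

main() {
    before=$(fingerprint "$FULLCHAIN")

    # --quiet: only errors are printed; --no-self-upgrade: stop the cron run
    # from triggering a certbot-auto self-update.
    if ! "$CERTBOT" renew --quiet --no-self-upgrade >> "$LOG" 2>&1; then
        log "ERROR: certbot-auto renew failed; see output above"
        exit 1
    fi

    after=$(fingerprint "$FULLCHAIN")
    if ! cert_changed "$before" "$after"; then
        log "no certificate change, nginx not reloaded"
        exit 0
    fi

    # Never reload into a broken configuration: test it first.
    if "$NGINX" -t >> "$LOG" 2>&1; then
        "$NGINX" -s reload && log "certificate renewed, nginx reloaded"
    else
        log "ERROR: certificate renewed but nginx -t failed; reload skipped"
        exit 1
    fi
}

# Run main only when executed as renew-cert.sh, so the helpers above can
# also be sourced from other scripts or tests.
case "${0##*/}" in
    renew-cert.sh) main "$@" ;;
esac
```

Because certbot-auto renew only acts on certificates within 30 days of expiry, running it often is harmless; Certbot's own documentation suggests twice a day, for example `0 3,15 * * * /path/to/renew-cert.sh`, which leaves far more slack than a once-a-month run if Let's Encrypt or your server happens to be down on renewal day.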
References