WishMeLz

Life is actually quite interesting

Tutorial: deploying a free Let's Encrypt SSL certificate

yum install -y epel-release
yum install -y certbot

Generate the certificate

certbot certonly --webroot -w [web root directory] -d [site domain] -m [contact email address] --agree-tos

For example:

certbot certonly --webroot -w /app/itsse -d itsse.cn -m main@itsse.cn --agree-tos

Once the request succeeds, the certificate is saved under /etc/letsencrypt/live/itsse.cn/

Check the validity period
openssl x509 -noout -dates -in /etc/letsencrypt/live/itsse.cn/cert.pem

Automatic renewal

# Renew the certificate (--dry-run only tests the renewal and changes nothing)
certbot renew --dry-run

# If you don't need the output, run it quietly
certbot renew --quiet

crontab -e

00 05 01 * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Run crontab -l to confirm that the crontab entry was created successfully.
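Added example (not from the original post), in Python: it parses the output of the openssl x509 -noout -dates command shown above and simulates the 00 05 01 * * cron entry against certbot's default 30-day renewal threshold, reporting how much validity is left when a renewal actually fires. The certificate dates are constructed, and the twice-daily schedule it compares against is the one certbot's own documentation suggests.

```python
"""Added example (not from the original post): parse `openssl x509 -noout -dates`
output and simulate whether a cron schedule runs `certbot renew` in time."""
from datetime import datetime, timedelta, timezone

# Constructed sample output of `openssl x509 -noout -dates -in cert.pem` (90-day cert)
SAMPLE_DATES = """notBefore=Mar  2 05:10:00 2024 GMT
notAfter=May 31 05:10:00 2024 GMT
"""

RENEW_WITHIN = timedelta(days=30)  # certbot's default: renew when <30 days remain


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) from the openssl output as aware UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def parse(value):
        # openssl pads single-digit days with two spaces; collapse the whitespace
        stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
        return stamp.replace(tzinfo=timezone.utc)

    return parse(fields["notBefore"]), parse(fields["notAfter"])


def cron_runs(start, end, hours, day_of_month=None, minute=0):
    """Fire times in [start, end) of a cron line `MM HH[,HH] DD * *`;
    day_of_month=None models `*` (run every day)."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day_of_month is None or day.day == day_of_month:
            for hour in hours:
                t = day.replace(hour=hour, minute=minute)
                if start <= t < end:
                    yield t
        day += timedelta(days=1)


def renewal_margin_hours(dates_text, hours, day_of_month=None, minute=0):
    """Simulate `certbot renew` under the schedule from notBefore onwards and return
    the hours of validity left at the first run that renews (remaining lifetime
    below RENEW_WITHIN), or None if the certificate expires before that happens."""
    not_before, not_after = parse_openssl_dates(dates_text)
    for t in cron_runs(not_before, not_after, hours, day_of_month, minute):
        if not_after - t < RENEW_WITHIN:
            return (not_after - t) / timedelta(hours=1)
    return None


if __name__ == "__main__":
    # The post's `00 05 01 * *` entry versus the twice-daily run certbot's docs suggest
    print("monthly (00 05 01 * *):", renewal_margin_hours(SAMPLE_DATES, [5], 1))
    print("twice daily (0 0,12 * * *):", renewal_margin_hours(SAMPLE_DATES, [0, 12]))
```

For the constructed dates the monthly entry never renews before expiry (the May 1 run still sees 30 days and 10 minutes left, and the next run is after expiry), while the twice-daily schedule renews with roughly 29.7 days to spare.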

Generate Perfect Forward Secrecy (PFS) parameters

mkdir /etc/ssl/private/ -p
cd /etc/ssl/private/
openssl dhparam -out dhparam.pem 2048

Configure Nginx

server {
    listen       80;
    server_name  itsse.cn;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen       443 ssl;
    server_name  itsse.cn;
    index        index.html index.htm index.php;
    root         /app/itsse;
    ssl_certificate     /etc/letsencrypt/live/itsse.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/itsse.cn/privkey.pem;
    ssl_dhparam         /etc/ssl/private/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}