1. If the Python version is 2.6, first install argparse:
yum install python-argparse.noarch
2. Key step: download the script and its config file
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
chmod +x letsencrypt.sh
vi letsencrypt.conf
3. Configure
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="example.com.key"
DOMAIN_DIR="/var/www/example.com"
DOMAINS="DNS:example.com,DNS:whatever.example.com"
#ECC=TRUE
#LIGHTTPD=TRUE
The key files are generated automatically when the script runs. ACCOUNT_KEY is the Let's Encrypt account key, DOMAIN_KEY is the domain's private key, DOMAIN_DIR is the webroot the domain is served from (the HTTP-01 challenge files are placed under it, so it must be the directory the web server actually serves), and DOMAINS is the list of names to include in the certificate. Uncomment #ECC=TRUE if you want an ECC certificate, and uncomment #LIGHTTPD=TRUE if you need a combined pem file for lighttpd. Then run:
./letsencrypt.sh letsencrypt.conf
PS: if your domain's DNS is hosted in China, this step will very likely fail with an error like the one below; switching to GoDaddy's DNS is one workaround. The message itself means the script wrote the challenge file but could not fetch it back over plain HTTP at /.well-known/acme-challenge/ on your domain, so before retrying check that the path is really served out of DOMAIN_DIR on port 80:
ValueError: Wrote file to /home/xxx/www/challenges/oJbvpIhkwkBGBAQUklWJXyC8VbWAdQqlgpwUJkgC1Vg, but couldn't download http://www.yoursite.com/.well-known/acme-challenge/oJbvpIhkwkBGBAQUklWJXyC8VbWAdQqlgpwUJkgC1Vg
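A preflight check for exactly that failure, added here as an example (it is not part of the page or of the xdtianyu script). It reads the same DOMAIN_DIR and DOMAINS variables from letsencrypt.conf, drops a random token into DOMAIN_DIR/.well-known/acme-challenge/, fetches it over http:// from every listed host the way the ACME validator would, and reports which hosts serve it. The FETCH command and the file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the page or the xdtianyu script: verify that every
# host in DOMAINS serves files placed under DOMAIN_DIR/.well-known/acme-challenge/.

# parse_domains "DNS:a.com,DNS:b.a.com" -> "a.com b.a.com"
parse_domains() {
    printf '%s' "$1" | tr ',' '\n' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ *$//'
}

# Command used to fetch a URL and print its body. -L follows the 80->443
# redirect that the nginx config later on this page sets up (Let's Encrypt's
# HTTP-01 validation follows redirects as well). Overridable for testing.
FETCH=${FETCH:-"curl -fsSL --max-time 10"}

# probe_domain WEBROOT HOST: return 0 if HOST serves a token file written into
# WEBROOT's ACME challenge directory, 1 otherwise. The token file is removed afterwards.
probe_domain() {
    webroot=$1; host=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s' "$token" > "$dir/$token"
    got=$($FETCH "http://$host/.well-known/acme-challenge/$token" 2>/dev/null || true)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Usage: sh preflight.sh letsencrypt.conf   (run on the web server itself)
if [ $# -gt 0 ]; then
    . "$1"
    for h in $(parse_domains "$DOMAINS"); do
        if probe_domain "$DOMAIN_DIR" "$h"; then
            echo "ok    $h"
        else
            echo "FAIL  $h  (check root vs DOMAIN_DIR, the /.well-known location, DNS and port 80)"
        fi
    done
fi
```

A passing probe only proves the path is reachable from where you run it; the Let's Encrypt validators fetch from outside, so DNS and firewall problems can still make the real run fail. It does catch the most common cause, a webroot that does not match what nginx serves.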
Add the SSL-related configuration in nginx (these lines go inside the server { } block; the comments mark the points worth checking):
listen 80;
listen 443 ssl http2;
server_name www.example.com example.com;
index index.html;
root /home/www;
# Redirect plain HTTP to HTTPS. $server_name is the first name listed above,
# so a request for example.com is sent to https://www.example.com/ as well.
if ($server_port = 80) {
    return 301 https://$server_name$request_uri;
}
# TLSv1 and TLSv1.1 are deprecated; on nginx 1.13+ with OpenSSL 1.1.1 use
# "ssl_protocols TLSv1.2 TLSv1.3;". The 3DES suites only exist for legacy clients.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Chained certificate and private key written by letsencrypt.sh. nginx will not
# start while these files are missing, so for the very first issuance it must
# run without the 443 listener and the ssl_* lines.
ssl_certificate /ssl/example.chained.crt;
ssl_certificate_key /ssl/example.com.key;
location / {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    try_files $uri $uri/ /index.php?$args;
}
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires 30d;
    access_log off;
    # Hotlink protection: only serve images to our own pages (and WeChat)
    set $local yes;
    valid_referers none *.example.com mp.weixin.qq.com;
    if ($invalid_referer) {
        set $local no;
    }
    if ($local = no) {
        return 404;
    }
}
# The original pattern ".*\.(js|css)?$" had a stray "?" that also matched any URI ending in a dot
location ~ \.(js|css)$ {
    expires 12h;
    access_log off;
}
# Keep the ACME challenge path reachable for certificate issuance. The files are
# served from "root" above, so DOMAIN_DIR in letsencrypt.conf must be that same
# directory (/home/www here), or put a "root <DOMAIN_DIR>;" inside this location.
# The 80->443 redirect applies to this path too; Let's Encrypt follows it.
location ~ /.well-known {
    allow all;
}
error_page 404 = /404.html;
access_log /home/wwwlogs/www.example.com_access.log access;
Note: nginx supports HTTP/2 from version 1.9.5, and it must have been built with --with-http_v2_module. If your site does not show up in Chrome's chrome://net-internals/#http2 page, one possible cause is that nginx was compiled against too old an OpenSSL: HTTP/2 in Chrome is negotiated via ALPN, which needs OpenSSL 1.0.2 or later.
More details on HTTP/2 support:
https://zhangge.net/5114.html
http://www.jackieathome.net/archives/437.html
Verify that HTTP/2 is in effect
1. Check whether the local curl supports HTTP/2: HTTP2 must appear in the Features line of curl -V. The 7.19.7 build shown below (the stock curl on RHEL/CentOS 6) lacks it:
curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
2. If it does not, upgrade curl from the City Fan repository (a third-party repo for RHEL/CentOS). Create /etc/yum.repos.d/city-fan.repo with the content below. Be aware that gpgcheck=0 disables package signature checking and the baseurl is plain HTTP, so packages from this mirror are installed unverified; if you keep the repo, turn gpgcheck back on with the repository's signing key and disable the repo again after the upgrade.
Content:
[CityFan]
name=City Fan Repo
baseurl=http://nervion.us.es/city-fan/yum-repo/rhel$releasever/$basearch/
enabled=1
gpgcheck=0
yum clean all
yum -y update curl libcurl
3. Verify: the response headers should begin with an HTTP/2 status line (HTTP/2 200) rather than HTTP/1.1:
curl --http2 https://so.taoerqu.com -i
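The three prerequisites above (nginx built with http_v2_module, OpenSSL 1.0.2+ for ALPN, curl with HTTP2 support) can be checked in one go. This script is an added example, not part of the page; its functions take the tool output on stdin or as an argument so they can be applied to saved output, and the bottom runs them against the local system when the tools exist.

```shell
#!/bin/sh
# Added example, not part of the page: check HTTP/2 prerequisites on a
# CentOS/RHEL host running nginx.

# curl_has_http2: read `curl -V` output on stdin; 0 if the Features line lists HTTP2
curl_has_http2() {
    grep -E '^Features:.* HTTP2( |$)' >/dev/null
}

# nginx_has_http2: read `nginx -V` output on stdin; 0 if the build includes
# --with-http_v2_module among its configure arguments
nginx_has_http2() {
    grep -q -- '--with-http_v2_module'
}

# nginx_openssl_version: read `nginx -V` output on stdin and print the version
# from its "built with OpenSSL x.y.z" line (e.g. 1.0.2k)
nginx_openssl_version() {
    sed -n 's/.*built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# openssl_version_ok VERSION: 0 if VERSION is 1.0.2 or newer, the first release
# with ALPN, which Chrome requires to negotiate HTTP/2
openssl_version_ok() {
    echo "$1" | awk -F. '{ v = $1 * 10000 + $2 * 100 + ($3 + 0); exit (v >= 10002) ? 0 : 1 }'
}

# Report on the local system (nginx -V prints to stderr, hence 2>&1)
if command -v nginx >/dev/null 2>&1; then
    out=$(nginx -V 2>&1)
    printf '%s\n' "$out" | nginx_has_http2 && echo "nginx: http_v2_module present" || echo "nginx: built WITHOUT http_v2_module"
    v=$(printf '%s\n' "$out" | nginx_openssl_version)
    openssl_version_ok "${v:-0}" && echo "nginx: OpenSSL $v ok for ALPN" || echo "nginx: OpenSSL ${v:-unknown} too old for ALPN"
fi
if command -v curl >/dev/null 2>&1; then
    curl -V | curl_has_http2 && echo "curl: HTTP2 supported" || echo "curl: no HTTP2 support, upgrade it"
fi
```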
Cron job to renew the certificate
Renew automatically once a month (Let's Encrypt certificates are valid for 90 days). Add a service nginx reload or equivalent at the end of the script so the renewed certificate is actually loaded; a reload is enough, a restart is not needed.
0 0 1 * * /etc/nginx/certs/letsencrypt.sh /etc/nginx/certs/letsencrypt.conf >> /var/log/lets-encrypt.log 2>&1
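Instead of editing the downloaded script (which a later wget would overwrite), the cron entry can call a small wrapper. The one below is an added example, not part of the page or of the xdtianyu script: it runs letsencrypt.sh, then reloads nginx only if the certificate file actually changed and nginx -t still passes, so a broken renewal never takes the site down. CERT_FILE, SCRIPT_DIR and NGINX_BIN are assumptions of this example; point them at the paths used on your host.

```shell
#!/bin/sh
# Added example, not part of the page or the xdtianyu script: renewal wrapper
# for cron. Usage: renew.sh letsencrypt.conf

SCRIPT_DIR=${SCRIPT_DIR:-/etc/nginx/certs}           # where letsencrypt.sh and its conf live (assumed)
CERT_FILE=${CERT_FILE:-/ssl/example.chained.crt}     # the ssl_certificate path from the nginx config (assumed)
NGINX_BIN=${NGINX_BIN:-nginx}                        # overridable for testing

# file_digest FILE: print a checksum of FILE, or "missing" if it does not exist
file_digest() {
    if [ -f "$1" ]; then
        cksum < "$1" | awk '{ print $1 }'
    else
        echo missing
    fi
}

# reload_if_changed BEFORE FILE: compare FILE's current digest with BEFORE.
#   unchanged                      -> no reload, return 0
#   changed and `nginx -t` passes  -> reload, return 0
#   changed but `nginx -t` fails   -> no reload, return 1 (cron logs the failure)
reload_if_changed() {
    before=$1; file=$2
    after=$(file_digest "$file")
    if [ "$before" = "$after" ]; then
        echo "certificate unchanged, nginx not reloaded"
        return 0
    fi
    if ! "$NGINX_BIN" -t >/dev/null 2>&1; then
        echo "certificate changed but nginx -t FAILED, not reloading" >&2
        return 1
    fi
    "$NGINX_BIN" -s reload && echo "certificate changed, nginx reloaded"
}

if [ $# -gt 0 ]; then
    before=$(file_digest "$CERT_FILE")
    (cd "$SCRIPT_DIR" && ./letsencrypt.sh "$1") || { echo "letsencrypt.sh failed" >&2; exit 1; }
    reload_if_changed "$before" "$CERT_FILE"
fi
```

With the wrapper saved as /etc/nginx/certs/renew.sh, the cron line becomes 0 0 1 * * /etc/nginx/certs/renew.sh letsencrypt.conf >> /var/log/lets-encrypt.log 2>&1.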
References:
https://github.com/xdtianyu/scripts/tree/master/lets-encrypt
http://www.chinaz.com/web/2015/1221/486106_2.shtml
https://imququ.com/post/letsencrypt-certificate.html
https://community.centminmod.com/threads/letsencrypt-ssl-certificates-and-windows-xp-workarounds.5272/page-2