Install the latest certbot from the official source (the latest version is 0.22.0, and wildcard certificates are only supported from 0.22.0 onwards; installing from Debian's repository is not recommended, as it is rarely updated and still stuck at 0.10):
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
Initialize:
./certbot-auto
Because most Chinese DNS providers are not on the list supported by certbot's DNS API plugins, DNS validation is done manually as shown below; just replace *.minirplus.com in the command with your own domain:
./certbot-auto certonly --manual -d *.minirplus.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Note! The DNS record for minirplus.com must be an A record pointing to the IP of the server that runs the command; a CNAME record cannot be used, otherwise validation fails with the following error:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: minirplus.com
Type: connection
Detail: DNS problem: SERVFAIL looking up TXT for
_acme-challenge.minirplus.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
After running the command, you are asked for an email address, which is used to receive certificate expiry notices:
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Next comes an advertisement, roughly asking whether your email address may be shared with the sponsor; either Y or N works:
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:
Now the important part: add a TXT record in DNS for the name with the _acme-challenge prefix, with the random code shown in the middle of the prompt as its value: xVloe7V1kMEd2ZlOLlUxv-HltYfTDaMhrrwKjFU47DU
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.minirplus.com with the following value:
xVloe7V1kMEd2ZlOLlUxv-HltYfTDaMhrrwKjFU47DU
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Then make sure the root record of the domain, minirplus.com, is an A record pointing to the current server's IP (normally this is not an issue, because foreign providers only allow A records at the root domain; the Chinese provider DNSPod is more flexible and also allows CNAME records there, which causes problems during validation).
Press Enter to start validation.
After a moment the following message appears, which means validation succeeded.
Once issuance succeeds, the certificate storage path and the expiry date (90 days) are printed:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/minirplus.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/minirplus.com/privkey.pem
Your cert will expire on 2018-06-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
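Before pressing Enter at the "verify the record is deployed" prompt, it helps to confirm that public resolvers already return the TXT record and that the apex is still an A record, as the post requires. The following script is an added example, not part of the original post; it assumes dig is installed, takes the domain and token as arguments, and uses the post's minirplus.com and its token as defaults.

```shell
#!/bin/sh
# Pre-flight check for the manual dns-01 challenge (added example, not from the post).
# Usage: DNS01_LIVE=1 ./dns01-check.sh DOMAIN TOKEN  -- defaults are the post's values.
DOMAIN="${1:-minirplus.com}"
TOKEN="${2:-xVloe7V1kMEd2ZlOLlUxv-HltYfTDaMhrrwKjFU47DU}"
RESOLVERS="8.8.8.8 1.1.1.1"   # public resolvers to ask; adjust to taste

# txt_has_token TOKEN ANSWERS: dig +short prints each TXT value quoted on its own
# line; strip the quotes and require a whole-line, fixed-string match.
txt_has_token() {
  printf '%s\n' "$2" | tr -d '"' | grep -qxF "$1"
}

# apex_is_a_record CNAME_ANSWER A_ANSWER: the post requires the apex name to be
# an A record; any CNAME answer, or no A answer at all, fails the check.
apex_is_a_record() {
  [ -z "$1" ] && [ -n "$2" ]
}

check_ready() {
  status=0
  for ns in $RESOLVERS; do
    answers=$(dig +short TXT "_acme-challenge.$DOMAIN" "@$ns" 2>/dev/null)
    if txt_has_token "$TOKEN" "$answers"; then
      echo "ok:   $ns returns the challenge token"
    else
      echo "wait: $ns does not return the token yet (got: ${answers:-nothing})"
      status=1
    fi
  done
  cname=$(dig +short CNAME "$DOMAIN" 2>/dev/null)
  a=$(dig +short A "$DOMAIN" 2>/dev/null)
  if apex_is_a_record "$cname" "$a"; then
    echo "ok:   $DOMAIN is an A record -> $(echo "$a" | head -n1)"
  else
    echo "fail: $DOMAIN must be an A record (CNAME: ${cname:-none}, A: ${a:-none})"
    status=1
  fi
  return $status
}

# Live lookups only run when explicitly requested, so the functions above can
# also be sourced and exercised offline.
if [ "${DNS01_LIVE:-0}" = 1 ]; then
  check_ready
fi
```

Run it from the server and press Enter in certbot only once every line reports ok.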
(example.com is used as the example below)
Generating the certificate creates the /etc/letsencrypt folder; the certificate files are stored by default in the /etc/letsencrypt/live/example.com folder, where example.com is taken from the first domain.
The example.com folder contains 4 files: ./cert.pem ./chain.pem ./fullchain.pem ./privkey.pem
Create a 2048-bit Diffie-Hellman parameter file (nginx uses 1024-bit Diffie-Hellman for key exchange by default, which is too weak):
openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048
(example.com is used as the example)
First, 301-redirect the http protocol to https:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
(example.com is used as the example)
server {
listen 443 ssl;
server_name example.com www.example.com;
# path of the site's certificate file
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# the certificate's private key
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# path of the Diffie-Hellman parameter file used for key exchange
ssl_dhparam /etc/letsencrypt/live/dhparams.pem;
# cipher suites the server may use
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# prefer the server's cipher order over the client's when using the SSLv3 and TLS protocols
ssl_prefer_server_ciphers on;
# SSL versions available: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# IE6 only supports SSLv2/SSLv3, but those have security problems, so they are not enabled
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# size of the cache for sessions created after the TLS handshake; 1m holds roughly 4000 sessions
ssl_session_cache shared:SSL:50m;
# session timeout
ssl_session_timeout 1d;
# used for load balancing; turned off here for now, see https://imququ.com/post/optimize-tls-handshake.html
# supported in 1.5.9 and above
ssl_session_tickets off;
# A browser may verify the certificate's validity online while setting up the TLS connection, which blocks the TLS handshake and slows everything down. OCSP stapling is an optimization: the server attaches the certificate authority's OCSP (Online Certificate Status Protocol) response to the certificate chain so the browser can skip the online query. Having the server fetch the OCSP response is faster (servers usually have better network conditions) and caches better. The above comes from https://imququ.com/post/my-nginx-conf-for-wpo.html
# supported in 1.3.7 and above
ssl_stapling on;
ssl_stapling_verify on;
# root certificate + intermediate certificate
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# HSTS tells the browser to always access this domain over HTTPS within the given max-age; even if the user types an HTTP address or clicks an HTTP link, the browser rewrites it to HTTPS locally before sending the request. See https://imququ.com/post/sth-about-switch-to-https.html for the related configuration
add_header Strict-Transport-Security max-age=60;
# put the configuration from the original http block here
}
After completing the above configuration, restart nginx to finish switching to https
(use sudo if you run into permission problems):
service nginx restart
or
sudo systemctl reload nginx
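Once nginx has been reloaded, the three things the configuration above promises (the 301 keeps the requested path, the HSTS header is sent, and an OCSP response is stapled) can be checked from the outside. This script is an added example rather than part of the post; it assumes curl and openssl are installed and uses the post's example.com as the default host.

```shell
#!/bin/sh
# Post-switch check for the nginx TLS block above (added example, not from the post).
# Usage: TLS_CHECK_LIVE=1 ./tls-check.sh example.com
HOST="${1:-example.com}"

# The helpers work on captured text so they can be exercised without a live server.
strip_cr() { printf '%s\n' "$1" | tr -d '\r'; }

# location_of HEADERS: value of the Location header in a "curl -I" capture.
location_of() { strip_cr "$1" | awk 'tolower($1) == "location:" { print $2 }'; }

# redirect_keeps_path HEADERS PATH: "return 301 https://example.com$request_uri"
# must carry the original path and query string over to https.
redirect_keeps_path() { [ "$(location_of "$1")" = "https://$HOST$2" ]; }

# hsts_max_age HEADERS: the max-age value of Strict-Transport-Security, if present.
hsts_max_age() {
  strip_cr "$1" | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *max-age=\([0-9]*\).*/\1/p'
}

# stapled S_CLIENT_OUTPUT: "openssl s_client -status" prints this line only when
# the server actually stapled an OCSP response into the handshake.
stapled() { printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; }

run_live() {
  rc=0
  h=$(curl -sI "http://$HOST/login?next=/admin")
  if redirect_keeps_path "$h" "/login?next=/admin"; then
    echo "ok:   http redirect preserves the request URI"
  else
    echo "fail: http redirect drops the path (Location: $(location_of "$h"))"; rc=1
  fi
  s=$(curl -sI "https://$HOST/")
  age=$(hsts_max_age "$s")
  if [ -n "$age" ]; then
    echo "ok:   HSTS max-age=$age (the post's 60 s is a trial value; raise it once https is stable)"
  else
    echo "fail: no Strict-Transport-Security header"; rc=1
  fi
  o=$(printf '' | openssl s_client -connect "$HOST:443" -servername "$HOST" -status 2>/dev/null)
  if stapled "$o"; then echo "ok:   OCSP response stapled"; else echo "fail: no stapled OCSP response"; rc=1; fi
  return $rc
}

if [ "${TLS_CHECK_LIVE:-0}" = 1 ]; then
  run_live
fi
```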
Certificates generated by certbot are valid for 90 days.
Use the following command to renew them; after a successful renewal the server still needs to
./certbot-auto renew
This command only renews certificates that are about to expire; to force a renewal, add the --force-renewal parameter.
Go to /etc/apache2/sites-available and edit the wildcard domain's configuration file (000-default.conf is used here as an example), adding the SSL configuration. Replace the SSL certificate paths in the configuration below with those of the certificate obtained earlier (if you use the configuration below as-is, change DocumentRoot and Directory to the directory the wildcard domain points to).
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/vps
ServerSignature Off
<Directory /var/www/vps >
Options -Indexes
</Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/vps
ServerSignature Off
<Directory /var/www/vps >
Options -Indexes
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/minirplus.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/minirplus.com/privkey.pem
</VirtualHost>
</IfModule>
When a user visits any subdomain, for example https://xVloe7V1kMEd2ZlOLlUxv.minirplus.com, they see the green HTTPS padlock.
Having a wildcard certificate brings several benefits