Generating and Configuring SSL Certificates with Let's Encrypt

  1. Environment: CentOS 6 and 7, nginx.
  2. Install the certbot tool:
    yum install -y epel-release
    yum install -y certbot
  3. Request a certificate with the certbot command: certbot certonly --webroot -w [web site directory] -d [site domain] -m [contact email address], for example:
    certbot certonly --webroot -w /home/public_html -d blog.brotherjh.com -m ftfoolish@163.com

    Note: the directory given after -w must be accessible (check its permissions). Once the certificate has been issued successfully, the following message appears:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/[xxx.xxx.xxx]/fullchain.pem. Your cert will
       expire on 2018-02-22. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again. To
       non-interactively renew all of your certificates, run "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le

    The certificate is saved in:
    ```shell
    /etc/letsencrypt/live/blog.brotherjh.com/
    ```

    It is valid for 3 months.

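  4. Problems you may run into:
  • Whether port 443 is open
  • Whether the firewall allows port 443; otherwise a 502 error is reported (/etc/sysconfig/iptables)
  5. Renew the certificate automatically (CentOS 7)
    [root@123]# crontab -e
    # At 02:00 on the 1st of every month, renew and reload nginx
    0 2 1 * * /usr/bin/certbot renew --quiet && /sbin/service nginx reload

    Then restart the cron service:
    [root@123]# /bin/systemctl restart crond.service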
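
The nginx side of the steps above, as an added example that is not from the original post: it serves the challenge path that the --webroot method uses and loads the issued certificate on port 443. The domain, webroot and certificate directory are the ones used above; privkey.pem is the key file certbot places beside fullchain.pem, and the remaining directives (redirect, protocol list, session settings, index file) are assumptions to adapt.

```nginx
# Added example, not the original author's configuration.
# Taken from the page: domain, webroot, /etc/letsencrypt/live/... directory.
# Assumed: everything else (redirect policy, protocol list, index file).

# Port 80 stays open: the --webroot method is validated over plain HTTP.
server {
    listen 80;
    server_name blog.brotherjh.com;

    # certbot writes challenge files under <webroot>/.well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        root /home/public_html;      # must match the -w argument
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. The host name is written out literally
    # so the redirect target never depends on the client's Host header.
    location / {
        return 301 https://blog.brotherjh.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name blog.brotherjh.com;

    # fullchain.pem = leaf + intermediate certificates; privkey.pem = private key.
    ssl_certificate     /etc/letsencrypt/live/blog.brotherjh.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.brotherjh.com/privkey.pem;

    # Assumed policy: TLS 1.2 only; add TLSv1.3 if your nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /home/public_html;
    index index.html;
}
```

The files under live/ are symlinks that certbot repoints on renewal, so the reload in the cron job is enough to pick up a new certificate. Run `nginx -t` after editing the configuration and before reloading.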
