1. Python 2.7 or later must be installed
2. Download letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
3. Usage:
./letsencrypt-auto certonly --standalone --email admin@***.com -d ***.com -d www.***.com
If you see message 1:
Problem binding to port 80: Could not bind to IPv4 or IPv6.
stop nginx temporarily: in --standalone mode the client binds port 80 itself.
If you see message 2:
Certbot has problem setting up the virtual environment.
We were not be able to guess the right solution from your pip
move the pip configuration file aside:
mv ~/.pip/pip.conf ~/.pip/pip.conf.backup
# The following output means the certificate has been generated (域名地址 stands for your domain name):
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/域名地址/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/域名地址/privkey.pem
   Your cert will expire on 2018-07-16. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
To renew, use:
./letsencrypt-auto renew
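4. nginx configuration
Add the following to the server block in nginx (域名地址 stands for your domain name):
# "listen ... ssl" replaces the deprecated "ssl on;"; merge it with an existing listen line
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/域名地址/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/域名地址/privkey.pem;
ssl_session_timeout 5m;
# SSLv2, SSLv3 and TLSv1 are obsolete and insecure; enable only current versions
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
5. Restart nginx to complete the configuration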
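The following is an added example, not part of the original page: a shell function that scans an nginx configuration file and reports every ssl_protocols entry older than TLSv1.2, a check worth running against the server block from step 4 before restarting. The TLSv1.2 minimum, the function name weak_tls_protocols and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: report legacy TLS/SSL versions
# enabled by ssl_protocols in an nginx configuration file.

# weak_tls_protocols FILE
#   Prints "line N: PROTO" for every protocol older than TLSv1.2 (policy
#   assumed for this example). Returns 1 if any was found, else 0.
weak_tls_protocols() {
    awk '
    {
        sub(/#.*/, "")                       # ignore comments
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok == "ssl_protocols") { in_dir = 1; continue }
            if (!in_dir) continue            # token belongs to another directive
            last = (tok ~ /;$/)              # the directive ends at ";"
            sub(/;$/, "", tok)
            if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                printf "line %d: %s\n", NR, tok
                bad = 1
            }
            if (last) in_dir = 0
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: one server block with a legacy protocol list and
# one with current versions only. example.test is a placeholder domain.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
server {
    listen 443 ssl;
    server_name old.example.test;
    ssl_protocols SSLv2 SSLv3 TLSv1;   # legacy list
}
server {
    listen 443 ssl;
    server_name new.example.test;
    # ssl_protocols SSLv3;  (commented out, must be ignored)
    ssl_protocols TLSv1.2
                  TLSv1.3;
}
EOF

if findings=$(weak_tls_protocols "$sample_conf"); then
    echo "no legacy protocols enabled"
else
    echo "legacy protocols enabled:"; echo "$findings"
fi
```

The function reads a single file and does not follow include directives, so run it on each file that contains a server block.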
You can also create the certificate using DNS TXT record validation, with the command:
./certbot-auto --manual --preferred-challenges dns certonly
For a wildcard certificate, use *.aaa.com as the domain
Or run directly:
./certbot-auto certonly -d '*.aaa.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory