Let‘s Encrypt
2022-07-24 22:33:00 【Leisurely summer】
1. Let's Encrypt: brief introduction

Let's Encrypt is a free, automated and open certificate authority (CA) run by the non-profit Internet Security Research Group (ISRG). Put simply, it issues free SSL/TLS certificates for websites. ISRG is a public-benefit corporation based in California, founded in May 2013; its first project was the Let's Encrypt certificate authority.

Let's Encrypt uses the ACME protocol to verify that you control a given domain name and then issues you a certificate. To obtain a Let's Encrypt certificate you need to choose an ACME client. Let's Encrypt neither controls nor audits third-party clients and cannot guarantee their safety or reliability. The officially recommended client for issuing certificates is Certbot, official website: https://certbot.eff.org/
ACME protocol:

- ACME = Automatic Certificate Management Environment, the automated certificate management protocol
- The basic idea of the ACME protocol is:
  - generate one-time random challenge data (a nonce) on your server
  - the Let's Encrypt server then checks this data through your server
  - confirm that the certificate has been issued successfully

Prerequisites:

- a domain name; the certificate will be issued for the specified domain name
- the server that the domain name points to is reachable, so that https can be accessed on it
- a Linux environment
2. Environment preparation

Certbot has two ways of working:

Standalone mode:

certbot runs its own web server to perform the validation. If a web server (such as Nginx or Apache) is already running, you need to stop it first when using standalone mode, to avoid a port conflict.

Webroot mode:

certbot uses the existing web server and creates hidden files under its web root directory. The Let's Encrypt server fetches these hidden files via the domain name to confirm that you really control that domain name.
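To make the ACME idea and the webroot mode above concrete, here is an added example (not certbot's or Let's Encrypt's code) that simulates both halves of the HTTP-01 check: the client writes the key authorization (token plus the RFC 7638 thumbprint of the account key) under the web root, and the CA side fetches it over plain HTTP from the domain and compares. The domain, token and JWK values are constructed for the demo, and a temporary directory stands in for the nginx root.

```python
import base64, hashlib, json, os, tempfile
from typing import Callable, Optional
CHALLENGE_DIR = ".well-known/acme-challenge"  # path fixed by the ACME HTTP-01 challenge (RFC 8555)

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The value the CA expects to read back: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def place_challenge(webroot: str, token: str, account_jwk: dict) -> None:
    """Client side (what certbot --webroot does): write the key authorization under the web root."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))

def webroot_fetcher(webroot: str, domain: str) -> Callable[[str], Optional[str]]:
    """Stand-in for the nginx server on the page: serves files below `root` for URLs on `domain`."""
    def fetch(url: str) -> Optional[str]:
        prefix = f"http://{domain}/"
        if not url.startswith(prefix):
            return None  # request for another host: this server would never answer it
        try:
            with open(os.path.join(webroot, url[len(prefix):]), encoding="ascii") as fh:
                return fh.read()
        except OSError:
            return None  # file missing or unreadable: validation fails
    return fetch

def validate_http01(domain: str, token: str, account_jwk: dict, fetch: Callable[[str], Optional[str]]) -> bool:
    """CA side: fetch the challenge URL over plain HTTP and compare it with the expected value."""
    body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    return body is not None and body.strip() == key_authorization(token, account_jwk)

def demo() -> tuple:
    """Constructed account key and token (not real credentials); returns (before, after, wrong_key)."""
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    token, root = "constructed-token-0123456789", tempfile.mkdtemp()
    fetch = webroot_fetcher(root, "yuanjing.com")
    before = validate_http01("yuanjing.com", token, jwk, fetch)  # nothing placed yet: must fail
    place_challenge(root, token, jwk)
    wrong = {"kty": "RSA", "e": "AQAB", "n": "constructed-n"}  # a different account key: must fail
    return before, validate_http01("yuanjing.com", token, jwk, fetch), validate_http01("yuanjing.com", token, wrong, fetch)
```

This is also why the nginx `root` in the configuration below must be the same directory passed to certbot's `-w`: the CA only ever sees what the running web server serves for that path.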
Install Nginx. Nginx lives in the third-party EPEL yum repository, not in the official CentOS yum repository:

```shell
# install the EPEL repository (RHEL extras)
sudo yum install epel-release
# update yum
yum update
yum install -y nginx
```

Install wget:

```shell
yum -y install wget
```
Download the Certbot client:

```shell
# download
wget https://dl.eff.org/certbot-auto
# add execute permission
chmod a+x ./certbot-auto
```

Edit the nginx configuration file:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # 1. configure the legal domain name
    server_name yuanjing.com;
    # 2. configure the application root directory
    root /usr/share/nginx/html;
}
```

3. Generate and configure the certificate
Generate the certificate with the certbot-auto command:

```shell
# the domain name must be real and valid
./certbot-auto certonly --webroot --email [your email address] -w /usr/share/nginx/html/ -d [fill in the legal domain name]
```

The generated certificate is placed under /etc/letsencrypt/live/[website domain name], for example /etc/letsencrypt/live/yuanjing.com
| File name | Content |
| --- | --- |
| cert.pem | Server certificate |
| chain.pem | All certificates the browser needs apart from the server certificate, i.e. the root and intermediate certificates |
| fullchain.pem | The contents of cert.pem and chain.pem together |
| privkey.pem | The private key of the certificate |

In general, fullchain.pem and privkey.pem are enough.
```
[user@host ~]$ tree /etc/letsencrypt/
......
├── live
│   └── yuanjing.com  (symlinks; the actual name depends on your domain name)
│       ├── cert.pem -> ../../archive/yuanjing.com/cert1.pem
│       ├── chain.pem -> ../../archive/yuanjing.com/chain1.pem
│       ├── fullchain.pem -> ../../archive/yuanjing.com/fullchain1.pem
│       ├── privkey.pem -> ../../archive/yuanjing.com/privkey1.pem
│       └── README
......
```
Configure nginx to support https access:

```nginx
server {
    listen 443 ssl http2;
    server_name yuanjing.com;  # set the domain name
    ssl_certificate "/etc/letsencrypt/live/yuanjing.com/fullchain.pem";  # certificate
    ssl_certificate_key "/etc/letsencrypt/live/yuanjing.com/privkey.pem";  # private key
}
```

Redirect http to https

To redirect http requests for the site to https, add the following to the nginx configuration:

```nginx
server {
    listen 80 default_server;
    server_name yuanjing.com www.yuanjing.com;
    return 301 https://$server_name$request_uri;  # this line is fixed
}
```

Restart Nginx for the change to take effect:

```shell
nginx -s reload
```
4. Renew the certificate

The default certificate validity period is 3 months, so it needs to be renewed.

Renew all domain names at 3 a.m. on the 1st of every month:

```shell
# create a scheduled task
sudo crontab -e
# set the timing policy
# /home/ubuntu/soft/certbot-auto: the certbot directory
0 3 1 * * /home/ubuntu/soft/certbot-auto renew --renew-hook "sudo nginx -s reload"
# check that the scheduled command just added exists
sudo crontab -l
```