给网站安装免费letsencrypt HTTPS 证书,配置nginx的https
letsencrypt 提供免费证书,有效期为90天。
过期后可以重新生成,相当于可以一直免费
letsencrypt网站
下面通过certbot 生成证书
1.下载certbot,并解压
wget https://codeload.github.com/certbot/certbot/zip/master
2.生成证书
./certbot-auto certonly --standalone --agree-tos -d example.com -d www.example.com
错误:
Problem binding to port 80: Could not bind to IPv4 or IPv6.
关闭服务器(nginx)之后再执行,即可解决
3.更新已过期证书
certbot renew --dry-run
./certbot-auto renew
注:(更新时问题)
Upgrading certbot-auto 0.40.1 to 1.2.0...
Couldn't download https://raw.githubusercontent.com/certbot/certbot/v1.2.0/letsencrypt-auto-source/letsencrypt-auto. <urlopen error [Errno 111] Connection refused>
可将其锁定到特定版本并且不接收自动更新,只需在命令后加 --no-self-upgrade 即可。即
./certbot-auto renew --no-self-upgrade
4.修改nginx配置
server {
......
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/xxxxxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxxxxx.com/privkey.pem;
......
}
server {
listen 80;
server_name xxxxxx.com;
return 301 https://$host$request_uri;
}
