Installation

Visit the Certbot official site, select your web server and operating system, and it shows the installation steps. Note that the certbot-auto wrapper used below has since been deprecated by the Certbot project (its current documentation installs Certbot via snap or pip); the commands are kept here as the page originally ran them. Whatever you download, verify it (EFF published a detached signature, certbot-auto.asc, alongside the script) before running it as root.

```bash
## Get the Certbot client
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto --help
```

Generate the certificate

```bash
$ ./certbot-auto certonly --webroot -w /usr/local/nginx/key/xxx.com -d xxx.com
```

During the run you may be prompted for an email address (used for expiry notices and account recovery) and to accept the Let's Encrypt terms of service. Every hostname the certificate must cover needs its own `-d`; this command only requests xxx.com, so a server block that also answers for www.xxx.com (as the 443 block below does) will present a certificate that does not match that name.

On success the output ends like this:

```text
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.com
Using the webroot path /usr/local/nginx/key/xxx.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.com/privkey.pem
Your cert will expire on 2018-04-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```

The certificate files are stored in the directory below. The files under `live/` are symlinks to the current versions in `archive/`, so point Nginx at the `live/` paths and they stay valid across renewals. `privkey.pem` is the private key and must remain readable by root only; `fullchain.pem` is the leaf certificate plus the intermediate chain that Nginx should serve.

```text
/etc/letsencrypt/live/xxx.com/
```

Configure Nginx to use the SSL certificate

```nginx
server {
    listen 80;
    server_name xxx.com;
    root /usr/local/nginx/www;

    location / {
        #alias /usr/local/nginx/www/;
        index index.html index.htm;
        # these proxy_* settings only take effect once a proxy_pass is added
        proxy_next_upstream off;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
    }

    # ACME http-01 tokens: must stay on port 80 and map to the -w webroot given to certbot
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/local/nginx/key/xxx.com/;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # exposes connection counters to anyone who can reach port 80;
    # restrict with allow/deny (e.g. localhost only) in production
    location /nginx-status {
        stub_status on;
        access_log off;
    }
}

server {
    listen 443 ssl;
    # www.xxx.com was not requested with -d above, so this certificate
    # will not validate for it: either add -d www.xxx.com or drop the name here
    server_name www.xxx.com xxx.com;

    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    # chain.pem is only consulted when OCSP stapling (ssl_stapling on) is enabled
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/chain.pem;

    # this block needs the same root/location content as the port-80 server,
    # otherwise the HTTPS site has nothing to serve
}
```
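The mismatch between the names a certificate was requested for and the names a server block answers to is easy to miss, because Nginx starts fine and only clients see the certificate error. The following added example (not code from the page or from Certbot) is a small offline lint that parses `server { ... }` blocks, finds the TLS listeners, and checks each `server_name` against the SAN set of the certificate lineage loaded from `/etc/letsencrypt/live/<name>/`. It also flags `ssl_trusted_certificate` without `ssl_stapling on`, since the chain file does nothing otherwise. The config and the SAN sets are constructed sample input: `SAMPLE_CONF` is a copy of the page's config, and the lineage-to-SAN map is hypothetical (in practice fill it from `openssl x509 -in fullchain.pem -noout -ext subjectAltName`). The wildcard handling goes beyond the page: it applies the one-label rule for `*.example.com` names.

```python
"""Static lint: is every TLS server_name in an Nginx config covered by the
Let's Encrypt certificate that block loads?  Added example, not page code."""
import re
from typing import Dict, List, Set

# Constructed sample: a copy of the page's Nginx config (xxx.com is its placeholder).
SAMPLE_CONF = """
server {
    listen 80;
    server_name xxx.com;
    root /usr/local/nginx/www;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/local/nginx/key/xxx.com/;   # must equal the -w webroot
    }
}
server {
    listen 443 ssl;
    server_name www.xxx.com xxx.com;
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/chain.pem;
}
"""


def _top_level_directives(body: str) -> Dict[str, List[str]]:
    """Collect `name arg...;` statements at the server block's own level, skipping nested blocks."""
    directives: Dict[str, List[str]] = {}
    buf: List[str] = []
    depth = 0
    for ch in body:
        if ch == "{":
            depth += 1
            if depth == 1:
                buf = []            # drop the nested block's header, e.g. "location / "
            continue
        if ch == "}":
            depth -= 1
            continue
        if depth:
            continue                # inside a location { ... }: ignore
        if ch == ";":
            parts = "".join(buf).split()
            buf = []
            if parts:
                directives.setdefault(parts[0], []).extend(parts[1:])
        else:
            buf.append(ch)
    return directives


def parse_server_blocks(conf: str) -> List[Dict[str, List[str]]]:
    """Return one directive map per `server { ... }` block, with # comments stripped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        start, depth, i = m.end(), 1, m.end()
        while i < len(conf) and depth:          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(_top_level_directives(conf[start:i - 1]))
    return blocks


def hostname_covered(host: str, sans: Set[str]) -> bool:
    """Exact SAN match, or a *.parent wildcard covering exactly one label (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    if host in sans:
        return True
    if "." in host:
        return "*." + host.split(".", 1)[1] in sans
    return False


def lint_tls_coverage(conf: str, lineages: Dict[str, Set[str]]) -> List[str]:
    """lineages maps a Certbot lineage name (the directory under /etc/letsencrypt/live/)
    to its SAN set.  Returns a list of human-readable findings; empty means clean."""
    findings: List[str] = []
    for blk in parse_server_blocks(conf):
        listen = blk.get("listen", [])
        if "ssl" not in listen and not any(l == "443" or l.endswith(":443") for l in listen):
            continue                            # plain-HTTP server: nothing to check
        names = blk.get("server_name", ["<none>"])
        certs = blk.get("ssl_certificate", [])
        if not certs:
            findings.append(f"{' '.join(names)}: TLS listener without ssl_certificate")
            continue
        m = re.search(r"/etc/letsencrypt/live/([^/]+)/", certs[0])
        lineage = m.group(1) if m else certs[0]
        sans = lineages.get(lineage)
        if sans is None:
            findings.append(f"{certs[0]}: unknown certificate lineage")
            continue
        for host in names:
            if not hostname_covered(host, sans):
                findings.append(f"{host}: not covered by lineage {lineage} (SANs: {sorted(sans)})")
        if "ssl_trusted_certificate" in blk and blk.get("ssl_stapling") != ["on"]:
            findings.append(f"{lineage}: ssl_trusted_certificate set but ssl_stapling is off, so the chain file is unused")
    return findings


if __name__ == "__main__":
    # The page requested only -d xxx.com, so www.xxx.com in the 443 block is reported.
    for finding in lint_tls_coverage(SAMPLE_CONF, {"xxx.com": {"xxx.com"}}):
        print("FINDING:", finding)
```

Run it after every `certbot certonly` and before `nginx -s reload`; the same check is worth wiring into a Certbot `--deploy-hook`, so a renewal that silently dropped a name is caught before the old certificate expires.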
Backing up and removing a certificate lineage:

```bash
# Backup: this directory holds the account key and every private key, so keep
# the copy root-only (the recursive copy preserves the 0700 mode of /etc/letsencrypt)
sudo cp -r /etc/letsencrypt/ /etc/letsencrypt.backup

# Delete: DOMAIN is the lineage name, i.e. the directory name under /etc/letsencrypt/live/
DOMAIN=xxx.com
rm -rf /etc/letsencrypt/live/${DOMAIN}
rm -rf /etc/letsencrypt/renewal/${DOMAIN}.conf
rm -rf /etc/letsencrypt/archive/${DOMAIN}
# all three must go together, or `certbot renew` will keep trying (and failing) to renew it;
# `certbot delete --cert-name xxx.com` does the same removal through Certbot itself
```

References