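Let's Encrypt is a free, automated, and open certificate authority. The project is backed by many large organizations, including the Mozilla Foundation, Akamai, and Cisco. The free SSL certificates issued by Let's Encrypt are trusted by many browsers. Although the SSL/TLS certificates you request are valid for only 3 months, they can be renewed automatically with the officially provided tool, which in effect makes them free to use permanently.
The way to obtain and install certificates that the official site currently recommends is certbot: you only need to run a few commands and make a few configuration changes.
1. Install Certbot
The Certbot website provides detailed installation instructions for each operating system. Since this blogger is running CentOS 6, the installation steps below are copied directly from the official site.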
$ sudo yum install epel-release
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto    # the required dependency packages are then installed automatically
Getting started with Certbot
If you use Apache (the English text below is quoted from the Certbot website):
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:
$ ./path/to/certbot-auto --apache
If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:
$ ./path/to/certbot-auto --apache certonly
Renewing certificates automatically
Let’s Encrypt certificates last for 90 days, so it’s highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:
./path/to/certbot-auto renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:
./path/to/certbot-auto renew --quiet
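A quiet renewal job can fail unnoticed if nobody reads cron's mail, so it helps to check the remaining validity of every certificate under /etc/letsencrypt/live independently of the renew command. The script below is an added example, not part of the original post or of Certbot; its function names, the check-certs.sh file name and the 20-day threshold are assumptions (Certbot by default renews once fewer than 30 days remain, so a certificate with under 20 days left suggests renewal is failing).

```shell
#!/bin/sh
# Added example: expiry check for Certbot-managed certificates, meant to run
# from cron next to "certbot-auto renew --quiet".
# Assumptions: function names and the 20-day threshold are illustrative.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
MIN_DAYS="${MIN_DAYS:-20}"

# cert_ok FILE DAYS: succeeds if the certificate in FILE is still valid
# DAYS days from now (openssl exits non-zero otherwise, or on a parse error).
cert_ok() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_live_dir DIR DAYS: checks DIR/<name>/fullchain.pem for every lineage,
# prints one line per certificate, and fails if any certificate is close to
# expiry or unreadable, or if no certificate was found at all.
check_live_dir() {
    dir=$1; days=$2; seen=0; bad=0
    for pem in "$dir"/*/fullchain.pem; do
        # Skip an unmatched glob, but keep dangling symlinks so they are reported.
        [ -e "$pem" ] || [ -L "$pem" ] || continue
        seen=$((seen + 1))
        name=$(basename "$(dirname "$pem")")
        if cert_ok "$pem" "$days"; then
            echo "OK   $name"
        else
            end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)
            echo "WARN $name: expires within $days days or unreadable (${end:-no date})"
            bad=$((bad + 1))
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "WARN no certificates found under $dir"
        return 1
    fi
    [ "$bad" -eq 0 ]
}

# Run the check only when asked to, e.g. from root's crontab
# (check-certs.sh is a hypothetical file name for this script):
#   sh check-certs.sh --run || echo "certificate renewal needs attention"
if [ "${1:-}" = "--run" ]; then
    check_live_dir "$LIVE_DIR" "$MIN_DAYS"
fi
```

The live directory is normally readable only by root, so schedule the check in root's crontab.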
2. Request an SSL certificate for your own domain
1. Generate a certificate for a single domain:
./certbot-auto certonly --email i@zhukun.net --agree-tos --webroot \
    -w /home/wwwroot/zhukun.net -d zhukun.net
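2. Generate a single certificate for multiple domains in one directory (that is, one website whose several domain names share the same certificate):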
./certbot-auto certonly --email i@zhukun.net --agree-tos --webroot \
    -w /home/wwwroot/zhukun.net -d www.zhukun.net -d img.zhukun.net
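3. Generate multiple certificates for multiple domains in multiple directories (that is, generate several certificates for several domains in one run):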
./certbot-auto certonly --email i@zhukun.net --agree-tos --webroot \
    -w /home/wwwroot/b.com -d www1.b.com -d www2.b.com \
    -w /home/wwwroot/a.com -d www1.a.com -d www2.a.com
If the message below appears, the installation succeeded; the certificate files are in the /etc/letsencrypt/live/zhukun.net directory.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zhukun.net/fullchain.pem. Your cert will
   expire on 2016-10-25. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le