Let's Encrypt SSL Certificate Installation (CentOS + Nginx), with SSL Labs Grading and Automatic Renewal

Yesterday I tried GoDaddy's SSL certificate and found it wasn't that convenient, so I looked into Let's Encrypt. Many personal sites have moved to Let's Encrypt by now, and it has a serious pedigree: all the big companies sponsor it. The main purpose of Let's Encrypt is to make SSL certificates ubiquitous so that the whole web moves to HTTPS faster. Although it is an open-source project, the free 3-month SSL certificates it issues are very popular. (3 months doesn't matter; just write a script that renews automatically.)

There are plenty of installation guides online; after working through them myself, the simplest method is as follows:

Assume CentOS 6 with nginx already installed; if the commands for other versions are unclear, leave a comment.

Install git and EPEL (the EPEL repository package is named epel-release):

yum install git

yum install epel-release

Then change directory and clone the following git repository:

cd /opt
git clone https://github.com/letsencrypt/letsencrypt

Then stop the nginx service, change directory, and install:

service nginx stop
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone -d your_domain.tld -d www.yourdomain.tld

Then enter your email address and other details as prompted and wait for domain validation. Their domain validation is a bit flaky, so try a few times.

————————— Installation is complete; everything below is configuration —————————

For the nginx configuration I'll write down only the key directives; ask if anything is unclear.

listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Once that is done, run a test and get a grade at SSL Labs: https://www.ssllabs.com/ssltest/analyze.html

When the test completes, you will find a "weak DH key exchange" issue; the fix is as follows:

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
openssl dhparam -out dhparams.pem 4096

Then # vi /etc/nginx/nginx.conf and add:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;

Renewing the certificate: since the certificate is valid for 90 days, it has to be renewed manually; the commands are as follows.

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d yourdomain.tld -d www.yourdomain.tld
systemctl reload nginx

Someone on GitHub wrote a bash script for automatic renewal that can be used as a cron job. (Remember to adjust your paths and other details.)

Create the file with # vi /usr/local/bin/cert-renew and paste in the following:

#!/bin/bash
# Renewal helper for Let's Encrypt certificates (webroot method), meant to run from cron.
# Usage: cert-renew your_domain.tld
webpath='/usr/share/nginx/html/'
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30;   # renew when fewer than this many days remain

# Read the comma-separated domain list back out of the certificate's renewal config.
get_domain_list(){
    certdomain=$1
    config_file="$le_conf/renewal/$certdomain.conf"
    if [ ! -f "$config_file" ] ; then
        echo "[ERROR] The config file for the certificate $certdomain was not found."
        exit 1;
    fi
    domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
    # Strip a trailing comma if the config file left one.
    last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')
    if [ "${last_char}" = "," ]; then
        domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')
    fi
    echo $domains;
}

if [ -z "$domain" ] ; then
    echo "[ERROR] you must provide the domain name for the certificate renewal."
    exit 1;
fi
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1;
fi
# Expiry as a Unix timestamp: openssl prints "notAfter=<date>", date -d parses the date part.
exp=$(date -d "$(openssl x509 -in "$cert_file" -enddate -noout | cut -d= -f2)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)   # needs the bc package
echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ] ; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0;
else
    echo "The certificate for $domain is about to expire soon. Starting renewal request..."
    domain_list=$( get_domain_list $domain )
    "$le_path"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path="$webpath" --domains "${domain_list}"
    echo "Reloading Nginx..."
    sudo systemctl reload nginx
    echo "Renewal process finished for domain $domain"
    exit 0;
fi
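As an added example (my own code, not part of the original post or of the script above), here is a sturdier form of that expiry check: instead of cutting the "Not After" date out of openssl's text output and doing date arithmetic with bc, it asks openssl directly whether the certificate will still be valid N days from now (x509 -checkend). It assumes openssl is on PATH and the /etc/letsencrypt/live/<domain>/fullchain.pem layout used in the post; the function names are mine.

```shell
#!/bin/bash
# Added example: certificate expiry check built on "openssl x509 -checkend".
# Assumptions: openssl on PATH; Let's Encrypt's live/<domain>/fullchain.pem layout;
# the 30-day default matches exp_limit in the cron script from the post.

le_live='/etc/letsencrypt/live'

# Print the "Not After" date of a PEM certificate exactly as openssl reports it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Return 0 if the certificate in $1 needs renewal (it expires within $2 days,
# default 30), 1 if it is still fine, 2 if the file is missing or unreadable.
needs_renewal() {
    local cert_file="$1" exp_limit="${2:-30}"
    if [ ! -r "$cert_file" ]; then
        echo "[ERROR] certificate file not found: $cert_file" >&2
        return 2
    fi
    # -checkend SECONDS exits 0 while the cert is still valid at now+SECONDS
    # and 1 once it would have expired by then, so no date parsing is needed.
    if openssl x509 -in "$cert_file" -noout -checkend $((exp_limit * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Cron entry point: cert-check your_domain.tld [days]
if [ -n "${1:-}" ]; then
    cert="$le_live/$1/fullchain.pem"
    needs_renewal "$cert" "${2:-30}"
    case $? in
        0) echo "$1 expires $(cert_not_after "$cert"): renewal needed" ;;
        1) echo "$1 is valid until $(cert_not_after "$cert"): nothing to do" ;;
        *) exit 1 ;;
    esac
fi
```

The renewal command and nginx reload from the post's script can be run in the "renewal needed" branch; the check itself never touches the certificate.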

Then make it executable, install bc, and test that it runs:

chmod +x /usr/local/bin/cert-renew
yum install bc
/usr/local/bin/cert-renew yourdomain.tld

Add it to cron so it runs automatically:

crontab -e
@weekly  /usr/local/bin/cert-renew your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1
