ssl.mail.163.com（Let s Encrypt SSL证书使用手册）

letsencrypt原理说明 申请过程中要验证绑定的域名是否属于申请人，其原理就是申请人在域名所在的服务器上申请证书，然后 Let’ s Encrypt 会访问绑定的域名与客户端通信成功即可通过。需要停止当前的 web server 服务, 让出 80 端口, 由客户端内置的 web server 启动与 Let’ s Encrypt 通信。不需要停止当前 web server , 但需要在域名根目录下创建一个临时目录, 并要保证外网通过域名可以访问这个目录，在申请证书的时候会向这个目录写数据，验证域名的权限。证书安装 本文使用第二钟方式申请证书，整个安装过程需要root权限进行操作。1、安装python依赖（如果是源码安装，需要安装setuptools和pip）[root@centos7 ~]# yum install epel-release git bc python27 python27-devel python27-pip python27-setuptools python27-virtualenv2、创建临时目录和网站根目录[root@centos7 ~]# mkdir /tmp_ssl[root@centos7 ~]# mkdir /data/[root@centos7 ~]# cat /data/index.html <h1> Test Page </h1>3、配置nginx[root@centos7 conf.d]# cat www.conf server{listen 80;server_name ssl.niub.la;root /data;index index.html;location /.well-known { #重要，此处是配置我们的临时目录，用于验证域名。default_type text/plain;alias /tmp_ssl/.well-known;} }3、下载Let’ s Encrypt[root@centos7 ~]# git clone https://github.com/letsencrypt/letsencrypt [root@centos7 ~]# mv letsencrypt/ /usr/local/4、申请证书[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto certonly --no-self-upgrade --webroot -w /tmp_ssl --email mail0426@163.com -d ssl.niub.laSaving debug log to /var/log/letsencrypt/letsencrypt.log-------------------------------------------------------------------------------Please read the Terms of Service athttps://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agreein order to register with the ACME server athttps://acme-v01.api.letsencrypt.org/directory-------------------------------------------------------------------------------(A)gree/(C)ancel: A-------------------------------------------------------------------------------Would you be willing to share your email address with the Electronic FrontierFoundation, a founding partner of the Let's Encrypt project and the non-profitorganization that develops Certbot? We'd like to send you email about EFF andour work to encrypt the web, protect its users and defend digital rights.-------------------------------------------------------------------------------(Y)es/(N)o: YObtaining a new certificatePerforming the following challenges:http-01 challenge for ssl.niub.laUsing the webroot path /tmp_ssl for all unmatched domains.Waiting for verification...Cleaning up challengesIMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/ssl.niub.la/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/ssl.niub.la/privkey.pem Your cert will expire on 2017-11-17. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le5、查看申请的证书[root@centos7 ~]# ls /etc/letsencrypt/live/ssl.niub.la/cert.pem chain.pem fullchain.pem privkey.pem README6、配置nginx支持ssl协议并安装证书[root@centos7 ~]# cat /data/index.html <h1> Test Page </h1>[root@centos7 ~]# cat /etc/nginx/conf.d/www.conf server{ listen 443 ssl; server_name ssl.niub.la; root /data; index index.html; ssl_certificate /etc/letsencrypt/live/ssl.niub.la/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ssl.niub.la/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH; location /.well-known { default_type text/plain; alias /tmp_ssl/.well-known; } }[root@centos7 ~]# systemctl restart nginx7、测试访问

增加证书 因为我们现在已经有一个ssl证书正在使用证书了监听了443端口，所以此处还是应该，使用第二种方式--webroot的来申请证书，配置我们的临时目录。1、配置网站根目录[root@centos7 ~]# cat /data/openssl.html<h1> OpenSSL </h1>2、配置nginx[root@centos7 conf.d]# cat www.conf server{listen 80;server_name openssl.niub.la;root /data;index openssl.html;location /.well-known { #重要，此处是配置我们的临时目录，用于验证域名。default_type text/plain;alias /tmp_ssl/.well-known;} }3、执行新增证书（下面的命令的意思是在原有的ssl.niub.la申请的证书里面新增一个域名，两个域名使用同一个证书）[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto certonly --no-self-upgrade --webroot -w /tmp_ssl --email mail0426@163.com -d ssl.niub.la -d openssl.niub.laSaving debug log to /var/log/letsencrypt/letsencrypt.log-------------------------------------------------------------------------------You have an existing certificate that contains a portion of the domains yourequested (ref: /etc/letsencrypt/renewal/ssl.niub.la.conf)It contains these names: ssl.niub.laYou requested these names for the new certificate: ssl.niub.la, openssl.niub.la.Do you want to expand and replace this existing certificate with the newcertificate?-------------------------------------------------------------------------------(E)xpand/(C)ancel: ERenewing an existing certificatePerforming the following challenges:http-01 challenge for ssl.niub.lahttp-01 challenge for openssl.niub.laUsing the webroot path /tmp_ssl for all unmatched domains.Waiting for verification...Cleaning up challengesIMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/ssl.niub.la/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/ssl.niub.la/privkey.pem Your cert will expire on 2017-11-17. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le4、配置ssl[root@centos7 ~]# cat /etc/nginx/conf.d/openssl_ssl.conf server{ listen 443 ssl; server_name openssl.niub.la; root /data; index openssl.html; ssl_certificate /etc/letsencrypt/live/ssl.niub.la/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ssl.niub.la/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH; location /.well-known { default_type text/plain; alias /tmp_ssl/.well-known; } }[root@centos7 ~]# systemctl restart nginx5、测试访问

更新证书1、更新本地所有证书泛解析[root@hdw001 cce]# /usr/local/letsencrypt/letsencrypt-auto certonly --no-self-upgrade --email mail0426@163.com --preferred-challenges dns --manual -d *.huandianw.com -d huandianw.com --server https://acme-v02.api.letsencrypt.org/directory子域名解析[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto --no-self-upgrade renew或者[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto --no-self-upgrade --webroot -w /tmp renew2、加载到任务计划[root@centos7 ~]# echo '0 4 1 * * /usr/local/letsencrypt/letsencrypt-auto --no-self-upgrade renew >>/dev/null 2>&1' >/var/spool/cron/root[root@centos7 ~]# crontab -l0 4 1 * * /usr/local/letsencrypt/letsencrypt-auto renew >>/dev/null 2>&1注意事项--webroot 参数:指定使用临时目录的方式. -w 参数:指定后面-d 域名所在的根目录, 如果一次申请多个域的, 可以附加更多 -w...-d...-w 必须为你要认证站点的根目录，letsencrypt验证时会在该目录县写入.well-known目录文件，并通过你的申请站点进行访问验证。-w的配置，会忽略nginx中的root或alias配置，路径以-w来验证。