下载 acme-tiny

创建用户私钥和域名私钥 "创建用户私钥和域名私钥")创建用户私钥和域名私钥

mkdir -p /etc/ssl/letsencrypt/

cd /etc/ssl/letsencrypt/

openssl genrsa 4096 > account.key

openssl genrsa 4096 > domain.key

生成域名 csr 文件 "生成域名 csr 文件")生成域名 csr 文件

单域名

openssl req -new -sha256 -key domain.key -subj "/CN=www.yoursite.com" > domain.csr

多域名

ln -s /etc/pki/tls/openssl.cnf /etc/ssl/openssl.cnf

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config domain.csr

配置 Web 站点的 challenge 文件 "配置 Web 站点的 challenge 文件")配置 Web 站点的 challenge 文件

mkdir -p /var/www/challenges/

#example for nginx

server {

listen 80;

server_name yoursite.com www.yoursite.com;

location /.well-known/acme-challenge/ {

alias /var/www/challenges/;

try_files $uri =404;

}

...the rest of your config

}

生成 signed 文件 "生成 signed 文件")生成 signed 文件

wget -c https://raw.githubusercontent.com/yangphere/acme-tiny/master/acme_tiny.py --no-check-certificate

python acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /var/www/challenges/ > /etc/ssl/letsencrypt/signed.crt

生成证书链 "生成证书链")生成证书链

v1 版，兼容性差点

wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem

cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem

建议使用 v3 版

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem

cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem

生成 dh 证书 "生成 dh 证书")生成 dh 证书

openssl dhparam -out dhparam.pem 2048

配置 nginx 使 SSL 证书生效 "配置 nginx 使 SSL 证书生效")配置 nginx 使 SSL 证书生效

server {

listen 443;

server_name yoursite.com, www.yoursite.com;

ssl on;

ssl_certificate /etc/ssl/letsencrypt/chained.pem;

ssl_certificate_key /etc/ssl/letsencrypt/domain.key;

ssl_session_timeout 5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;

ssl_session_cache shared:SSL:50m;

ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;

ssl_prefer_server_ciphers on;

...the rest of your config

}

server {

listen 80;

server_name yoursite.com, www.yoursite.com;

location /.well-known/acme-challenge/ {

alias /var/www/challenges/;

try_files $uri =404;

}

...the rest of your config

}

重启 nginx 服务 "重启 nginx 服务")重启 nginx 服务

service nginx reload

自动生成 SSL 证书 "自动生成 SSL 证书")自动生成 SSL 证书

由于 Let’s Encrypt 的证书只有 90 天的有效期，需要使用系统每个月生成一次。编辑 renew_cert.sh 文件

以下是 v1 版，兼容性差点

#!/usr/bin/shpython /etc/ssl/letsencrypt/acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /var/www/challenges/ > /etc/ssl/letsencrypt/signed.crt || exit

wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem

cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem

service nginx reload

建议使用 v3 版

#!/usr/bin/shpython /etc/ssl/letsencrypt/acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /var/www/challenges/ > /etc/ssl/letsencrypt/signed.crt || exit

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem

cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem

service nginx reload

添加可执行权限

chmod +x renew_cert.sh

编辑 crontab 文件

crontab -e

加入如下内容

0 0 1 * * /etc/ssl/letsencrypt/renew_cert.sh 2>> /var/log/acme_tiny.log

重启 crontab 服务

service crond restart

测试一下 SSL 质量 "测试一下 SSL 质量")测试一下 SSL 质量