1. Installation
Official installation method
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-nginx
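2. Generate the certificate
$ sudo certbot --nginx
Note: after running the command, enter the parameters as prompted and just proceed through the steps. At the end there will be important notes, including where the certificate is stored; remember this location, as it is needed when configuring nginx, apache, tomcat, etc.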
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/123.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/123.com/privkey.pem
   Your cert will expire on 2019-08-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
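3. Automatic renewal
The last step is automatic renewal of the certificate. Let's Encrypt certificates are valid for 90 days by default, though the official recommendation is to renew every 60 days. When a certificate is due, it has to be renewed with a command, but we are lazy, and this kind of manual chore is better left to the machine. So we can use a Linux cron job for this kind of task: configure a cron job that runs the following command on the first day of every second month:
vi /etc/crontab
0 0 1 */2 * root /usr/bin/certbot renew --post-hook "systemctl reload nginx" --post-hook "systemctl reload apache2"
Note: absolute paths must be used in a cron job (/usr/bin/certbot is where the apt package installs certbot), and entries in /etc/crontab also take a user field (root here) before the command.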
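An added example (not part of the original post): an expiry check to schedule alongside the renewal job, because `certbot renew` by default only renews certificates that expire within 30 days, so a run every two months can fall outside that window and leave the certificate to lapse unnoticed. The function names, the 30-day threshold and the self-signed sample certificates are assumptions made for the demonstration; in real use, point `cert_days_ok` at the `fullchain.pem` path reported by certbot.

```shell
#!/bin/sh
# Added example, not from the original post: expiry check to run next to the
# "certbot renew" cron job, so a failing or skipped renewal is noticed before
# the certificate lapses.

# cert_days_ok CERT MIN_DAYS
#   0 = still valid for more than MIN_DAYS days
#   1 = expires within MIN_DAYS days (or has already expired)
#   2 = file missing or not a parseable PEM certificate
cert_days_ok() {
    cert=$1
    min_days=$2
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$cert" -noout \
        -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# make_sample_cert DAYS OUT_FILE
#   Constructed test input: a throwaway self-signed certificate valid for
#   DAYS days (hypothetical helper, only used by the demo).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# demo: a 90-day certificate passes a 30-day threshold, a 10-day one does
# not, and a missing file is reported separately.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert 90 "$dir/fresh.pem"
    make_sample_cert 10 "$dir/stale.pem"
    for f in fresh.pem stale.pem missing.pem; do
        rc=0
        cert_days_ok "$dir/$f" 30 || rc=$?
        echo "$f -> $rc"
    done
    rm -rf "$dir"
}

demo
```

Run from a daily cron entry, a non-zero return can trigger a mail or other alert to whoever operates the server.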
4. For nginx configuration, see "Nginx reverse proxy HTTPS configuration"