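Introduction
certbot is a tool that automatically deploys the free digital certificates issued by Let's Encrypt to your website, so that the site supports HTTPS.
Installation
The package is available through epel-release, so it can be installed directly with yum.
yum -y install epel-release
yum -y install certbot.noarch
Configuration
If Nginx or Apache was installed with yum, you can run certbot directly and the program will find the web server automatically and add the certificate to it. If you compiled the web server yourself, you need to generate the certificate manually and then configure it.
1. nginx from the rpm package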
yum -y install nginx
2. Configure the certificate
certbot run
Manual configuration
Generate the certificate
certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the Appropriate number [1-2] then [enter] (press 'c' to cancel): opcai.top
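# Here you choose to configure the webroot path, or specify a domain name; if the website is already up, entering the domain name directly is enough for the certificate to be generated automatically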
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/opcai.top.conf)
Location of the generated certificate
/etc/letsencrypt/live/opcai.top/
Certificate: cert.pem
Private key: privkey.pem
Configure these in the configuration file of the corresponding web server.
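An nginx server block that uses these files, as an added example that is not part of the original post. The webroot path /usr/share/nginx/html and the protocol list are assumptions; it points ssl_certificate at fullchain.pem, which certbot writes to the same directory next to cert.pem, so that nginx also sends the intermediate certificate.

```nginx
# Added example; the webroot path below is an assumption, adjust it to your site.
server {
    listen 80;
    server_name opcai.top;

    # Keep the ACME HTTP-01 challenge path reachable over plain HTTP
    # so that webroot-based renewals keep working.
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    # Send everything else to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name opcai.top;

    # fullchain.pem is cert.pem followed by the intermediate chain;
    # serving cert.pem alone can fail validation in clients that
    # do not already have the intermediate certificate.
    ssl_certificate     /etc/letsencrypt/live/opcai.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/opcai.top/privkey.pem;

    # Assumption: only modern TLS versions are needed.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /usr/share/nginx/html;
}
```

Validate the file with nginx -t and apply it with systemctl reload nginx. nginx only reads the certificate at start or reload, so it also has to be reloaded after each renewal.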
Automatic certificate renewal
The certificate is only valid for three months; you can enable a scheduled task to renew it automatically:
systemctl enable certbot-renew.timer






