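Free SSL certificates for HTTPS access: a Let's Encrypt deployment tutorial
0 Introduction to Let's Encrypt
Let's Encrypt is a free, open, automated certificate authority (CA),
run for the public's benefit (operated by the non-profit Internet Security Research Group (ISRG)).
1 Install Let's Encrypt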
git clone https://github.com/letsencrypt/letsencrypt
2 Generate a wildcard certificate
cd letsencrypt
or: cd certbot
./certbot-auto certonly -d "*.huchangyi.com" --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
3 Add a DNS record at the domain provider
Configure a TXT record.
4 Certificate renewal
crontab -e
0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"
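Added example (not part of the original tutorial and not certbot's own code): step 2 issues the certificate with --manual and no hook scripts, and certbot cannot answer a manual DNS challenge non-interactively, so the cron job above will not renew that certificate by itself. The shell check below reads certbot's renewal configs and flags such certificates; the [renewalparams] keys, the handling of "None", and the sample file are assumptions based on certbot's usual layout, and write_sample_conf is a hypothetical helper.

```shell
#!/bin/sh
# Added example: find certificates that the cron job `certbot renew --quiet` cannot renew.
# Assumption: renewal configs follow certbot's usual layout, with a [renewalparams]
# section holding `authenticator = ...` and, if hooks were given, `manual_auth_hook = ...`.

# check_renewal_conf FILE: print a verdict; return 1 if unattended renewal will fail.
check_renewal_conf() {
    awk -v f="$1" '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && /^authenticator[ \t]*=/    { auth = val($0) }
        in_params && /^manual_auth_hook[ \t]*=/ { hook = val($0) }
        END {
            # "None" is treated like a missing hook (assumption about how unset values are stored).
            if (auth == "manual" && (hook == "" || hook == "None")) {
                print f ": manual authenticator, no manual_auth_hook: cron renewal will fail"
                exit 1
            }
            print f ": ok (authenticator=" auth ")"
        }
    ' "$1"
}

# write_sample_conf FILE [HOOK]: constructed sample of what step 2 would leave behind
# (hypothetical helper; values are illustrative, not copied from a real system).
write_sample_conf() {
    cat > "$1" <<EOF
cert = /etc/letsencrypt/live/huchangyi.com/cert.pem
fullchain = /etc/letsencrypt/live/huchangyi.com/fullchain.pem
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
${2:+manual_auth_hook = $2}
EOF
}

# Audit the real configs when present (certbot's default renewal directory).
for conf in /etc/letsencrypt/renewal/*.conf; do
    if [ -e "$conf" ]; then check_renewal_conf "$conf" || true; fi
done
```

A certificate flagged here needs hook scripts (--manual-auth-hook) or a DNS plugin before the cron entry can renew it unattended.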
5 Certificate path
/etc/letsencrypt/live/
6 nginx configuration
ssl_certificate /etc/letsencrypt/live/huchangyi.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/huchangyi.com/privkey.pem;
7 Revoke the certificate
certbot revoke --cert-path /etc/letsencrypt/live/you.cn/cert.pem
certbot delete --cert-name huchangyi.com