Configuring a free HTTPS certificate for Nginx

Let's Encrypt is used to obtain a free SSL/TLS certificate.

1. Let's Encrypt is an international, public, free SSL certificate project hosted by the Linux Foundation and initiated by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations.
2. A Let's Encrypt certificate is valid for three months and must be renewed every three months.
3. Let's Encrypt rate-limits issuance: 20 certificates per registered domain per week, and 5 duplicate certificates for the same set of domain names per week.

On Linux, certbot can be used to obtain the certificate.

Certbot's official website address: https://certbot.eff.org/

1. Tool preparation

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

Note that the certbot-auto wrapper has since been deprecated by the certbot project; current installations use the distribution package or the snap, and the certonly options below are the same.

certbot can validate domain ownership in two ways:

(1) standalone mode: certbot starts its own temporary web server to answer the validation request. If a web server (such as Nginx or Apache) is already running on the machine, it must be stopped while certbot runs, otherwise the two conflict on the port.

(2) webroot mode: certbot uses the existing web server. It writes hidden challenge files under the server's web root directory, and the Let's Encrypt server fetches those files through the domain name to confirm that you really control the corresponding domain.

2. Use the certbot-auto command to generate the certificate

./certbot-auto certonly --webroot -w /usr/local/nginx/html/ -d aaa.sunwukong.cn -d bbb.sunwukong.cn -d ccc.sunwukong.cn -d dddd.sunwukong.cn

/usr/local/nginx/html/ is the web root directory of nginx; every domain passed with -d must be served from it over plain HTTP so the challenge files can be fetched.

aaa.sunwukong.cn is a domain name that needs a certificate. You can list several subdomains, each with its own -d; replace these with your own domain names.

3. While the command runs, you are asked for an email address, a confirmation of the terms and similar information. Answer Y or YES.

4. After execution, the certificate files are generated as follows:

# tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts
│   ├── acme-staging-v02.api.letsencrypt.org
│   │   └── directory
│   └── acme-v02.api.letsencrypt.org
│       └── directory
│           └── 009533753e7a6b7f6b27db646b9327da
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── mapp.sunwukong.cn
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   └── 0000_csr-certbot.pem
├── keys
│   └── 0000_key-certbot.pem
├── live
│   └── mapp.sunwukong.cn
│       ├── cert.pem -> ../../archive/mapp.sunwukong.cn/cert1.pem
│       ├── chain.pem -> ../../archive/mapp.sunwukong.cn/chain1.pem
│       ├── fullchain.pem -> ../../archive/mapp.sunwukong.cn/fullchain1.pem
│       ├── privkey.pem -> ../../archive/mapp.sunwukong.cn/privkey1.pem
│       └── README
├── renewal
│   └── mapp.sunwukong.cn.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre

5. Nginx configuration

server {
    listen 443 ssl;
    server_name mapp.sunwukong.cn;

    # fullchain.pem = leaf certificate + intermediate chain; privkey.pem = private key.
    # The paths under live/ are symlinks to the current files in archive/, so they
    # stay valid after each renewal.
    ssl_certificate /etc/letsencrypt/live/mapp.sunwukong.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mapp.sunwukong.cn/privkey.pem;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are kept here as in the original post, but both are
    # deprecated; limit this to TLSv1.2 (and TLSv1.3 where supported) unless legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    # Static site; "html" is relative to the nginx prefix (/usr/local/nginx).
    location / {
        root   html;
        index  index.html index.htm;
    }

    # Backend application behind the TLS terminator.
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}
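The HTTPS block above only listens on 443, but the webroot validation used in step 2 (and every later renewal) is fetched over plain HTTP from /.well-known/acme-challenge/ on port 80. The following companion server block is an added example, not part of the original post; it assumes the same webroot that was passed to certbot with -w (/usr/local/nginx/html/) and the same server name.

```nginx
# Added example: port-80 server block that keeps HTTP-01 validation working
# while sending all other traffic to HTTPS.
server {
    listen 80;
    server_name mapp.sunwukong.cn;

    # certbot writes its challenge files under <webroot>/.well-known/acme-challenge/.
    # The root below must match the directory given to certbot with -w.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/nginx/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is redirected to HTTPS (301, so clients stop using port 80).
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Run nginx -t after adding it, and keep this block in place permanently: certbot renew reuses the webroot recorded in /etc/letsencrypt/renewal/mapp.sunwukong.cn.conf, so removing it breaks the three-monthly renewal.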

6. Start or reload nginx

nginx -s reload

7. Verify access over HTTPS


Posted on Mon, 06 Jan 2020 13:33:03 -0500 by Richardtagger