`Let's Encrypt` 是一个`免费`、`开放`，`自动化`的`证书颁发机构`。我们可以从这取得一个证书为网站启用https

安装cerbot

官方推荐我们使用cerbot客户端
我这里使用的是centos-7系统

yum install -y cerbot

若yum仓库无cerbot
则尝试

yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

yum install python2-certbot-nginx

安装中可能出现的问题

解决方案

1.安装python-urllib3

wget http://vault.centos.org/7.7.1908/os/Source/SPackages/python-urllib3-1.10.2-7.el7.src.rpm
rpm -ivh python-urllib3-1.10.2-7.el7.src.rpm

pip install --upgrade setuptools

pip install requests urllib3 pyOpenSSL --force --upgrade

pip install requests==2.6.0

获取证书

有两种情况

网站已经在运行了

那么使用webroot模式

sudo certbot certonly --webroot -w /var/www/example -d example.com

项目不是一个网站而是服务

可以使用standalone模式

sudo certbot certonly --standalone -d example.com

完成后提示如下

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at

/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will

expire on 2018-02-08. To obtain a new version of the certificate in

the future, simply run Let's Encrypt again.

- If you like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate

Donating to EFF:                    https://eff.org/donate-le

证书生成目录为/etc/letsencrypt/live/下域名对应目录下

注意：获取证书时可以先关闭防火墙，然后确保80、443端口没有被占用(关闭nginx)

配置https

此处以nginx 为例

server{
    listen 80;
	server_name example.com;
	rewrite ^/(.*) https://$server_name/$1 permanent;	
}

server {
	listen 443;
        server_name example.com;
        ssl on;
        ssl_certificate   /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
}

如出现the "ssl" parameter requires ngx_http_ssl_module错误,则需要安装https模块
进入nginx源码目录

./configure --with-http_ssl_module
make

然后将objs目录下nginx文件替换安装目录下的文件
重启nginx

刷新证书

Let's Encrypt 提供的证书只有 90 天的有效期
我看可以使用如下命令刷新证书时间

certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

也可以写个定时任务自动刷新,如使用crontab