acme-tiny在CentOS、Apache下自动更新https证书

# yum install mod_ssl openssl

# mkdir /home/crt/

# cd /home/crt/

从 https://github.com/diafygi/acme-tiny 获取 acme_tiny.py 并放到 /home/crt/。建议用 git clone 该仓库并检出一个发布 tag，而不是从网页上复制粘贴：这个脚本会读取账户私钥并代表你向 Let's Encrypt 发请求，务必确认文件确实来自该仓库、内容未被改动。

下文中的 yoursite 指站点名称（同时也是 /home/crt/ 下的目录名），请替换为实际值。

# mkdir yoursite/www/

# cd yoursite
# 创建 Let's Encrypt 账户私钥（account.key）和站点私钥（domain.key）。
# 两把私钥都只应让 root 可读：先收紧 umask 再生成（或生成后执行 chmod 600 account.key domain.key），
# 否则默认 644 的文件在 /home/crt/yoursite 目录可遍历时会被 apache 等其他用户读到。

# umask 077

# openssl genrsa 4096 > account.key

# openssl genrsa 4096 > domain.key
#单域名CSR用如下命令

#openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr



#多域名CSR用如下命令(一般都至少要为根域和WWW申请证书吧)

接下来需要使用openssl.cnf文件,先查找自己该文件的位置

#locate openssl.cnf

CentOS下的文件位置在/etc/pki/tls/openssl.cnf

# 注意：<( ... ) 是 bash 的进程替换语法，需在 bash（而不是 sh）中执行；-config 的路径用上一步找到的文件，CentOS 下为 /etc/pki/tls/openssl.cnf。

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

#

设置该目录下面 www 文件夹的权限。这个目录只需要运行 acme_tiny 的用户（本文通过 root 的 crontab 运行，即 root）可写、apache 用户可读即可，不要设为 777：世界可写意味着任意本机用户都能往里放文件，再配合下面虚拟主机里对该目录的 ExecCGI 就能以 apache 身份执行代码。如果改为用专用的非 root 用户运行 acme_tiny，就把目录 chown 给该用户。

chmod -R 755 www

修改 httpd.conf（CentOS 下为 /etc/httpd/conf/httpd.conf），在 *:80 虚拟主机里加入下面的 Alias 和对应的 <Directory> 段（原文以红色标出修改部分，这里给出完整示例）：

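<VirtualHost *:80>
    DocumentRoot "/var/www/yoursite"
    ServerName www.yoursite.com
    ServerAlias yoursite.com
    <Directory "/var/www/yoursite">
        Options FollowSymLinks ExecCGI
        # AllowOverride All is what lets the .htaccess redirect further down work.
        AllowOverride All
        # httpd 2.4 syntax only. The 2.2-style "Order allow,deny / Allow from all"
        # pair needs mod_access_compat and is redundant next to Require.
        Require all granted
    </Directory>
    # Serve ACME http-01 challenge files from the acme-tiny challenge directory.
    Alias /.well-known/acme-challenge "/home/crt/yoursite/www"
    <Directory "/home/crt/yoursite/www">
        # This directory only ever holds static challenge tokens: no CGI, no
        # symlink following, no .htaccess overrides. (The original granted
        # ExecCGI + AllowOverride All on a world-writable directory, which lets
        # any local user drop a script that runs as the apache user.)
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>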

#systemctl restart httpd.service

# cd /home/crt/

vi renew_cert.sh

========== 以下为 renew_cert.sh 的内容（原文以红字标出）：

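#!/usr/bin/env bash
# renew_cert.sh -- obtain/renew a Let's Encrypt certificate with acme-tiny and
# reload Apache. Meant to run from root's crontab (see below): root is needed to
# read the private keys and to reload httpd.
#
# Layout expected under /home/crt/<site>/ (created in the steps above):
#   account.key  domain.csr  www/   (www/ is the challenge dir aliased in httpd.conf)
set -u

#######################################
# Request a signed certificate for one site and build its chain file.
# Arguments: $1 - site directory name under /home/crt (e.g. yoursite)
# Outputs:   <site>/signed.crt, <site>/intermediate.pem, <site>/chained.pem
# Exits the script on any failure, leaving the previous files untouched.
#######################################
getCrt() {
  local base=/home/crt
  local site="${base}/${1:?site name required}"
  local tmp_crt tmp_int

  # Sign into a temp file and rename only on success. The original
  # `... > signed.crt || exit` truncated the live certificate *before*
  # acme_tiny ran, so one failed renewal left Apache with an empty cert file
  # that broke its next restart.
  tmp_crt=$(mktemp "${site}/signed.crt.XXXXXX") || exit 1
  if ! python "${base}/acme_tiny.py" \
        --account-key "${site}/account.key" \
        --csr "${site}/domain.csr" \
        --acme-dir "${site}/www/" > "${tmp_crt}"; then
    rm -f -- "${tmp_crt}"
    exit 1
  fi
  mv -f -- "${tmp_crt}" "${site}/signed.crt"

  # Intermediate certificate. This URL is the X3 cross-signed cert from when
  # the post was written; Let's Encrypt rotates intermediates, so check it still
  # matches the issuer of signed.crt. Newer acme-tiny releases already return
  # the full chain in signed.crt -- if yours does, intermediate.pem is redundant.
  # Download to a temp file so a failed fetch cannot leave an empty pem behind
  # (the original ignored wget's exit status).
  tmp_int=$(mktemp "${site}/intermediate.pem.XXXXXX") || exit 1
  if ! wget -q -O "${tmp_int}" https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem; then
    rm -f -- "${tmp_int}"
    exit 1
  fi
  mv -f -- "${tmp_int}" "${site}/intermediate.pem"

  cat "${site}/signed.crt" "${site}/intermediate.pem" > "${site}/chained.pem" || exit 1
}
getCrt yoursite

# A graceful reload is enough for httpd to pick up the new certificate and does
# not drop in-flight connections. No sudo needed: this runs from root's crontab.
systemctl reload httpd.service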

#chmod +x renew_cert.sh

#bash renew_cert.sh      （与下面 crontab 里一致，用 bash 运行；首次手动执行时留意输出，确认签发成功）

运行成功后会在 /home/crt/yoursite/ 下生成 signed.crt、intermediate.pem 和 chained.pem。

mod_ssl 自带的 /etc/httpd/conf.d/ssl.conf 里有一个使用自签名证书的默认 *:443 虚拟主机，会和下面的配置冲突，需要清空它的内容（建议先备份）。注意该文件同时包含 `Listen 443 https`，而 httpd.conf 默认只有 `Listen 80`，所以清空后要在 httpd.conf 里（任何 <VirtualHost> 之外）补一行 `Listen 443 https`，否则 httpd 根本不会监听 443 端口。

修改 httpd.conf，增加下面的 *:443 虚拟主机（原文以红字标出）：

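# NameVirtualHost is ignored by httpd 2.4 (it only logs a warning), so it is dropped.
# A "Listen 443 https" directive must exist exactly once in the server config;
# mod_ssl's /etc/httpd/conf.d/ssl.conf normally provides it, so if you emptied
# that file, add the Listen line back in httpd.conf (outside any <VirtualHost>).
<VirtualHost *:443>
    DocumentRoot "/var/www/yoursite"
    ServerName www.yoursite.com
    ServerAlias yoursite.com
    SSLEngine on
    SSLHonorCipherOrder on

    # TLS 1.0/1.1 are deprecated (RFC 8996): allow TLS 1.2 and newer only.
    # (The original only disabled SSLv2/SSLv3.)
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # No RC4/MD5/DSS/anonymous suites, and no 3DES (64-bit block cipher, SWEET32).
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!3DES

    # Leaf certificate and its private key (the key should be readable by root only;
    # httpd reads it as root at startup/reload).
    SSLCertificateFile /home/crt/yoursite/signed.crt
    SSLCertificateKeyFile /home/crt/yoursite/domain.key
    # Intermediate only: chained.pem is signed.crt + intermediate.pem, so pointing
    # the chain file at it (as the original did) sends the leaf twice. On httpd
    # >= 2.4.8 you can instead set SSLCertificateFile to chained.pem and drop this.
    SSLCertificateChainFile /home/crt/yoursite/intermediate.pem
    <Directory "/var/www/yoursite">
        Options FollowSymLinks ExecCGI
        # AllowOverride All is required for the .htaccess redirect below.
        AllowOverride All
        # httpd 2.4 syntax only; the 2.2-style Order/Allow lines were redundant.
        Require all granted
    </Directory>
</VirtualHost>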

#systemctl restart httpd.service

访问 https://www.yoursite.com

可以在站点目录（DocumentRoot，即 /var/www/yoursite）下创建 .htaccess 来把 http 访问强制跳转到 https。这依赖上面 <Directory "/var/www/yoursite"> 里的 AllowOverride All；它不会影响 /.well-known/acme-challenge，因为该路径已被 Alias 映射到 /home/crt/yoursite/www，这个 .htaccess 对它不生效。

# Permanently redirect every plain-HTTP request to the same URL over HTTPS.
RewriteEngine On
# %{HTTPS} is "on" only for requests handled by the *:443 virtual host.
RewriteCond %{HTTPS} off
# NOTE(review): %{HTTP_HOST} echoes the client's Host header; if this vhost is
# also the server's default vhost, consider a fixed hostname here instead.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

添加到定时任务中。用 root 的 crontab：脚本需要读取私钥并 reload httpd（也可以改为让一个专用的非 root 用户运行 acme_tiny，只给它账户私钥和 www 目录的权限，再单独处理 httpd 的 reload）：

crontab -e

// 添加任务：每月 1 日凌晨运行一次。证书有效期 90 天，按月续期即使某次失败也还有余量；把输出写入日志，便于排查续期失败。
0 0 1 * * /usr/bin/bash /home/crt/renew_cert.sh >> /var/log/renew_cert.log 2>&1

sudo systemctl restart crond.service   （可选：crontab -e 保存后 crond 会自动读取新任务，通常不需要重启）