Mozilla、思科、Akamai、IdenTrust、EFF 和密歇根大学研究人员联合宣布了 Let’s Encrypt CA 项 目,计划为网站提供免费的基本 SSL 证书,以加速互联网从 HTTP 向 HTTPS 过渡。Let’s Encrypt CA 将由非赢利组织 Internet Security Research Group (ISRG) 运营,今天12月4日凌晨项目正式进入公测阶段,遂赶紧进行申请试用一下。
之前我申请证书都是用BS方式,这次是CS方式,感觉挺新鲜。
我的服务器环境 centos6.6
要安装python2.7,2.6在申请时会报错
下载地址 https://www.python.org/downloads/release/python-2710/
wget tar zxf Python-2.7.10.tgz cd Python-2.7.10 ./configure make && make install #把系统python命令指到新版本 which python /usr/local/bin/python rm /usr/local/bin/python ln -s /usr/local/bin/python2.7 /usr/local/bin/python
2.下载letsencrypt客户端
yum install -y git git clone https://github.com/letsencrypt/letsencrypt.git cd letsencrypt ./letsencrypt-auto --help Updating letsencrypt and virtual environment dependencies....... Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ... The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the cert. Major SUBCOMMANDS are: (default) run Obtain & install a cert in your current webserver certonly Obtain cert, but do not install it (aka "auth") install Install a previously obtained cert in a server revoke Revoke a previously obtained certificate rollback Rollback server configuration changes made during install config_changes Show changes made to server config during installation plugins Display information about installed plugins Choice of server plugins for obtaining and installing cert: --apache Use the Apache plugin for authentication & installation --standalone Run a standalone webserver for authentication (nginx support is experimental, buggy, and not installed by default) --webroot Place files in a server's webroot folder for authentication OR use different plugins to obtain (authenticate) the cert and then install it: --authenticator standalone --installer apache More detailed help: -h, --help [topic] print this message, or detailed help on a topic; the available topics are: all, automation, paths, security, testing, or any of the subcommands or plugins (certonly, install, nginx, apache, standalone, webroot, etc)
3.客户端可以为你提供申请+全自动安装apache/nginx等一条龙服务,这里我选择DIY,只申请,不用麻烦客户端了,执行以下命令
./letsencrypt-auto certonly --manual
输入你的域名
提示是否同意他们记录你这次请求的ip地址,同意
这一步是验证域名所有权,很关键
这一步的意思是,客户端将访问http://www.example.com/.well-known/acme-challenge/xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs 看看输出是不是 xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs.MOcybE5RrQ_NsGgFybrHkVcTSohWn2z0JDfTtQkHKQE
我是提前装了nginx服务器,那么只需要在我的网站根目录下创建目录和对应内容的文件,在公网能访问得到就可以了。
cd /wwwroot/ mkdir -p ./.well-known/acme-challenge/ echo xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs.MOcybE5RrQ_NsGgFybrHkVcTSohWn2z0JDfTtQkHKQE>./.well-known/acme-challenge/xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs 试试获取一下输出正常了没 curl 若正常,按回车。(如果还没装web服务器的话可以按照提示执行#run only once per server下面的命令)
4.证书获取成功
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-03-03. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
后面再发一篇博文讲述如何使用这个证书。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
