Install certbot
https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
Run (the wildcard name is quoted so the shell does not try to expand it):
certbot certonly -d '*.xxx.com' -d xxx.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Prompt output:
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y    (enter Y here)
Please deploy a DNS TXT record under the name
_acme-challenge.xxx.com with the following value:
RqOr5idxUl8rMAoDRpkR0AsYrJArylF-xy398Lk4gko
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
This means you have to add a TXT record at your DNS provider: the host (prefix) is _acme-challenge
and the record value is RqOr5idxUl8rMAoDRpkR0AsYrJArylF-xy398Lk4gko.
Only after the record has taken effect should you press Enter to continue.
Please deploy a DNS TXT record under the name
_acme-challenge.jht-jewelry.cn with the following value:
2ax5DCUdIoKiwox2MPOrbPR8ps-8rlmPwLsgaXIhifA
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Same as the previous step: add another TXT record with the prefix _acme-challenge and the value 2ax5DCUdIoKiwox2MPOrbPR8ps-8rlmPwLsgaXIhifA.
Do not overwrite or delete the TXT record from the previous step.
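Certbot only tells you to "verify the record is deployed" before pressing Enter; if the TXT record is not yet visible, the challenge fails and you have to start over. The following shell script, an added example that is not part of the original post, polls the challenge name at a public resolver until the exact token appears. The domain, token and the resolver address are placeholders; it assumes `dig` is installed (the bind-utils package on CentOS 7).

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is visible before
# telling certbot to continue. Not part of the original post.

# txt_value_present DIG_OUTPUT EXPECTED
# Returns 0 if one of the TXT strings in DIG_OUTPUT equals EXPECTED exactly.
# dig +short prints each TXT value as a quoted string on its own line, so the
# quotes are stripped and the comparison is a whole-line fixed-string match:
# a substring match would accept a stale or mistyped token.
txt_value_present() {
    dig_output=$1
    expected=$2
    printf '%s\n' "$dig_output" | tr -d '"' | grep -qxF -- "$expected"
}

# wait_for_txt NAME EXPECTED [NAMESERVER] [ATTEMPTS]
# Polls NAME for a TXT record equal to EXPECTED, asking a public resolver
# (default 8.8.8.8, an assumption) rather than the local cache, so that a
# cached negative answer from an earlier lookup does not hide the new record.
wait_for_txt() {
    name=$1
    expected=$2
    ns=${3:-8.8.8.8}
    attempts=${4:-20}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        out=$(dig +short TXT "$name" "@$ns")
        if txt_value_present "$out" "$expected"; then
            echo "OK: $name carries TXT $expected"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "Timed out waiting for $name TXT $expected" >&2
    return 1
}

# Usage (placeholder domain and token): run this in a second terminal while
# certbot is waiting, and press Enter in certbot only when it prints OK.
# wait_for_txt _acme-challenge.xxx.com RqOr5idxUl8rMAoDRpkR0AsYrJArylF-xy398Lk4gko
```

Because a wildcard plus the bare domain produces two challenges with the same record name, the check matches any of the returned strings, so both tokens can coexist and each one is verified independently.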
Output on success:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jht-jewelry.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jht-jewelry.cn/privkey.pem
Your cert will expire on 2019-03-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate
Congratulations, the certificate has been issued. It expires on 2019-03-25 (the default validity period is only three months).
After issuance, /etc/letsencrypt/live/xxx.com contains symlinks to the certificate files:
| File | Contents |
| --- | --- |
| cert.pem | The server certificate |
| chain.pem | All the certificates a browser needs apart from the server certificate, such as root and intermediate certificates |
| fullchain.pem | cert.pem followed by chain.pem |
| privkey.pem | The certificate's private key |
In most cases fullchain.pem and privkey.pem are all you need.
Nginx SSL configuration
ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;