certbot certonly --manual usage notes

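When setting up an SSL certificate for a website, letsencrypt.org is a good choice. letsencrypt.org is a free SSL certificate authority: you can use its certificates to deploy SSL at no cost and serve the site over HTTPS.

The best way to use letsencrypt.org certificates is to deploy them with the certbot software.

Of these, certbot-auto is a very pleasant command: it saves time and effort and is simple to operate.

However, there are inevitably cases where certbot-auto cannot be used to deploy the certificate, for example when the server is managed through a third-party control panel, or when a non-standard site configuration prevents certbot from correctly identifying the domain's files. In those cases you can try the manual mode of obtaining a certificate.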

certbot certonly --manual

How to do it:

Install certbot on the machine, then generate the certificate from the command line.

[root@localhost certbot_apache]# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): domain.com 【enter the domain name(s) the certificate is to be issued for】
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?【confirm that the IP of the machine generating the certificate is the IP address the domain resolves to】
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
hbr-OUM1OggoBYNbWYh6I0ifVxR4FAx8ZFAKE5P9uAE.ynRkKnAuShvO5L5-Bsi1zFZOwAOwPnmTNwNr91W5lQY【the validation string】
And make it available on your web server at this URL:
http://domain.com/.well-known/acme-challenge/hbr-OUM1OggoBYNbWYh6I0ifVxR4FAx8ZFAKE5P9uAE【following the directory structure given, create two folders and one file, and put the validation string above into the file】
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2020-01-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@localhost certbot_apache]#

At this point the certificate has been generated, and you can go on to deploy it manually.
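The manual step from the session above (two folders, one file, containing the validation string), written as a shell function. This is an added example, not part of the original post; the function name write_acme_challenge and its webroot argument are assumptions for illustration. It also rejects any pasted value that is not two base64url parts, so the file name cannot leave the challenge directory.

```shell
#!/bin/sh
# Added example: place an http-01 challenge file under a site's webroot.
# The function name and the WEBROOT argument are assumptions for illustration.

# write_acme_challenge WEBROOT VALIDATION
#   VALIDATION is the full string certbot prints ("<token>.<thumbprint>").
#   Prints the path of the file it created; returns non-zero on bad input.
write_acme_challenge() {
    webroot=$1
    validation=$2

    # The file name is the token: everything before the first dot.
    token=${validation%%.*}
    thumbprint=${validation#*.}

    # Require exactly "<token>.<thumbprint>", each part non-empty base64url
    # (A-Z a-z 0-9 - _). Anything else is refused, so a pasted value can
    # never contain "/" or ".." and write outside the challenge directory.
    case $validation in
        *.*) ;;
        *) echo "validation string has no '.' separator" >&2; return 1 ;;
    esac
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token" >&2; return 1 ;;
    esac
    case $thumbprint in
        ''|*[!A-Za-z0-9_-]*) echo "invalid key thumbprint" >&2; return 1 ;;
    esac
    [ -d "$webroot" ] || { echo "webroot not found: $webroot" >&2; return 1; }

    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # "Create a file containing just this data": write the string and nothing else.
    printf '%s' "$validation" > "$dir/$token" || return 1
    # The web server user must be able to traverse the folders and read the file.
    chmod 755 "$webroot/.well-known" "$dir" && chmod 644 "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}
```

Call it with the site's document root and the string certbot printed, then press Enter in the certbot session; the file can be deleted once certbot reports "Cleaning up challenges".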
