Introduction

Website: https://letsencrypt.org/

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

Install

CentOS 7: run systemctl stop firewalld, and make sure port 443 is open.

$ sudo yum install epel-release
$ sudo yum install certbot
$ ~/lnmp stop        # free ports 80/443 first: the standalone plugin starts its own web server
$ certbot certonly --standalone-supported-challenges http-01 -d cto.rocks -d www.cto.rocks
# or (the flag above is deprecated in newer certbot releases, which use --preferred-challenges http):
$ certbot certonly --standalone -d cto.rocks -d www.cto.rocks
$ cd /etc/letsencrypt/live/cto.rocks
$ ll
总用量 0
lrwxrwxrwx 1 root root 33 8月   5 18:34 cert.pem -> ../../archive/cto.rocks/cert1.pem
lrwxrwxrwx 1 root root 34 8月   5 18:34 chain.pem -> ../../archive/cto.rocks/chain1.pem
lrwxrwxrwx 1 root root 38 8月   5 18:34 fullchain.pem -> ../../archive/cto.rocks/fullchain1.pem
lrwxrwxrwx 1 root root 36 8月   5 18:34 privkey.pem -> ../../archive/cto.rocks/privkey1.pem
$ cd /usr/local/nginx/conf/vhost/
$ cat cto.rocks.conf
server {
        listen 80;
        server_name cto.rocks www.cto.rocks;
        rewrite ^(.*) https://$server_name$1 permanent;
}
server {
        #listen  80;
        listen  443 ssl;        # equivalent to "listen 443;" plus "ssl on;", which is deprecated since nginx 1.15
        server_name  cto.rocks www.cto.rocks;

        ssl_certificate /etc/letsencrypt/live/cto.rocks/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/cto.rocks/privkey.pem;
# OCSP stapling, requires nginx version > 1.3.7
#       ssl_stapling on;
#       ssl_stapling_verify on;
#       ssl_trusted_certificate /etc/letsencrypt/live/cto.rocks/chain.pem;
        access_log /home/wwwlogs/access_ctorocks.log;
        # ... remaining directives of this server block (root, location, ...) are not shown in the original
}
$ crontab -e
# renew every Monday at 05:43 and reload nginx so it picks up the new files;
# with the yum-installed certbot the command is "certbot renew" instead of letsencrypt-auto.
# note: renewal reuses the standalone plugin, which needs port 80 free, so it fails while nginx
# is running; add --pre-hook "service nginx stop" or switch the renewal to the webroot plugin.
43 5 * * 1 /opt/letsencrypt/letsencrypt-auto renew --quiet --post-hook "service nginx reload" >> /var/log/le-renew.log
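As a post-deployment check that is not part of the original note: this added Python script (assumed file name check_cert.py; the hostnames cto.rocks and www.cto.rocks come from the page) connects with a verifying TLS context, so an incomplete chain fails the same way it would in a browser, then reports how many days remain on the served certificate, whether the cron renewal should already have fired, and whether the SAN list covers both names. Only check_host() needs network access; the helpers are pure and can be fed values from getpeercert().

```python
"""check_cert.py - verify the certificate nginx serves after a Let's Encrypt deployment."""
import socket
import ssl
import time

# Let's Encrypt certificates are valid for 90 days and "certbot renew" only replaces
# them when fewer than 30 days remain, so a live certificate below this threshold
# means the cron job is not doing its work.
RENEW_THRESHOLD_DAYS = 30


def days_remaining(not_after, now=None):
    """Days until the 'notAfter' string from getpeercert() (e.g. 'Aug  5 18:34:00 2017 GMT') passes."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expires - now) / 86400.0


def renewal_due(not_after, now=None, threshold=RENEW_THRESHOLD_DAYS):
    """True when certbot should already have renewed this certificate."""
    return days_remaining(not_after, now) < threshold


def missing_hostnames(cert, expected):
    """Names in `expected` that the certificate's subjectAltName does not cover (case-insensitive)."""
    sans = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return sorted(name.lower() for name in expected if name.lower() not in sans)


def check_host(host, port=443, expected=("cto.rocks", "www.cto.rocks")):
    """Fetch the served certificate with full verification and summarise its state."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, like a browser
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    left = days_remaining(cert["notAfter"])
    return {
        "issuer": dict(rdn[0] for rdn in cert["issuer"]).get("organizationName"),
        "days_remaining": round(left, 1),
        "renewal_due": left < RENEW_THRESHOLD_DAYS,
        "missing_hostnames": missing_hostnames(cert, expected),
    }


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "cto.rocks"))
```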

References

  1. http://letsencrypt.readthedocs.io/en/latest/using.html

  2. https://bjornjohansen.no/lets-encrypt-for-nginx

  3. https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx

  4. https://certbot.eff.org/docs/using.html#plugins