Using Let's Encrypt free SSL/TLS certificates with nginx
Source: https://xiequan.info/在nginx-使用lets-encrypt-免費的ssltls-證書/
Let's Encrypt is a certificate authority due to launch at the end of 2015. It will provide free SSL/TLS certificates for secure websites through an automated process designed to eliminate the currently complex manual procedure of creating and installing certificates. [1] [2]
Let's Encrypt is a service provided by the Internet Security Research Group (ISRG, a public-benefit organization). Major sponsors include the Electronic Frontier Foundation, the Mozilla Foundation, Akamai and Cisco. On April 9, 2015, ISRG and the Linux Foundation announced a partnership.
The protocol used to implement this new certificate authority is called the Automatic Certificate Management Environment (ACME). A draft of the specification is on GitHub, and a version of the proposal has been published as an Internet Draft.
Let's Encrypt states that the process will be simple, automated and free.
On August 7, 2015, the service updated its launch schedule: the first certificate was expected to be issued sometime in the week of September 7, 2015, followed by issuing a small number of certificates to whitelisted domains and gradually expanding issuance. If everything goes according to plan, the service is expected to become generally available sometime in the week of November 16, 2015.
First, download the Let's Encrypt client
$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto
Create a template for the Let's Encrypt temporary file
The Let's Encrypt client creates a temporary file under webroot-path/.well-known/acme-challenge/ containing the token that the Let's Encrypt server fetches to validate your control of the domain. In the examples that follow, webroot-path is /var/www/letsencrypt.
We use this GitHub Gist as a template file containing the parameters Let's Encrypt needs to issue the certificate; without a template, the same parameters can be passed on the Let's Encrypt command line.
1. Create the directory where Let's Encrypt stores its temporary files and give it the required group ownership:
$ cd /var/www
$ mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
2. Create the file /etc/letsencrypt/configs/my-domain.conf, where my-domain is the domain you want to serve over HTTPS. Copy the contents of the Gist into it and set appropriate values for the domains, rsa-key-size, server and email fields:
# the domain we want to get the cert for;
# technically it's possible to have multiple of these lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = my-domain

# increase key size (2048 or 4096)
rsa-key-size = 2048

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = my-email

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/
Make the temporary file reachable by Let's Encrypt
1. Configure a virtual server in Nginx
server {
    listen 80 default_server;
    server_name my-domain;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    ...
}
2. Validate the configuration file and reload Nginx
$ sudo nginx -t && sudo nginx -s reload
Requesting the certificate
With the steps above in place, everything is ready and we can request the certificate.
$ cd /opt/letsencrypt
$ ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/my-domain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/my-domain/fullchain.pem. Your cert will expire on
   date. To obtain a new version of the certificate in the future, simply run
   Let's Encrypt again.
Loading the certificate in Nginx
1. Add the following to your Nginx configuration (this assumes you already know how to configure Nginx)
server {
    listen 443 ssl default_server;
    server_name my-domain;

    ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
    ...
}
2. Reload Nginx. Every time the configuration file changes, Nginx has to reload it before the new configuration takes effect
$ sudo nginx -t && sudo nginx -s reload
Automatically renewing Let's Encrypt certificates
Let's Encrypt certificates are valid for only 90 days; when that time is up they have to be renewed, much like a visa, and it is easy to forget. We can let cron do this for us automatically.
1. Create a shell script
#!/bin/sh
cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
if [ $? -ne 0 ]
then
    # renewal failed: report the tail of the client log (cron mails this output)
    ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
    printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
else
    # a new certificate was written under /etc/letsencrypt/live/; make nginx pick it up
    nginx -s reload
fi
exit 0
2. Create the directory /var/log/letsencrypt/
3. Run crontab -e and schedule the script to run every two months
# 00:00 on the 1st of every second month; numeric months, because lists of month
# names are not portable across cron implementations
0 0 1 1,3,5,7,9,11 * /path/to/renew-letsencrypt.sh
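The cron job above renews on a fixed calendar regardless of the certificate's actual state. The following wrapper, an added example rather than code from the original post, first checks how close the certificate in /etc/letsencrypt/live/my-domain/fullchain.pem is to its notAfter date, only runs letsencrypt-auto when fewer than RENEW_DAYS remain (or no certificate exists yet), and refuses to reload nginx when the configuration does not pass nginx -t. The paths, the DOMAIN/CERT/CONF/RENEW_DAYS variables and the 30-day threshold are assumptions; openssl and GNU date are required.

```shell
#!/bin/sh
# Added example (not part of the original post): renew a Let's Encrypt
# certificate only when it is close to expiry, and never reload nginx with a
# configuration that fails nginx -t. Paths follow the post; DOMAIN, CERT,
# CONF and RENEW_DAYS are assumed names that can be overridden via env.
DOMAIN="${DOMAIN:-my-domain}"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
CONF="${CONF:-/etc/letsencrypt/configs/$DOMAIN.conf}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # LE certs last 90 days; renew in the last 30

# needs_renewal CERT DAYS -> exit 0 when CERT is missing or expires within DAYS.
# If openssl itself fails (tool missing, unreadable file) this also returns 0,
# so the script errs toward renewing instead of silently letting the cert lapse.
needs_renewal() {
    [ -r "$1" ] || return 0
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" 2>/dev/null; then
        return 1    # still valid beyond the threshold
    fi
    return 0
}

# days_left CERT -> prints whole days until the certificate's notAfter date.
days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

renew() {
    if ! needs_renewal "$CERT" "$RENEW_DAYS"; then
        echo "$DOMAIN: $(days_left "$CERT") days left, nothing to do"
        return 0
    fi
    cd /opt/letsencrypt || return 1
    if ! ./letsencrypt-auto --config "$CONF" certonly; then
        echo "The Let's Encrypt cert for $DOMAIN has not been renewed!" >&2
        tail -n 20 /var/log/letsencrypt/letsencrypt.log >&2
        return 1
    fi
    # Reload only if the configuration parses: a failed reload would take the
    # site down right when the old certificate is about to expire.
    nginx -t && nginx -s reload
}

if [ "${1:-}" = "run" ]; then
    renew
fi
```

Run it from cron daily with the argument run; because it exits quietly while the certificate still has more than RENEW_DAYS of validity, a daily schedule is safe and catches a failed renewal with many days to spare.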
Official Nginx tutorial: https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/