使用certbot便捷管理网站lets-encrypt证书

fanyixinwen

不管是通信安全还是搜素引擎收录需要，SSL证书现在基本是建站的标配了。除了通过宝塔等面板申请和管理Let’s Encrypt证书，现在也可以通过certbot，非常简便。

官网：
https://certbot.eff.org/lets-encrypt/debianjessie-nginx

根据自己使用的网页服务器类型和操作系统，系统会自动匹配相应代码：

然后按照页面提示一步步操作就行了。

---

下面以nginx和Debian9为例说明：

• 移除系统已有的certbot:

apt-get remove certbot

• 安装certbot：

wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto

• 自动申请证书并整合进入nginx：

/usr/local/bin/certbot-auto --nginx

具体安装中，会要求输入邮箱，同意协议、订阅EFF信息，并确认域名、是否强制跳转https。

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/translatorsnews.com.conf

注意证书的保存位置和到期日：

 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/translatorsnews.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/translatorsnews.com/privkey.pem
   Your cert will expire on 2020-05-07.

• 最后设置证书自动更新：

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null

现在打开网站看看，是不是已经有小锁了？

你还可以通过这个网站进一步验证网站的安全性: https://www.ssllabs.com/ssltest/