Creating a free HTTPS certificate with Let's Encrypt. In this walkthrough the certificate for the phpernote.com domain is generated by hand on a local Ubuntu machine, with no automatic web-server configuration and no automatic renewal.
Note: Let's Encrypt certificates are valid for 90 days. Because nothing here sets up auto-renewal, the whole procedure has to be repeated before the certificate expires.
1. Update the package lists and install certbot (skip if it is already installed)
sudo apt update
sudo apt install certbot python3-certbot-nginx # the nginx plugin is only needed if certbot is to edit the nginx config itself; the manual modes below only use certbot
2. Request the certificate manually (standalone mode, no automatic configuration)
Note: standalone mode temporarily starts its own web server on port 80 to answer the http-01 challenge, so stop whatever is listening on port 80 (usually nginx) before requesting; otherwise you get an error like the one below. Standalone mode also only works on the host that phpernote.com actually resolves to, because Let's Encrypt fetches the challenge from the domain's public address: if certbot runs on a local machine that is not that host, http-01 validation cannot succeed and the DNS-01 method in section 3 is the one to use.
root-docker@/etc/letsencrypt#certbot certonly --standalone -d phpernote.com -d www.phpernote.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for phpernote.com
http-01 challenge for www.phpernote.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Run the request command:
certbot certonly --standalone -d phpernote.com -d www.phpernote.com
-d specifies a domain name; repeat it for each additional name, and all of them are included in a single certificate.
During the request Certbot asks a few questions, for example:
An email address, used for expiry notices.
Whether you agree to the terms of service.
(With certonly nothing is changed in the web-server configuration, so the question about automatically redirecting HTTP to HTTPS does not appear; that prompt belongs to the nginx/apache installer plugins, which are not used here.)
3. Request the certificate with DNS-01 validation (manually added DNS record)
3.1 Request the certificate using DNS-01
certbot certonly --manual --preferred-challenges dns -d phpernote.com -d www.phpernote.com
This prints prompts like the ones below. Certbot asks for one TXT record per -d name, so after the record for phpernote.com shown here it will ask for a second one under _acme-challenge.www.phpernote.com; each record must be in place before you press Enter for it:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for phpernote.com
dns-01 challenge for www.phpernote.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.phpernote.com with the following value:
7mnyoK7vRt6fu7T6yzPSf1hIkfnX7WBNhdgzeNeC2C4
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
3.2 Add the TXT record in the domain's DNS control panel
Following the prompt above, add a TXT record like this:
_acme-challenge.phpernote.com TXT 7mnyoK7vRt6fu7T6yzPSf1hIkfnX7WBNhdgzeNeC2C4
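Let's Encrypt checks the TXT record on the zone's authoritative name servers, so "wait about ten minutes" is only a guess; a public recursive resolver that has already cached a "no such record" answer is also the wrong place to look. The script below is an added example, not part of the original post: it walks up the name to find the authoritative server and polls it until the exact value certbot printed is visible, so you know when it is safe to press Enter. It assumes dig is installed (package dnsutils on Ubuntu); the domain and token are the ones from the prompt above and are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: poll the authoritative name
# server until the _acme-challenge TXT record certbot asked for is visible,
# instead of waiting a fixed time before pressing Enter in certbot.
# Assumption: dig (package dnsutils on Ubuntu) is installed.

# Name certbot wants the record under: _acme-challenge.<domain>.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# $1: raw `dig +short TXT` output (one quoted string per line), $2: the value
# certbot printed. Succeeds only if some line equals the value exactly, so a
# stale record left over from an earlier run is not a false positive.
txt_contains() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -e "$2"
}

# First authoritative NS for the zone containing $1, stripping labels
# (www.phpernote.com -> phpernote.com) until an NS answer appears.
auth_ns() {
    zone="$1"
    while [ -n "$zone" ]; do
        ns=$(dig +short NS "$zone" | head -n 1)
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case "$zone" in
            *.*) zone="${zone#*.}" ;;
            *)   return 1 ;;
        esac
    done
    return 1
}

# Poll every $3 seconds (default 30) for at most $4 seconds (default 900).
wait_for_txt() {
    domain="$1"; expected="$2"; interval="${3:-30}"; timeout="${4:-900}"
    name=$(acme_txt_name "$domain")
    ns=$(auth_ns "$domain") || { echo "no NS found for $domain" >&2; return 2; }
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if txt_contains "$(dig +short TXT "$name" "@$ns")" "$expected"; then
            echo "$name is live on $ns after ${waited}s; press Enter in certbot"
            return 0
        fi
        sleep "$interval"; waited=$((waited + interval))
    done
    echo "$name still not visible on $ns after ${timeout}s" >&2
    return 1
}

# Usage: sh acme-txt-wait.sh phpernote.com 7mnyoK7vRt6fu7T6yzPSf1hIkfnX7WBNhdgzeNeC2C4
# Run it once per -d name, with the value certbot printed for that name.
if [ "$#" -eq 2 ]; then wait_for_txt "$1" "$2"; fi
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue"; for the www name, run it again with the _acme-challenge.www.phpernote.com value from the second prompt.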
Once the record is added, wait for it to propagate (about 10 minutes here; confirm with a DNS lookup that the record is actually visible rather than relying on the clock), then press Enter to continue and certbot prints:
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/phpernote.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/phpernote.com/privkey.pem
Your cert will expire on 2025-01-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
At this point the certificate has been generated successfully. Certificate file (leaf certificate plus chain):
/etc/letsencrypt/live/phpernote.com/fullchain.pem
Private key file:
/etc/letsencrypt/live/phpernote.com/privkey.pem
4. Rename and upload to the server. The files under /etc/letsencrypt/live/ are symlinks into ../archive/; scp follows them, so the current files are what gets copied. That directory is readable only by root, so run these commands as root (or with sudo), and keep the private key readable only by root on the server as well.
scp /etc/letsencrypt/live/phpernote.com/fullchain.pem root@123.56.71.70:/home/www/cert/phpernote.com.pem
scp /etc/letsencrypt/live/phpernote.com/privkey.pem root@123.56.71.70:/home/www/cert/phpernote.com.key
5. Check the nginx configuration and reload. The server block for the site must point ssl_certificate at the uploaded .pem and ssl_certificate_key at the uploaded .key; verify the configuration before applying it, and reload rather than restart so existing connections are not dropped.
nginx -t
service nginx reload
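Steps 4 and 5 upload the files but never show the nginx side. The script below is an added example, not part of the original post or of certbot: run as root on the server after the scp, it locks down the private key's permissions, refuses to proceed if the key does not belong to the certificate, writes a minimal HTTPS server block, and only reloads nginx if the configuration test passes. It also prints the days left until expiry, which matters because nothing here renews automatically. Assumptions (not from the original page): nginx includes /etc/nginx/conf.d/*.conf, the site's document root is /home/www/phpernote.com, and openssl and GNU date are available as on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post: server-side deployment after the
# scp in step 4. Assumptions: nginx loads /etc/nginx/conf.d/*.conf, the site
# root is /home/www/<domain>, openssl and GNU date are installed.

# Minimal HTTPS server block for $1 using certificate $2 and key $3. Port 80
# only redirects; certonly never touched the nginx configuration, so the
# redirect has to be configured here.
render_nginx_conf() {
    domain="$1"; cert="$2"; key="$3"
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $domain www.$domain;
    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols TLSv1.2 TLSv1.3;
    root /home/www/$domain;
}
EOF
}

# The chain is public; the private key must be readable by root only
# (nginx's master process runs as root and reads it at startup/reload).
secure_cert_files() {
    chmod 0644 "$1" && chmod 0600 "$2"
}

# Compare the public key inside the certificate with the one derived from
# the private key. Works for RSA and EC keys, unlike comparing the modulus.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Whole days until the certificate's notAfter; with no auto-renewal this is
# what tells you when to repeat the procedure.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

deploy() {
    domain="$1"
    cert="/home/www/cert/$domain.pem"   # uploaded in step 4
    key="/home/www/cert/$domain.key"
    secure_cert_files "$cert" "$key" || return 1
    cert_matches_key "$cert" "$key" || { echo "$key does not match $cert" >&2; return 1; }
    render_nginx_conf "$domain" "$cert" "$key" > "/etc/nginx/conf.d/$domain.conf"
    nginx -t && service nginx reload || return 1
    echo "$domain: certificate valid for $(cert_days_left "$cert") more days"
}

# Usage (as root on the server): sh deploy-cert.sh phpernote.com
if [ "$#" -eq 1 ]; then deploy "$1"; fi
```

The key/certificate match check is the one that catches the most common mistake at this step, a .key from a previous run uploaded next to a freshly issued .pem: nginx -t would fail on that too, but only after the old configuration was already overwritten.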