实现nginx上配置免费证书Let's Encrypt

Let's Encrypt 的免费证书有效期为三个月，不过可以免费续期，写一个脚本定期更新即可。

准备一台nginx 服务器 ，将以下三个附件上传到你的nginx服务器。

1、下载脚本文件，wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh//记得给予脚本755权限chmod +x letsencrypt.sh，letsencrypt.sh 是自动获取证书的脚本，无需更改其中代码。

2、下载脚本配置文件，wget  https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf，这里除了ACCOUNT_KEY 参数无需更改外，其他三个更改成你自己的，DOMAINS参数填入你的域名，DOMAIN_DIR  注意这个地方一定要和域名的配置目录保持一致，否则生成证书会出错。（这里很重要，如果这里没设置好会报以下错误）

Generate account key...Generating RSA private key, 4096 bit long modulus.....................................................................++...........++e is 65537 (0x10001)Generate domain key...Generating RSA private key, 2048 bit long modulus.........+++.........................+++e is 65537 (0x10001)Generate CSR...cptest.csrParsing account key...Parsing CSR...Registering account...Registered!Verifying cptest.xxx.com...Traceback (most recent call last):  File "/tmp/acme_tiny.py", line 198, inmain(sys.argv[1:])

File "/tmp/acme_tiny.py", line 194, in main

signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)

File "/tmp/acme_tiny.py", line 123, in get_crt

wellknown_path, wellknown_url))

ValueError: Wrote file to /data/wwwroot/testing/testing_server_test/.well-known/acme-challenge/wRf1bolKp92cX4YdHKIEMf9DxGhtnP6GvvOvB6rY2F0, but couldn't download http://cptest.xxx.com/.well-known/acme-challenge/wRf1bolKp92cX4YdHKIEMf9DxGhtnP6GvvOvB6rY2F0

3、执行脚本 ./letsencrypt.sh letsencrypt.conf 生成证书，如配置正确，执行成功后，最后会出现一句：New cert: ps_beefblock_com.chained.crt has been generated ，代表成功。

4、在nginx上配置SSL:

server{
listen 443 ssl;
ssl_certificate /usr/local/ssl/ps.beefblock.com/ps_beefblock_com.crt;
ssl_certificate_key /usr/local/ssl/ps.beefblock.com/ps_beefblock_com.key;
server_name ps.beefblock.com;
location ^~ /.well-known/  #这里是配合内网穿透做的正则匹配
{
root /opt/zbox; #这里的路径需要和DOMAIN_DIR的一致
}
location / {

proxy_pass http://192.168.5.250; #反向代理
}
}
server {
listen 80;
server_name pms.beliefblock.com;
rewrite ^(.*)$ https://pms.beliefblock.com$1 permanent; #所有http重载至https
}

5、因为Let's Encrypt证书的有效期只有90天，所以我们要定期给他更新，可以用crontab每月执行一次脚本更新：

0 0 1 * * /usr/local/ssl/ps.beefblock.com/letsencrypt.sh