Let’s Encrypt

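The certificate for the Elastic Chinese community site has expired, so this time I plan to try the free Let’s Encrypt certificate service. The certificates are only valid for three months at a time, though, so they need to be renewed regularly.

After some searching, the relevant commands are as follows.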

# Install certbot (pip and setuptools must be in place before setup.py will run)
sudo apt install python-pip
pip install setuptools
git clone https://github.com/certbot/certbot
cd certbot
sudo python setup.py install
certbot plugins

# Install the Cloudflare DNS plugin from the same checkout
cd certbot-dns-cloudflare
sudo python setup.py install
certbot plugins
cd ..

# Install the nginx plugin from the same checkout
cd certbot-nginx/
sudo python setup.py install
certbot plugins

# Create the configuration files
root@elasticsearch:/etc/letsencrypt# sudo certbot certonly --webroot -w /var/www/html/ -d elasticsearch.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for elasticsearch.cn
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/elasticsearch.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/elasticsearch.cn/privkey.pem
Your cert will expire on 2018-07-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@elasticsearch:/etc/letsencrypt# ls /etc/letsencrypt/live/elasticsearch.cn
README cert.pem chain.pem fullchain.pem privkey.pem

root@elasticsearch:/etc/letsencrypt# cd /etc/letsencrypt/live/elasticsearch.cn
openssl dhparam -out dhparam.pem 2048

# Nginx configuration file
ssl_certificate /etc/letsencrypt/live/elasticsearch.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elasticsearch.cn/privkey.pem;
# Must name the file written by the openssl dhparam command above
ssl_dhparam /etc/letsencrypt/live/elasticsearch.cn/dhparam.pem;

# Run the renew task every Monday at 2:30 a.m.
sudo crontab -e
30 2 * * 1 /usr/local/bin/certbot renew >> /var/log/le-renew.log
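
The setup above only keeps working if every file nginx references exists and the weekly renewal keeps succeeding. The shell functions below are an added example, not part of the original post, that check both; the function names and the 21-day default threshold are assumptions (certbot renews certificates with less than 30 days left, so with a weekly job a certificate below roughly three weeks means renewals are failing).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "<directive> <path>" for each TLS file directive in an nginx config.
ssl_paths() {
    awk '$1 ~ /^ssl_(certificate|certificate_key|dhparam)$/ {
             sub(/;$/, "", $2); print $1, $2 }' "$1"
}

# Report every referenced file that is missing or empty.
# Returns 0 only if all of them exist and are non-empty.
check_ssl_files() {
    ssl_paths "$1" | {
        rc=0
        while read -r directive path; do
            if [ ! -s "$path" ]; then
                echo "MISSING $directive $path"
                rc=1
            fi
        done
        [ "$rc" -eq 0 ]
    }
}

# Return 0 if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Full check: files present, and each ssl_certificate not close to expiry.
# $2 is the minimum number of days left (assumed default: 21).
audit_nginx_tls() {
    conf=$1 min_days=${2:-21}
    check_ssl_files "$conf" || return 1
    ssl_paths "$conf" | awk '$1 == "ssl_certificate" { print $2 }' | {
        rc=0
        while read -r cert; do
            if ! cert_valid_for_days "$cert" "$min_days"; then
                echo "EXPIRING $cert (less than $min_days days left)"
                rc=1
            fi
        done
        [ "$rc" -eq 0 ]
    }
}
```

Source the file and run `audit_nginx_tls` against the site's nginx configuration file; a non-zero exit status means a referenced file is missing or a certificate is close to expiry.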