
Setting up HTTPS on nginx with certbot, and HTTPS on an Alibaba Cloud load balancer

Date: 2024-05-16 13:33:56


Setting up HTTPS on nginx with certbot

References: certbot; certbot official website; Apache configuration documentation

Install the automatic certificate tool certbot

yum install -y epel-release
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install certbot
# sudo certbot certonly

If running certbot fails with one of the following errors:

## pkg_resources.DistributionNotFound: The 'urllib3<1.23,>=1.21.1' distribution was not found and is required by requests
rm /usr/lib/python2.7/site-packages/urllib3* -rf
python2.7 -m pip install urllib3

## ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
pip show pyOpenSSL
yum remove certbot pyOpenSSL
pip uninstall pyOpenSSL
yum install -y python-devel
yum install -y openssl-devel
pip install certbot
certbot certificates

Configure Nginx

vi /usr/local/nginx/conf/nginx.conf

# inside server { }: serve the ACME http-01 challenge files from the webroot
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /data/www;
}

service nginx reload

Request the certificate

Web + FS server: 192.168.1.152

certbot certonly --webroot \
    -w /data/www \
    -d <domain> \
    -d <domain> \
    -d <domain>

[root@izuf6b281zcjzt94z7ikdlz nginx]# certbot certonly --webroot -w /data/www -d <domain> -d <domain> -d <domain> -d <domain> -d <domain>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/<domain>)

It contains these names: <domain>, <domain>, <domain>

You requested these names for the new certificate: <domain>, <domain>, <domain>,
<domain>, <domain>.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for <domain>
http-01 challenge for <domain>
Using the webroot path /data/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<domain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<domain>/privkey.pem
   Your cert will expire on -12-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   /donate
   Donating to EFF:                    /donate-le

Automatic certificate renewal

certbot renew

This command attempts to renew every previously obtained certificate that expires within 30 days. Unless you specify other plugins or options, it uses the same plugins and options that were used when the certificate was originally issued. Unlike certonly, renew acts on multiple certificates and always considers whether each one is near expiry. renew is therefore suitable for (and designed for) automated use, so that the system can renew each certificate automatically when the time comes. Because renew only touches certificates that are near expiry, it can be run as often as you like; most of the time it takes no action at all.

The renew command supports hooks that run a command or script before or after a certificate is renewed. For example, if you have a single certificate obtained with the standalone plugin, you may need to stop the web server before renewal so that the standalone server can bind to the required port, and start it again once the plugin has finished. Example:

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

If a hook exits with a non-zero exit code, the error is printed to stderr but the renewal is attempted anyway. A failing hook does not by itself make Certbot exit with a non-zero code; however, because Certbot exits non-zero when a renewal fails, a failing hook that causes the renewal to fail will indirectly produce a non-zero exit code. Hooks only run when a certificate actually needs renewing, so you can run the command above frequently without repeatedly stopping the web server.

When Certbot finds a certificate that is due for renewal, --pre-hook runs before and --post-hook runs after each renewal attempt. If you want a hook to run only after a successful renewal, use --deploy-hook in a command like this:

certbot renew --deploy-hook /path/to/deploy-hook-script

/path/to/deploy-hook-script

#!/bin/sh

set -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        <domain>)
                daemon_cert_root=/etc/some-daemon/certs

                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown some-daemon "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"
                chmod 400 "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"

                service some-daemon restart >/dev/null
                ;;
        esac
done

certbot renew --dry-run

# add a Linux cron job
vi /etc/crontab
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
32 3 * * * root /usr/bin/certbot renew 1>>/data/logs/crontab/certbot-auto.log 2>&1
35 3 * * 1 root /usr/sbin/service nginx reload 1>>/data/logs/crontab/nginx-reload.log 2>&1

# or write your own nginx reload script
# 35 3 * * 1 root /usr/local/nginx/loadNginx.sh 1>>/data/logs/crontab/nginx-reload.log 2>&1
# use absolute paths: cron does not run with /usr/local/nginx as its working directory
echo "exec /usr/local/nginx/sbin/nginx -s reload" > /usr/local/nginx/loadNginx.sh
chmod +x /usr/local/nginx/loadNginx.sh

Configure HTTPS in nginx

http {
    ...
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments enable TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        ...
        listen 443 ssl;
        ...
    }
}

View the certificates

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: <domain>
    Domains: <domain> <domain> <domain> <domain> <domain>
    Expiry Date: -12-27 12:29:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/<domain>/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/<domain>/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Appendix 1: adding the HTTPS module to an existing nginx build

cd /data/install-pkg/nginx-1.8.0
./configure --user=www --prefix=/usr/local/nginx --with-http_ssl_module --error-log-path=/data/logs/nginx/error.log --http-log-path=/data/logs/nginx/access.log
make
cd /usr/local/nginx/sbin
cp nginx nginx_bak
service nginx stop
ps -ef | grep nginx        # if any nginx processes remain, kill them
cp /data/install-pkg/nginx-1.8.0/objs/nginx ./
service nginx start

Appendix 2: reference nginx.conf

user www www;
worker_processes 2;
worker_cpu_affinity 1010 0101;
error_log /data/logs/nginx_error.log crit;
pid /var/run/nginx.pid;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    charset utf8;
    #access_log logs/access.log main;

    # define the format in which the access log is written
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" $http_x_forwarded_for $host $upstream_response_time $request_time';
    access_log /data/logs/nginx_access.log access;

    # request buffers
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 300m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    client_body_buffer_size 512k;

    #### the following block has to be added
    proxy_connect_timeout 5;
    proxy_read_timeout 60;
    proxy_send_timeout 5;
    proxy_buffer_size 16k;
    proxy_buffers 4 1024k;
    proxy_busy_buffers_size 1024k;
    proxy_temp_file_write_size 1024k;
    server_tokens off;

    # enable gzip for HTML, CSS, JS, XML and similar files to reduce transfer size and speed up access
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # HTTPS configuration
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen 80;
        listen 443 ssl;
        server_name <domain>;
        index index.html index.htm index.jsp index.do default.do default.jsp;
        root /data/www/front;
        access_log /data/logs/nginx_access.log access;

        # all JSP pages are handed to Tomcat
        location / {
            proxy_set_header Host "<domain>";
            proxy_set_header Real-Host $host;
            proxy_set_header X-Forward-For $remote_addr;
            proxy_pass http://10.144.82.104:8080;
        }
        location ^~ /res/ {
            rewrite ^(.*)\;jsessionid=(.*)$ $1 break;
            root /data/www/front/ROOT;
        }
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /data/www;
        }
        location = /favicon.ico {
            root /data/www;
        }
    }

    server {
        listen 80;
        server_name <domain>;
        index index.html index.htm index.jsp index.do default.do default.jsp;
        root /data/www/fs;
        if ( -d $request_filename ) {
            rewrite ^/(.*)([^/])$ http://$host/$1$2/ permanent;
        }
        location / {
            expires 30d;
        }
        location ~ .*\.(js|css)?$ {
            expires 1h;
        }
    }
}

Problems encountered

On Alibaba Cloud, port 443 must be opened in the firewall, or the security group must allow port 443. If the public IP belongs to an Alibaba Cloud load balancer, a listener on port 443 must be added on the load balancer (optimization: set the port-80 listener to the HTTP protocol and have it forward to port 443). Configure an HTTPS listener on port 443 -> choose "Create certificate" -> "Upload third-party certificate" -> upload the certbot certificate (the public part) and the private key from the server.
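Two things on this page make a post-renewal check worthwhile: certbot renew only acts on certificates within 30 days of expiry, and the certificate uploaded by hand to the Alibaba Cloud load balancer is a separate copy that certbot never renews. The Go program below is an added example, not code from the original post: it parses a fullchain.pem the way the certbot certificates listing above reports it, returning days left, whether the 30-day renewal window has been reached, and which expected hostnames the SAN list does not cover. The hostnames and the self-signed certificate it checks are constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CertStatus is what a post-renewal check needs to know about the leaf certificate.
type CertStatus struct {
	DaysLeft     int      // whole days until NotAfter
	NeedsRenewal bool     // true inside certbot's 30-day renewal window
	Missing      []string // expected hostnames not covered by the SAN list
}

// CheckFullchain parses the leaf (first) certificate of a fullchain.pem and checks
// its expiry and SAN coverage against the hostnames nginx must serve.
func CheckFullchain(fullchainPEM []byte, want []string, now time.Time) (CertStatus, error) {
	block, _ := pem.Decode(fullchainPEM) // the leaf comes first in fullchain.pem
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("no CERTIFICATE block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	days := int(leaf.NotAfter.Sub(now).Hours() / 24)
	st := CertStatus{DaysLeft: days, NeedsRenewal: days <= 30}
	for _, h := range want {
		if leaf.VerifyHostname(h) != nil { // VerifyHostname also handles wildcard SANs
			st.Missing = append(st.Missing, h)
		}
	}
	return st, nil
}

// SelfSignedPEM builds a throw-away certificate so the check can run offline;
// it is constructed test input, not a Let's Encrypt certificate.
func SelfSignedPEM(sans []string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Point CheckFullchain at /etc/letsencrypt/live/<domain>/fullchain.pem and at a copy of what the load balancer is serving, and alert when either copy reports NeedsRenewal or a non-empty Missing list.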
