Let's Encrypt: setting up HTTPS for nginx on CentOS/RHEL 7

Development needed a small admin backend that has to be reached over HTTPS; Let's Encrypt turned out to be quite convenient for this.

System environment:

CentOS 7.3, nginx 1.10.2

Installation:

yum install -y epel-release

yum install -y certbot

Set up DNS for the domain in question, e.g. abc.com (an A/AAAA record that points at this server; the CA resolves the name itself when it validates);

Method 1: create a .well-known directory directly under the site's web root and pass that web root to certbot with -w.

Method 2: create the .well-known directory elsewhere (here /etc/nginx/cert) and symlink it into the site's web root; then pass /etc/nginx/cert to -w. Either way, certbot writes the challenge file to <webroot>/.well-known/acme-challenge/<token> and the CA fetches http://<domain>/.well-known/acme-challenge/<token>, so nginx must serve that URI from that directory and must not redirect it or proxy it to an application.

On one run the command failed with:

An unexpected error occurred:
ValueError: Extra data: line 1 column 77 - line 38 column 1 (char 76 - 1828)
Please see the logfiles in /var/log/letsencrypt for more details.

Following method 2:

mkdir -p /etc/nginx/cert/.well-known
ln -s /etc/nginx/cert/.well-known /data/gop/gop.abc.com/.well-known
cd /data/gop/
ll
.well-known -> /etc/nginx/cert/.well-known/
certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com

Run the command:

certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com

Follow the prompts; normally the certificate files are generated without trouble.


This can also be done directly in nginx's default web root; at the time a folder had been created under /data/gop/ to hold the site, so that is where it went.

2.

certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): <your email address; if renewal does not happen, the expiry reminder is sent here>
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tng.abc.com
Using the webroot path /etc/nginx/cert for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/gop.abc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/gop.abc.com/privkey.pem
   Your cert will expire on 2018-05-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate files are stored in /etc/letsencrypt/live/<domain>/, where <domain> is the first name given with -d; here that is /etc/letsencrypt/live/gop.abc.com/. The directory holds four files:
cert.pem (the leaf certificate)
chain.pem (the intermediate chain)
fullchain.pem (cert.pem followed by chain.pem; this is what nginx's ssl_certificate should point at)
privkey.pem (the private key; leave it readable by root only and never place it under a web root)
Note that example.com in the paths above and in the generic nginx config below is only a placeholder; there is no /etc/letsencrypt/live/example.com/ here, the real directory is /etc/letsencrypt/live/gop.abc.com/. The entries in live/ are symlinks to the current versions in /etc/letsencrypt/archive/<domain>/, so pointing nginx at live/ keeps it on the newest certificate after each renewal (once nginx is reloaded). See the nginx configuration below for the actual gop.abc.com paths.
3.


The nginx configuration looks roughly like this:

server {
    listen  443 ssl http2;
    server_name example.com;
    index index.html index.htm index.php;
    root  /data/www/example.com;
 
    ssl_certificate       /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/example.com/privkey.pem;
 
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
 
    access_log  off;
}
 
server {
    listen  443 ssl http2;
    server_name test.example.com;
    index index.html index.htm index.php;
    root  /data/www/test.example.com;
 
    ssl_certificate       /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/example.com/privkey.pem;
 
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
 
    access_log  off;
}
 

Two settings in that generic vhost deserve attention. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 still offers TLS 1.0 and 1.1, which are deprecated and should be dropped unless a known legacy client needs them. The EDH+AESGCM and AES256+EDH suites in ssl_ciphers use finite-field Diffie-Hellman; on nginx versions before 1.11.0 (the 1.10.2 used here) those suites fall back to a built-in 1024-bit group when ssl_dhparam is not set, so either set ssl_dhparam to a 2048-bit group or keep only the ECDHE suites. Finally, nginx reads the certificate files only at startup or reload, so a renewed certificate under live/ is not served until nginx is reloaded.

Actual configuration: nginx reverse-proxying Tomcat:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    client_max_body_size 8M;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    upstream app {
        server localhost:9089;
    }

    server {
        listen 80;
        server_name gop.abc.com;
        rewrite ^(.*)$  https://$host$1 permanent;
    }

    server {
        listen 443 ssl;
        ssl on;
        server_name gop.abc.com;
        ssl_certificate /etc/letsencrypt/live/gop.abc.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/gop.abc.com/privkey.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD************';
        ssl_prefer_server_ciphers  on;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            #try_files $uri $uri/ =404;
            #include proxy_params;
            proxy_pass http://app;
            #proxy_redirect     off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            #proxy_redirect http:// https://;
            proxy_redirect http:// $scheme://;
            #    allow 11.11.11.11;
            #    allow 22.22.22.22;
            #    deny all;
        }
    }
}

4. Periodic renewal

crontab -e # add the following cron job
10 6 * * *  /bin/certbot renew --quiet --deploy-hook "systemctl reload nginx" >/dev/null 2>&1
Let's Encrypt certificates are valid for 90 days, and certbot renew only replaces a certificate that has less than 30 days left, so on most days this job does nothing. Two details matter: &> is a bash extension, and cron runs jobs with /bin/sh, which on systems where sh is not bash treats it as a background operator, so the portable >/dev/null 2>&1 is used instead; and nginx does not pick up the new files under /etc/letsencrypt/live/ until it is reloaded, which the deploy hook does only on runs that actually renewed something. certbot renew reuses the authenticator and webroot path recorded in /etc/letsencrypt/renewal/gop.abc.com.conf, so the challenge path must still be reachable through nginx at renewal time.


HTTPS test

Open https://gop.abc.com in a browser; Chrome normally shows a green padlock and the word Secure. Checking the served chain and expiry date with openssl s_client is a useful complement, since a browser will not tell you whether chain.pem was included.

Original URL:

https://www.cnblogs.com/mawang/p/6758728.html

The above is a small note for future reference.


PS: on the renewal problem: I received a renewal reminder email.

Running /bin/certbot renew as before gave an error:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gop.abc.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gop.abc.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gop.abc.com/.well-known/acme-challenge/dyWcllqMylBGnpdhsa8MTq0B1yl_HabaBanjj11s:
   "<!DOCTYPE html><html><head><title>
   report</title><style type="text/css">H1 {font-family:Tahoma,Arial"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Checking the log with tail -100f /var/log/letsencrypt/letsencrypt.log gave no clue, and after a long time reading the Let's Encrypt site I only half understood it. Then I stopped nginx and tried this command:

certbot renew --standalone

and it actually succeeded!


-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/gop.abc.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/gop.abc.com/fullchain.pem (success)
-------------------------------------------------------------------------------
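Why the webroot renewal failed, and how to make it work without stopping nginx: in the configuration above, the port-80 server block redirects every request to HTTPS, and the 443 block sends every request, including /.well-known/acme-challenge/<token>, to the proxied backend, whose HTML error page is exactly the "Invalid response" body in the certbot output. The block below is an added example (the editor's, not the original post's configuration) of the two server blocks with a dedicated challenge location placed ahead of both the redirect and the proxy, together with a hardened TLS section shown beside the weak setting it replaces. It assumes only the names from the post (gop.abc.com, webroot /etc/nginx/cert, backend on localhost:9089, certificates under /etc/letsencrypt/live/gop.abc.com/); everything else is illustrative.

```nginx
# Added example: serve the ACME http-01 challenge from the certbot webroot
# on both ports so that "certbot renew" (authenticator webroot, -w /etc/nginx/cert)
# succeeds while nginx keeps running. Assumed from the post: gop.abc.com,
# /etc/nginx/cert, backend localhost:9089, /etc/letsencrypt/live/gop.abc.com/.

upstream app {
    server 127.0.0.1:9089;
}

server {
    listen 80;
    server_name gop.abc.com;

    # certbot writes /etc/nginx/cert/.well-known/acme-challenge/<token>;
    # the CA requests http://gop.abc.com/.well-known/acme-challenge/<token>.
    # "root" appends the full URI, so /etc/nginx/cert is the correct root.
    # ^~ wins over any regex location and must come before the redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /etc/nginx/cert;
        default_type text/plain;
    }

    # Idiomatic form of the original rewrite ^(.*)$ https://$host$1 permanent;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name gop.abc.com;

    ssl_certificate     /etc/letsencrypt/live/gop.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gop.abc.com/privkey.pem;

    # Weak (original generic vhost): ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: TLS 1.2 only (TLS 1.3 needs nginx >= 1.13 and OpenSSL 1.1.1).
    ssl_protocols TLSv1.2;
    # ECDHE-only AES-GCM suites: no finite-field DH, so nginx 1.10's built-in
    # 1024-bit group is never used even though ssl_dhparam is not set.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Enable HSTS only once the redirect and the renewal path are known to work;
    # "always" also sends it on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Same challenge location here: the CA follows the 301 from port 80, and
    # without this block the token request would be proxied to the backend
    # and answered with its HTML error page.
    location ^~ /.well-known/acme-challenge/ {
        root /etc/nginx/cert;
        default_type text/plain;
    }

    location / {
        proxy_pass http://app;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect   http:// $scheme://;
    }
}
```

With this in place the renewal configuration certbot saved under /etc/letsencrypt/renewal/ (authenticator webroot, webroot path /etc/nginx/cert) keeps working, so certbot renew no longer needs --standalone or a stopped nginx; certbot renew --dry-run exercises the whole path against the staging environment without issuing a certificate. Because nginx reads the certificate files only at startup or reload, pair renewal with --deploy-hook "systemctl reload nginx". Before relying on it, place a test file in /etc/nginx/cert/.well-known/acme-challenge/ and request it over plain HTTP from outside the host: a 200 served by nginx, rather than a redirect loop or the backend's error page, confirms the location is reached.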





