Modify by lyc at 2020-3-28
参考博文:
letsencrypt官网
Certbot官网
HTTPS-Certbot

1.Cerbot 安装

CentOS7 + Nginx + letsencrypt Cerbot

  • letsencrypt Cerbot + Nginx 生成免费的https证书
  • CA的证书提供商有许多个,有收费的有免费的,而 letsencrypt 就是其中之一的免费提供商
  • letsencrypt 安装免费证书的工具是Certbot
  • Certbot需要为每个站点独立配置证书,证书有效期为90天

安装

1
2
3
4
$ yum install -y epel-release
$ yum install -y yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
$ yum install -y certbot python2-certbot-nginx

Nginx软链接

因为我们的Nginx是编译安装的,所以要配置Nginx的二进制文件和配置文件目录做软链接供 Cerbot 读取。

1
2
$ ln -s /usr/local/nginx/sbin/nginx /usr/local/bin
$ ln -s /usr/local/nginx/conf/ /etc/nginx

Nginx Vhosts 配置

Cerbot 生成站点证书前提:

  • 站点需要dns解析到本机服务器
  • 站点配置到nginx的vhost
1
2
3
$ cd /usr/local/nginx/conf/vhosts/
$ ll
-rw-r--r-- 1 nginx nginx 1445 Mar 28 18:01 test1.lyc7456.com.conf

2.Cerbot 首次生成证书

两个生成证书的命令供使用

1
2
3
4
5
6
7
$ certbot --nginx               # 安装证书,自动编辑Nginx配置以为其提供服务
$ certbot certonly --nginx      # 仅安装证书,手动配置Nginx

# 非交互式获取证书
$ systemctl stop nginx
$ certbot certonly --standalone --agree-tos --register-unsafely-without-email -d v7ibf.serral.ml
$ systemctl start nginx

Cerbot 首次生成证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
$ certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): lyc7456@qq.com         # 输入邮箱地址
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A             # 同意协议

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: test1.lyc7456.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1          # 选择一个当前nginx下的站点域名
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test1.lyc7456.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test1.lyc7456.com/fullchain.pem            # 证书
   Your key file has been saved at:
   /etc/letsencrypt/live/test1.lyc7456.com/privkey.pem
   Your cert will expire on 2020-06-26. To obtain a new or tweaked  # 证书密钥
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3.Nginx添加ssl配置

nginx的vhosts配置,可以通过 certbot –nginx 创建证书时自动添加配置

https

1
2
3
4
5
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/test1.lyc7456.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/test1.lyc7456.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

http强制跳转https

1
2
3
4
5
6
7
8
9
10
11
server
{
    if ($host = test1.lyc7456.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen  80;
    server_name test1.lyc7456.com;
    return 404; # managed by Certbot

}

4.Cerbot renew证书

1
2
$ crontab -l
0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx