CertBot, from the non-profit Electronic Frontier Foundation, is a good tool; we can generally use it to install Let's Encrypt certificates. If you would rather not bother, you can also apply for a free certificate at https://freessl.org/, and if you have the budget you can of course buy a paid one.
1. Install Git, bc and EPEL
yum -y install git bc epel-release
2. Download Let's Encrypt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
chmod +x letsencrypt-auto
3. Install the certificate
./letsencrypt-auto certonly --email <email> -d <domain>
If that command errors, run the following one instead (webroot mode, with <webroot> being the site's root directory):
certbot certonly --webroot -w <webroot> -d <domain> -m <email> --agree-tos
You may see the following error. It happens because port 80 is already in use (the standalone authenticator has to bind it itself), so stop nginx and run the command again:
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.xxxx.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Check the generated files: the certificates are placed under /etc/letsencrypt/, and the live folder holds the certificate files:
cert.pem - the server certificate (for Apache)
chain.pem - the root and intermediate certificates (for Apache)
fullchain.pem - the file nginx needs for ssl_certificate
privkey.pem - the certificate's private key file
4. Configure nginx so that HTTPS takes effect (below is a complete configuration; adjust it slightly for your site)
server {
    listen 80;
    listen 443 ssl;
    server_name iwhot.com www.iwhot.com;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/iwhot.com;

    #SSL-START SSL-related configuration; do not delete or modify the commented 404 rule on the next line
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate /etc/letsencrypt/live/iwhot.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iwhot.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497 https://$host$request_uri;
    limit_conn perserver 300;
    limit_conn perip 25;
    limit_rate 512k;
    #SSL-END

    #ERROR-PAGE-START error page configuration; may be commented out, deleted or modified
    error_page 404 /404.html;
    error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START PHP include configuration; may be commented out or modified
    #SECURITY-START hotlink protection
    location ~ .*\.(jpg|jpeg|gif|png|js|css)$ {
        expires 30d;
        access_log off;
        valid_referers none blocked www.iwhot.com iwhot.com;
        if ($invalid_referer){
            return 404;
        }
    }
    #SECURITY-END
    include enable-php-56.conf;
    #PHP-INFO-END

    #REWRITE-START URL rewrite rule include; modifying it will break the rewrite rules set in the panel
    include /www/server/panel/vhost/rewrite/iwhot.com.conf;
    #REWRITE-END

    # Files or directories that must not be accessible
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md) {
        return 404;
    }

    # Settings for the verification directory used by one-click SSL certificate requests
    location ~ \.well-known{
        allow all;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|eot|otf|ttf|woff|woff2)$ {
        expires 30d;
        error_log off;
        access_log off;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
        error_log off;
        access_log off;
    }

    location ~ .*\.(eot|ttf|woff|svg|otf)$ {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Headers X-Requested-With;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    }

    access_log /www/wwwlogs/iwhot.com.log;
    error_log /www/wwwlogs/iwhot.com.error.log;
}
After configuring it, remember to restart nginx.
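Before restarting nginx it is worth checking the TLS directives of the server block above once more. The following script is an added example written for this post; it is not nginx's, the panel's or certbot's own code. It pulls the flat directives out of an nginx config file and reports the settings that matter for a Let's Encrypt deployment: whether ssl_certificate points at fullchain.pem rather than cert.pem, whether the certificate files exist, whether deprecated protocol versions (TLS 1.0 and 1.1, deprecated by RFC 8996) are still offered, whether port 80 is redirected to HTTPS, and whether a location for /.well-known exists so webroot renewals keep working. SAMPLE_CONFIG is a constructed, shortened copy of the post's server block, and the config path in the usage comment is a hypothetical one.

```python
"""Audit the TLS-related directives of an nginx server block.

Added example for this post; not nginx's or the panel's own code. It reads
a config file, checks the settings that matter for a Let's Encrypt
deployment and returns a list of findings. SAMPLE_CONFIG is a constructed,
shortened copy of the post's server block."""
import os
import re
import sys

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 are long broken.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_CONFIG = """\
server {
    listen 80;
    listen 443 ssl;
    server_name iwhot.com www.iwhot.com;
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    ssl_certificate /etc/letsencrypt/live/iwhot.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iwhot.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location ~ \\.well-known{ allow all; }
}
"""


def directives(config_text):
    """(name, value) pairs for every flat 'name value;' directive, with
    comments stripped. Block headers (server, location, if) carry no ';'
    and are skipped; the directives inside them are still collected."""
    text = re.sub(r"#.*", "", config_text)
    return re.findall(r"\b([a-z_]+)\s+([^;{}]+?)\s*;", text)


def audit(config_text, check_files=False):
    """Return human-readable findings; an empty list means all checks passed.
    check_files=True also verifies that the certificate paths exist."""
    findings = []
    found = {}
    for name, value in directives(config_text):
        found.setdefault(name, []).append(value)

    protocols = set(" ".join(found.get("ssl_protocols", [])).split())
    if not protocols:
        findings.append("ssl_protocols not set; nginx defaults apply")
    weak = sorted(protocols & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(weak))

    for directive in ("ssl_certificate", "ssl_certificate_key"):
        paths = found.get(directive, [])
        if not paths:
            findings.append(f"{directive} missing")
        elif check_files:
            for p in paths:
                if not os.path.isfile(p):
                    findings.append(f"{directive} points to a missing file: {p}")

    # nginx must send the intermediate as well, which only fullchain.pem holds
    if "ssl_certificate" in found and not any(
            p.endswith("fullchain.pem") for p in found["ssl_certificate"]):
        findings.append("ssl_certificate should point at fullchain.pem, not cert.pem")

    if found.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    # Accept either the post's rewrite or a plain 'return 301 https://...'
    redirect = any("https://" in v
                   for v in found.get("return", []) + found.get("rewrite", []))
    if "80" in " ".join(found.get("listen", [])) and not redirect:
        findings.append("port 80 is served but no redirect to https found")

    if not re.search(r"location\s+[^{]*well-known", config_text):
        findings.append("no location for /.well-known (needed for --webroot renewals)")
    return findings


if __name__ == "__main__":
    # Usage (hypothetical path): python audit_nginx_tls.py /etc/nginx/conf.d/site.conf
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    problems = audit(text, check_files=bool(path))
    for p in problems:
        print("WARN:", p)
    print("clean" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run against the post's own server block the audit reports one finding, the TLSv1.1 entry in ssl_protocols; replacing that line with TLSv1.2 and TLSv1.3 makes it pass. The parser is deliberately flat: it does not model nested blocks, which is enough for these directives but means a directive appearing in two server blocks of one file is reported as a single combined list.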
5. Renewal: Let's Encrypt certificates are valid for 90 days, so we have to renew them manually ourselves. Example command:
./letsencrypt-auto certonly --renew-by-default --email pptpd@qq.com -d iwhot.com -d www.iwhot.com
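Since renewal is manual, the practical question is when to run that command. The script below is an added example written for this post, not certbot's or Let's Encrypt's code. It uses only the Python standard library: ssl.cert_time_to_seconds() understands the "Jun 12 16:26:58 2025 GMT" date format that both `openssl x509 -enddate` and a TLS socket's getpeercert() report, so the same logic works on the local fullchain.pem and on the live site. The 30-day window is the default renewal threshold certbot itself uses; SAMPLE_OPENSSL_OUTPUT is a constructed sample, and the hostname and path in the usage comment are placeholders.

```python
"""Check how many days a Let's Encrypt certificate has left and whether it
is time to renew. Added example for this post; not certbot's own code."""
import socket
import ssl
import subprocess
import sys
import time

# Renew when this many days or fewer remain. 30 is certbot's default window,
# so a 90-day certificate is renewed roughly 60 days after issue.
RENEW_WITHIN_DAYS = 30

# Constructed sample of 'openssl x509 -noout -enddate' output (not a real cert).
SAMPLE_OPENSSL_OUTPUT = "notAfter=Jun 12 16:26:58 2025 GMT\n"


def epoch_from_cert_time(cert_time):
    """'Jun 12 16:26:58 2025 GMT' -> seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def not_after_from_openssl_output(output):
    """Pull the date out of the 'notAfter=...' line printed by openssl."""
    for line in output.splitlines():
        if line.startswith("notAfter="):
            return line[len("notAfter="):].strip()
    raise ValueError("no notAfter= line in openssl output")


def not_after_from_pem_file(path):
    """Expiry of a local certificate file such as
    /etc/letsencrypt/live/<domain>/fullchain.pem (needs openssl on PATH)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        check=True, capture_output=True, text=True)
    return not_after_from_openssl_output(result.stdout)


def not_after_from_server(host, port=443):
    """Expiry of the certificate a live server presents. The default context
    verifies chain and hostname, so a server that serves cert.pem instead of
    fullchain.pem fails here with ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_to_expiry(not_after, now=None):
    """Days until the notAfter date (float; negative once expired)."""
    now = time.time() if now is None else now
    return (epoch_from_cert_time(not_after) - now) / 86400


def renewal_due(not_after, now=None, within_days=RENEW_WITHIN_DAYS):
    """True when the certificate is inside the renewal window."""
    return days_to_expiry(not_after, now) <= within_days


def renew_command(domains, email):
    """The post's renewal command as an argv list, one -d per domain."""
    cmd = ["./letsencrypt-auto", "certonly", "--renew-by-default", "--email", email]
    for d in domains:
        cmd += ["-d", d]
    return cmd


if __name__ == "__main__":
    # Usage (placeholders): python check_cert.py example.com /etc/letsencrypt/live/example.com/fullchain.pem
    for target in sys.argv[1:]:
        try:
            not_after = (not_after_from_pem_file(target) if target.endswith(".pem")
                         else not_after_from_server(target))
        except (OSError, ssl.SSLError, subprocess.CalledProcessError) as exc:
            print(f"{target}: check failed: {exc}")
            continue
        days = days_to_expiry(not_after)
        status = "RENEW NOW" if renewal_due(not_after) else "ok"
        print(f"{target}: expires {not_after} ({days:.1f} days left) {status}")
```

Run it from cron once a day and act on "RENEW NOW" with the command above, then restart nginx so it loads the new files. Checking the live site rather than only the file catches the case where the certificate was renewed on disk but nginx was never restarted and is still serving the old one.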