非营利组织电子前沿基金会的 CertBot 是一个很好的工具,我们一般可以使用它来安装 Let’s Encrypt。当然如果懒的话也可以去 https://freessl.org/这个网站申请免费的证书,有钱的话也可以申请收费的!
1、安装 Git、BC、EPEL
yum -y install git bc epel-release
2、下载 Let’s Encrypt
git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt chmod +x letsencrypt-auto
3、安装证书
./letsencrypt-auto certonly --email 邮箱 -d 网址 //报错时执行下一行 certbot certonly --webroot -w 网站根目录 -d 网址 -m 邮箱 --agree-tos
可能会出现以下错误,这是因为 80 端口被占用,把 nginx 关掉就行了
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.xxxx.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
查看生成的文件,生成的证书位于/etc/letsencrypt/下;live 文件夹里面有证书文件 cert.pem - Apache 服务器端证书 chain.pem - Apache 根证书和中继证书 fullchain.pem - Nginx 所需要 ssl_certificate 文件 privkey.pem - 安全证书 KEY 文件
4、配置 nginx,使 https 生效(下面是完整配置稍微改一下就行了)
server
{
listen 80;
listen 443 ssl;
server_name iwhot.com www.iwhot.com;
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/iwhot.com;
#<a href="https://iwhot.com/tag/ssl" title="查看更多关于 SSL 的文章" target="_blank">SSL</a>-START <a href="https://iwhot.com/tag/ssl" title="查看更多关于 SSL 的文章" target="_blank">SSL</a>相关配置,请勿删除或修改下一行带注释的 404 规则
#error_page 404/404.html;
#HTTP_TO_HTTPS_START
if ($server_port !~ 443){
rewrite ^(/.*)$ https://$host$1 permanent;
}
#HTTP_TO_HTTPS_END
ssl_certificate /etc/letsencrypt/live/iwhot.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/iwhot.com/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:<a href="https://iwhot.com/tag/ssl" title="查看更多关于 SSL 的文章" target="_blank">SSL</a>:10m;
ssl_session_timeout 10m;
error_page 497 https://$host$request_uri;
limit_conn perserver 300;
limit_conn perip 25;
limit_rate 512k;
#<a href="https://iwhot.com/tag/ssl" title="查看更多关于 SSL 的文章" target="_blank">SSL</a>-END
#ERROR-PAGE-START 错误页配置,可以注释、删除或修改
error_page 404 /404.html;
error_page 502 /502.html;
#ERROR-PAGE-END
#PHP-INFO-START PHP 引用配置,可以注释或修改
#SECURITY-START 防盗链配置
location ~ .*\.(jpg|jpeg|gif|png|js|css)$
{
expires 30d;
access_log off;
valid_referers none blocked www.iwhot.com iwhot.com;
if ($invalid_referer){
return 404;
}
}
#SECURITY-END
include enable-php-56.conf;
#PHP-INFO-END
#REWRITE-START URL 重写规则引用,修改后将导致面板设置的伪静态规则失效
include /www/server/panel/vhost/rewrite/iwhot.com.conf;
#REWRITE-END
#禁止访问的文件或目录
location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
return 404;
}
#一键申请<a href="https://iwhot.com/tag/ssl" title="查看更多关于 SSL 的文章" target="_blank">SSL</a>证书验证目录相关设置
location ~ \.well-known{
allow all;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|eot|otf|ttf|woff|woff2)$
{
expires 30d;
error_log off;
access_log off;
}
location ~ .*\.(js|css)?$
{
expires 12h;
error_log off;
access_log off;
}
location ~ .*\.(eot|ttf|woff|svg|otf)$ {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers X-Requested-With;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
}
access_log /www/wwwlogs/iwhot.com.log;
error_log /www/wwwlogs/iwhot.com.error.log;
}
配置好后记得重启下 nginx
5、续期问题:Let’s Encrypt 证书是有效期 90 天的,需要我们自己手工更新续期才可以。 命令例子:
./letsencrypt-auto certonly --renew-by-default --email pptpd@qq.com -d iwhot.com -d www.iwhot.com
章顺的个人博客, 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明centos 利用 Let’s Encrypt 免费 SSL 证书配置 https!
