日常bb

Free HTTPS (using Certbot to configure a Let's Encrypt certificate automatically)

2023-03-21
Background

  • Let’s Encrypt

In theory we could hand-make an SSL certificate ourselves, but a certificate we sign ourselves is not trusted by browsers, so we need one issued by a trusted certificate authority (CA).
Commercial certificate issuance usually costs money, and not a little. To speed up the adoption of HTTPS, the EFF (Electronic Frontier Foundation), the Mozilla Foundation and the University of Michigan founded a non-profit called ISRG (Internet Security Research Group), which has been issuing free Let's Encrypt certificates since 2015.
These certificates are not only free but also quite easy to use, so we can deploy HTTPS with a free certificate from Let's Encrypt.

  • Certbot

Certbot is an open-source tool that automates obtaining, installing, renewing and revoking HTTPS certificates.

Installing certbot

Official procedure

https://certbot.eff.org/

Pick the web server and operating system you are using and install certbot.

The official site provides detailed step-by-step installation instructions.

Installation steps

1. Install snapd

yum install snapd

2. Start snapd (either command works)

service snapd start
sudo systemctl start snapd.service

3. Make sure snapd is up to date

sudo snap install core

4. Remove certbot-auto and any Certbot OS package (use the command for your package manager)

sudo apt-get remove certbot

sudo dnf remove certbot

sudo yum remove certbot

5. Install certbot

sudo snap install --classic certbot

If this fails with: error: cannot install "certbot": classic confinement requires snaps under /snap or symlink from /snap to /var/lib/snapd/snap

then the /snap symlink that classic snaps require is missing or wrong; create it again:

sudo ln -s /var/lib/snapd/snap /snap

6. Create a symlink so the certbot command is on the PATH

sudo ln -s /snap/bin/certbot /usr/bin/certbot

7. Obtain a certificate and let Certbot edit your Nginx configuration automatically to serve it

sudo certbot --nginx

You will be asked for an email address and the domain name(s); the prompts are walked through below.

8. Test automatic renewal

sudo certbot renew --dry-run
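A dry run only proves that renewal can work today; the failure seen in practice is the snap timer silently stopping months later, after which nothing notices until the certificate expires. The following monitor is an added example (not code from this post or from Certbot): it opens a verified TLS connection to the host, reads the certificate's notAfter and classifies the days remaining against Certbot's 30-day renewal window. The host name rcbb.cc is taken from the page; the status names are my own.

```python
"""Report how long the certificate an HTTPS host serves stays valid, so a renewal
timer that silently stops firing is noticed before the site goes down."""
import socket
import ssl
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 30  # Certbot renews once fewer than 30 days remain


def parse_not_after(not_after):
    """Turn the 'notAfter' string from ssl.getpeercert(), e.g.
    'Sep 14 12:00:00 2021 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).days


def classify(days):
    """Monitoring status: 'ok', 'renew-due' (inside Certbot's window) or 'expired'."""
    if days < 0:
        return "expired"
    return "renew-due" if days < RENEW_THRESHOLD_DAYS else "ok"


def fetch_not_after(host, port=443):
    """Open a verified TLS connection and return the leaf certificate's notAfter."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "rcbb.cc"  # domain from the post
    days = days_remaining(fetch_not_after(host))
    print(f"{host}: {days} days remaining -> {classify(days)}")
```

Alert when the status stays at renew-due for more than a day or two: Certbot should have renewed by then, so its timer is not running.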

The certbot --nginx prompts

This obtains a certificate and lets Certbot edit your Nginx configuration automatically to serve it.

Along the way you have to answer a few prompts; roughly translated:

  1. Agree to the Terms of Service in order to register with the ACME server. Do you agree? y
  2. Once your first certificate is issued, would you be willing to share your email address with the Electronic Frontier Foundation? y
  3. Enter the domain name(s) you want on the certificate (comma and/or space separated): rcbb.cc

Installed successfully~

Requesting a certificate for rcbb.cc

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rcbb.cc/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/rcbb.cc/privkey.pem
This certificate expires on 2021-09-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for rcbb.cc to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://rcbb.cc

Full session transcript.

[root@rcbb ~]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): 353875653@qq.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): rcbb.cc
Requesting a certificate for rcbb.cc

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rcbb.cc/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/rcbb.cc/privkey.pem
This certificate expires on 2021-09-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for rcbb.cc to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://rcbb.cc

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@rcbb ~]# 

Full Nginx configuration

I tidied up the configuration Certbot produced; the following is all that is needed.

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
  worker_connections 1024;
}

http {
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile            on;
  tcp_nopush          on;
  tcp_nodelay         on;
  keepalive_timeout   65;
  types_hash_max_size 2048;

  include /etc/nginx/mime.types;
  default_type        application/octet-stream;

  # www.rcbb.cc over plain HTTP: redirect to HTTPS (block written by Certbot)
  server {
    if ($host = www.rcbb.cc) {
      return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;

    server_name www.rcbb.cc;
    return 404; # managed by Certbot
  }

  # rcbb.cc over plain HTTP (IPv4 and IPv6): redirect everything to HTTPS
  server {
    listen 80;
    listen [::]:80;
    server_name rcbb.cc;
    rewrite ^(.*)  https://$host$1 permanent;
  }

  # rcbb.cc over HTTPS: terminate TLS here and proxy to the backend on 8090.
  # This block must not also carry "listen 80; listen [::]:80;": that would
  # conflict with the redirect server above (nginx warns "conflicting server
  # name" and ignores the later block on IPv4) and would serve the site in
  # plaintext on [::]:80.
  server {
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl;
    server_name rcbb.cc;
    client_max_body_size 1024m;
    location / {
      proxy_pass http://127.0.0.1:8090/;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ssl_certificate /etc/letsencrypt/live/rcbb.cc/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rcbb.cc/privkey.pem; # managed by Certbot
  }
}
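The mistake that is easy to make with a config like this is leaving a TLS server block also listening on port 80, which is the shape `certbot --nginx` produces when it appends `listen 443 ssl` to an existing HTTP server block: the name is then claimed twice on port 80 and, where no other block wins, the site answers in plaintext. The checker below is an added example (not part of this post or of nginx) that scans server blocks for exactly those two overlaps; the embedded SAMPLE is a constructed reduction of the rcbb.cc server blocks with the plain-HTTP listen lines still present in the TLS block.

```python
"""Flag two nginx overlaps that let a Certbot-managed site answer in plaintext: a TLS
server that also listens on port 80, and a name claimed by two servers on one port."""
import re
from collections import defaultdict

# Constructed sample: the rcbb.cc server blocks reduced to the directives the checks read.
SAMPLE = """
server { listen 80; server_name rcbb.cc; return 301 https://$host$request_uri; }
server {
  listen 80; listen [::]:80; server_name rcbb.cc;
  location / { proxy_pass http://127.0.0.1:8090/; }
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/rcbb.cc/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/rcbb.cc/privkey.pem;
}
"""

def server_blocks(text):
    """Body of every server { ... } block; nested braces (location) are skipped over."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments such as '# managed by Certbot'
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth:  # advance to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def directive(body, name):
    """Argument lists of every `name ...;` directive found in a block body."""
    return [a.split() for a in re.findall(rf"\b{name}\s+([^;]+);", body)]

def lint(text):
    findings, claims = [], defaultdict(list)
    for n, body in enumerate(server_blocks(text), 1):
        listens = directive(body, "listen")
        ports = {a[0].rsplit(":", 1)[-1] for a in listens}  # '[::]:80' -> '80'
        tls = any("ssl" in a for a in listens)
        if tls and "80" in ports:
            findings.append(f"server #{n}: TLS server also listens on port 80 (plaintext)")
        if tls and not (directive(body, "ssl_certificate") and directive(body, "ssl_certificate_key")):
            findings.append(f"server #{n}: listen ... ssl without ssl_certificate/_key")
        for name in sum(directive(body, "server_name"), []):
            for port in ports:
                claims[(port, name)].append(n)
    for (port, name), blocks in claims.items():
        if len(blocks) > 1:  # nginx warns "conflicting server name" and keeps the first
            findings.append(f"port {port}: {name} claimed by servers {blocks}; nginx keeps only #{blocks[0]}")
    return findings
```

Run `lint(open("/etc/nginx/nginx.conf").read())` after every `certbot --nginx` run; an empty list means the redirect block and the TLS block no longer overlap.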

Errors encountered

error: cannot install "certbot"

error: cannot install "certbot": classic confinement requires snaps under /snap or symlink from /snap to /var/lib/snapd/snap

This means the /snap symlink that classic snaps require is missing or wrong; create it again:

sudo ln -s /var/lib/snapd/snap /snap