Free HTTPS (using Certbot to automatically configure a Let's Encrypt certificate)
Basics
- Let's Encrypt
In theory we could hand-make an SSL certificate ourselves, but a certificate we sign ourselves is not trusted by browsers, so we need one issued by a trusted certificate authority (CA).
Commercial SSL certificate issuance is usually paid and expensive. To speed up the adoption of HTTPS, the EFF (Electronic Frontier Foundation), the Mozilla Foundation and the University of Michigan founded a non-profit called the ISRG (Internet Security Research Group), which began issuing free Let's Encrypt certificates in 2015.
These certificates are not only free but also easy to use, so we can deploy HTTPS with a certificate from Let's Encrypt.
- Certbot
Certbot is an open-source tool that automates obtaining, installing, renewing and revoking HTTPS certificates.
Installing certbot
Official procedure
Select your web server software and operating system and install certbot.
Detailed steps provided by the official site.
Installation steps
1. Install snapd
yum install snapd
2. Start snapd
service snapd start
sudo systemctl start snapd.service
3. Make sure snapd is up to date
sudo snap install core
4. Remove certbot-auto and any Certbot OS packages
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot
5. Install certbot
sudo snap install --classic certbot
If this fails with: error: cannot install "certbot": classic confinement requires snaps under /snap or symlink from /snap to /var/lib/snapd/snap
it means the /snap symlink that snapd needs is missing or wrong; create it again:
sudo ln -s /var/lib/snapd/snap /snap
6. Link the certbot command into /usr/bin
sudo ln -s /snap/bin/certbot /usr/bin/certbot
7. Obtain the certificate and let Certbot edit your Nginx configuration to serve it
sudo certbot --nginx
You will be asked for an email address and the domain name(s); the details are below.
8. Test automatic renewal
sudo certbot renew --dry-run
Steps of certbot --nginx
Obtain the certificate and let Certbot automatically edit your Nginx configuration to serve it.
Along the way you have to answer a few prompts:
- Agree to the Terms of Service in order to register with the ACME server. Do you agree? y
- Once your first certificate is issued, are you willing to share your email address with the Electronic Frontier Foundation? y
- Enter the domain name(s) you want on the certificate (comma and/or space separated): rcbb.cc
Installation succeeded:
Requesting a certificate for rcbb.cc
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rcbb.cc/fullchain.pem
Key is saved at: /etc/letsencrypt/live/rcbb.cc/privkey.pem
This certificate expires on 2021-09-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for rcbb.cc to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://rcbb.cc
The full session:
[root@rcbb ~]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): 353875653@qq.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): rcbb.cc
Requesting a certificate for rcbb.cc
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rcbb.cc/fullchain.pem
Key is saved at: /etc/letsencrypt/live/rcbb.cc/privkey.pem
This certificate expires on 2021-09-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for rcbb.cc to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://rcbb.cc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@rcbb ~]#
Complete Nginx configuration
I tidied up the configuration it produced; this is all that is needed.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # www.rcbb.cc over plain HTTP: redirect to HTTPS (written by Certbot)
    server {
        if ($host = www.rcbb.cc) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        server_name www.rcbb.cc;
        return 404; # managed by Certbot
    }

    # rcbb.cc over plain HTTP: redirect everything to HTTPS
    server {
        listen 80;
        server_name rcbb.cc;
        rewrite ^(.*) https://$host$1 permanent;
    }

    # rcbb.cc over HTTPS, proxied to the application on 127.0.0.1:8090.
    # This block must not also 'listen 80': port 80 for rcbb.cc is already
    # bound by the redirect server above, and nginx would log
    # "conflicting server name" and ignore the duplicate.
    server {
        listen 443 ssl; # managed by Certbot
        server_name rcbb.cc;
        client_max_body_size 1024m;

        ssl_certificate /etc/letsencrypt/live/rcbb.cc/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/rcbb.cc/privkey.pem; # managed by Certbot

        location / {
            proxy_pass http://127.0.0.1:8090/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
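Before reloading nginx after Certbot has edited nginx.conf, I want to know that no two server blocks claim the same address:port and server_name (nginx only warns about this at startup and then silently ignores the later block) and that every ssl listener actually points at a certificate. The script below is an added example, not code from the original post or from Certbot; SAMPLE is a constructed config that deliberately contains both mistakes, and example.invalid is a placeholder name.

```python
# Added example (not from the original post): a lint for a Certbot-edited nginx.conf.
# It reports what nginx only warns about at startup: the same address:port plus
# server_name bound by two server blocks (nginx keeps the first, ignores the rest),
# and a "listen ... ssl" block with no ssl_certificate. SAMPLE is a constructed config.
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};"\']+')

def parse(text):
    """nginx config -> list of (name, args, children); comments are dropped."""
    toks, pos = [t for t in TOKEN.findall(text) if not t.startswith('#')], 0
    def block():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != '}':
            name, args, pos = toks[pos], [], pos + 1
            while toks[pos] not in ('{', ';'):
                args.append(toks[pos].strip('"\'')); pos += 1
            if toks[pos] == '{':
                pos += 1; items.append((name, args, block()))
            else:
                items.append((name, args, []))
            pos += 1  # consume the ';' or the closing '}'
        return items
    return block()

def lint(text):
    """Return findings for every server{} inside http{}."""
    findings, seen = [], set()
    for _, _, http in (d for d in parse(text) if d[0] == 'http'):
        for _, _, body in (d for d in http if d[0] == 'server'):
            names = [s for n, a, _ in body if n == 'server_name' for s in a] or ['(default)']
            has_cert = any(n == 'ssl_certificate' for n, _, _ in body)
            for args in (a for n, a, _ in body if n == 'listen'):
                addr, _, port = args[0].rpartition(':'); addr = addr or '*'
                for sn in names:
                    if (addr, port, sn) in seen:
                        findings.append(f'conflicting server name "{sn}" on {addr}:{port}: only the first block is used')
                    seen.add((addr, port, sn))
                if 'ssl' in args[1:] and not has_cert:
                    findings.append(f'listen {args[0]} ssl for "{names[0]}" has no ssl_certificate')
    return findings

SAMPLE = """http {
  server { listen 80; server_name rcbb.cc; rewrite ^(.*) https://$host$1 permanent; }
  server { listen 80; listen [::]:80; listen 443 ssl; server_name rcbb.cc;  # *:80 taken above
           ssl_certificate /etc/letsencrypt/live/rcbb.cc/fullchain.pem;
           ssl_certificate_key /etc/letsencrypt/live/rcbb.cc/privkey.pem;
           location / { proxy_pass http://127.0.0.1:8090/; } }
  server { listen 8443 ssl; server_name example.invalid; }  # constructed: ssl with no certificate
}"""
```

Run it as `python3 lint.py` after replacing SAMPLE with `open('/etc/nginx/nginx.conf').read()`; an empty list means both checks passed.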
Errors encountered
error: cannot install "certbot"
error: cannot install "certbot": classic confinement requires snaps under /snap or symlink from
/snap to /var/lib/snapd/snap
This means the /snap symlink that snapd needs is missing or wrong; create it again:
sudo ln -s /var/lib/snapd/snap /snap