服务端

网站支持https访问,使用Certbot安装Let's Encrypt证书

现在网站对安全性要求越来越高,很多浏览器与搜索引擎也引导网站使用https,google、apple等公司很多地方也要求使用https协议。

https是个趋势,今天就来尝试用Let's Encrypt提供的免费证书来支持https。

 

1.使用环境

系统:Debian
WEB:nginx

 

2.安装certbot

apt-get install certbot

 

3.运行certbot

仅生产证书命令certbot certonly
如果是要自动配置可以输入certbot certonly --nginx
或者自动:certbot --nginx

执行命令后,一路选择/输入配置,直到生产证书。大概分为

  1. 选择验证的方式。 1为启动一个临时的web服务,2为在当前web根目录放置一个文件。下面例子选择2
  2. 阅读协议,并同意。 A为同意,C为取消。下面例子选择A同意
  3. 接收电子邮件。 Y为是,N为否。下面例子选择N
  4. 输入要加入的域名,多个可以逗号或空格隔开。
  5. 输入各域名的web根目录。
  6. 证书生成完成。文件放在/etc/letsencrypt/live/yourdomain.com/目录
root@XXXXXX:~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): youremail@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): yourdomain.com pz.yourdomain.com api.yourdomain.com admin.yourdomain.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.yourdomain.com
http-01 challenge for api.yourdomain.com
http-01 challenge for yourdomain.com
http-01 challenge for pz.yourdomain.com
Input the webroot for admin.yourdomain.com: (Enter 'c' to cancel): /var/www/html

Select the webroot for api.yourdomain.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for yourdomain.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): /usr/share/nginx/html/yourdomain.com/react-front/build

** Invalid input **
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Input the webroot for yourdomain.com: (Enter 'c' to cancel): /usr/share/nginx/html/yourdomain.com/react-front/build

Select the webroot for pz.yourdomain.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /usr/share/nginx/html/yourdomain.com/react-front/build
3: /var/www/html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Input the webroot for pz.yourdomain.com: (Enter 'c' to cancel): /var/www/html/pz.yourdomain.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2020-06-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@XXXXXX:~#
root@XXXXXX:~#
root@XXXXXX:~#

 

4.配置nginx

打开所属域名的conf文件,添加如下:

server {
        # 使用http协议访问时自动重定向到https
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

        listen 80;
        # 打开443端口监听
    listen 443 ssl;
        server_name yourdomain.com;

        root /usr/share/nginx/html/;
        index index.html index.htm;

        # 配置证书路径
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

        location / {
                try_files $uri $uri/ /index.html;
        }
        location ^~ /assets/ {
                gzip_static on;
                expires max;
                add_header Cache-Control public;
        }
        error_page 500 502 503 504 /500.html;
        client_max_body_size 20M;
        keepalive_timeout 10;
}

 

5.好了

尽情玩耍吧

 

6.更新

3个月后,过期了吧,hhhhhh ~
更新命令

certbot renew #  更新
nginx -s reload #  重启nginx

示例:

root@XXXXXX:/etc/letsencrypt/live/yourdomain.com# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.yourdomain.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/yourdomain.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@XXXXXX:/etc/letsencrypt/live/yourdomain.com# 
root@XXXXXX:/etc/letsencrypt/live/yourdomain.com# 
root@XXXXXX:/etc/letsencrypt/live/yourdomain.com# 
root@XXXXXX:/etc/letsencrypt/live/yourdomain.com# nginx -s reload

如出现以下 错误提示 ,说明你可能修改过解析端口

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xx.yourdomain.com
   Type:   unauthorized
   Detail: 1xx.1xx.1xx.1xx: Invalid response from
   https://xx.yourdomain.com/.well-known/acme-challenge/z4fdsafd2BathtAVzkGS5fvYVt_zB3afds4q-dE-L1fdHNwg:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

解决方法,以nginx为例:
添加规则
server{
        location '/.well-known/acme-challenge'{
                root /var/www/html/xx.yourdomain.com;
        }
}

7.新增域名

在已生产的情况下,新增一个域名,流程跟步骤3类似
下面以one.yourdomain.com为例:

root@XXXXXX:/var/www/html# certbot certonly -d one.yourdomain.com --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for one.yourdomain.com
Input the webroot for one.yourdomain.com: (Enter 'c' to cancel): /var/www/html/one.yourdomain.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/one.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/one.yourdomain.com/privkey.pem
   Your cert will expire on 2021-04-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@XXXXXX:/var/www/html#

之后的nginx配置流程跟步骤4类似

8.常用命令

# 查看当前证书
certbot certificates

评论

暂无

添加新评论