Configuring HTTPS on Linux

Choosing a Let's Encrypt certificate. 1. Install the Certbot client

1. Get the Certbot client. My install directory is /home/downloads
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    ./certbot-auto --help
2. Configure nginx so that domain ownership can be verified. Add the following to /usr/local/nginx/conf/nginx.conf:

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /home/www/;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }
3. Reload nginx
    /usr/local/nginx/sbin/nginx -s reload
4. Generate the certificate
    ./certbot-auto certonly --webroot -w /home/www -d  www.liubo055.top
Output:
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.liubo055.top/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.liubo055.top/privkey.pem
       Your cert will expire on 2018-07-28. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
5. Configure Nginx (edit /usr/local/nginx/conf/nginx.conf) to use the SSL certificate
    server {
        listen       443 ssl;
        server_name  liubo055.top www.liubo055.top;
        ssl_certificate      /etc/letsencrypt/live/www.liubo055.top/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/www.liubo055.top/privkey.pem;
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
6. Reload nginx
    /usr/local/nginx/sbin/nginx -s reload

Done: visiting https://www.liubo055.top succeeds.

Renewing the certificate (I have not tried this in practice; to be continued)

1. Go to /home/downloads and test the renewal. This step does not actually renew anything; it only invokes Certbot as a test
    ./certbot-auto renew --dry-run
Output that includes the following indicates success:
Congratulations, all renewals succeeded. The following certs have been renewed:  
/etc/letsencrypt/live/linuxstory.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
2. Manual renewal
    ./certbot-auto renew -v
3. Automatic renewal
    ./certbot-auto renew --quiet --no-self-upgrade
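
The automatic renewal command above still has to be scheduled, and nginx keeps serving the old certificate until it is reloaded. The wrapper below is an added example, not part of the original post: it reloads nginx only when the certificate on disk changed and the configuration test passes. The paths are the ones used on this page; the script name, function names and cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Paths come from this page;
# renew-cert.sh, the function names and the schedule are hypothetical.
CERTBOT="${CERTBOT:-/home/downloads/certbot-auto}"
NGINX="${NGINX:-/usr/local/nginx/sbin/nginx}"
CERT="${CERT:-/etc/letsencrypt/live/www.liubo055.top/fullchain.pem}"

# Checksum of the certificate file. live/ holds symlinks that certbot
# repoints on renewal, so a changed checksum means a new certificate.
cert_sum() {
    if [ -r "$CERT" ]; then cksum < "$CERT"; else echo missing; fi
}

# Return codes:
#   0 = nothing was due, or certificate renewed and nginx reloaded
#   1 = the renewal command itself failed
#   2 = new certificate on disk, but "nginx -t" failed, so no reload
renew_and_reload() {
    before=$(cert_sum)
    "$CERTBOT" renew --quiet --no-self-upgrade || return 1
    after=$(cert_sum)
    [ "$before" = "$after" ] && return 0   # not due yet; leave nginx alone
    "$NGINX" -t || return 2                # never reload a broken config
    "$NGINX" -s reload
}

# Run only when called with "run", e.g. from root's crontab (assumed schedule):
#   17 3 * * * /home/downloads/renew-cert.sh run
# Any output (such as a failed "nginx -t") is then mailed by cron.
if [ "${1:-}" = "run" ]; then
    renew_and_reload
    exit $?
fi
```

A non-zero exit from cron's run is the signal to look at /etc/letsencrypt and the nginx configuration before the current certificate expires.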
