1. Environment: CentOS 7 (BCC)
Tomcat + MySQL + JDK
2. Let's Encrypt official site: https://letsencrypt.org
3. Installation.
Check whether git is installed: git --version
Remove git: yum remove git
Install git: yum install -y git

1. Fetch it with git (slow; please wait):
git clone https://github.com/letsencrypt/letsencrypt
2. Enter the directory:
cd letsencrypt
3. View the tool's usage:
./letsencrypt-auto --help
4. Run it (this installs a large pile of dependencies; if the host is in mainland China, switch to a domestic mirror first). If something is already occupying port 443, stop it:
./letsencrypt-auto certonly
Then "Installing Python packages…" will stall for a while.
On a clean system all of the above goes through; afterwards, follow the prompts and enter the verification method, email address, whether to subscribe, the domain, the website root directory, and so on.
I entered Tomcat's ROOT directory; on success the following is shown:

[root@host letsencrypt]# ./certbot-auto certonly --webroot -w /usr/tomcat7.0.92/webapps/ROOT -d www.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.xxx.com
Using the webroot path /usr/tomcat7.0.92/webapps/ROOT for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxx.com/privkey.pem
   Your cert will expire on 2019-04-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@host letsencrypt]#
The stall finally ends:
After successful execution, the directory /etc/letsencrypt/live/xx.com contains 5 files:
/etc/letsencrypt/live/www.xxx.com
cert.pem      server certificate
chain.pem     intermediate certificate (the chain up to the root)
fullchain.pem SSL certificate (server certificate plus chain)
privkey.pem   private key
We need the third and fourth of these (fullchain.pem and privkey.pem); convert them into the .jks format Tomcat supports.
Enter the directory: cd /etc/letsencrypt/live/www.xxx.com
# Generate the p12
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat_letsencrypt -passin pass:123456 -passout pass:123456
# Generate the jks
keytool -importkeystore -deststorepass '123456' -destkeypass '123456' -destkeystore tomcat_letsencrypt.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass '123456' -alias tomcat_letsencrypt

Edit the Tomcat configuration file server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/letsencrypt/live/www.xxx.com/tomcat_letsencrypt.jks"
           keystorePass="123456" />
# Restart Tomcat

A variant of the same Connector that also sets URIEncoding, keyAlias and keyPass:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           URIEncoding="UTF-8" maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/pogaizai/MyDSKeyStore.jks" keystorePass="yourJKSpass"
           keyAlias="tomcat" keyPass="yourKeyPass"/>
Test in the browser: https://yourDomain:8443/
On success a small padlock is shown; click it to see the certificate details.
Visiting http://yourDomain is still unencrypted.
Forcing HTTPS in Tomcat:
Edit web.xml and add the following after the welcome-file-list tag:
<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Once this is enforced, an http request shows a prompt:
and is forcibly redirected to port 8443.
Change 8443 to 443 in server.xml.
443 is like 80: it does not need to be typed in the address.
Visit again; every request is now forced to redirect to https://yourDomain.com
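A quick way to confirm that the CONFIDENTIAL constraint is actually doing its job is to look at what the plain-HTTP port answers: it should be a redirect whose Location is an https:// URL. The script below is an added example, not part of the original post; the response samples in it are constructed, and the host name www.xxx.com in the usage comment is only a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a plain-HTTP request
# is answered with a redirect to an https:// URL, which is the behaviour the
# transport-guarantee CONFIDENTIAL constraint in web.xml should produce.
set -eu

# https_redirect_ok HEADERS -> success when the status is a redirect
# (301/302/303/307/308) and the Location header points at https://
https_redirect_ok() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation:[ ]*//p' | head -n 1)
    case "$status" in
        301|302|303|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a host name (needs curl and network access), e.g.
#   check_host www.xxx.com && echo "HTTP is redirected to HTTPS"
check_host() {
    resp=$(curl -sS -I --max-time 10 "http://$1/")
    https_redirect_ok "$resp"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://www.xxx.com/
Content-Length: 0'

SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8'

# Run the live check only when a host is given: CHECK_HOST=www.xxx.com sh check.sh
if [ -n "${CHECK_HOST:-}" ]; then
    check_host "$CHECK_HOST" && echo "redirect OK" || echo "still served over plain HTTP"
fi
```

The check deliberately rejects a redirect whose Location is still http://, which is what you would see if the constraint were missing and only a manual redirect rule were in place.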
Detailed openssl commands: https://blog.csdn.net/liao20081228/article/details/77159039 (PKCS12)
Interlude start
How to check your pip version:
# pip -V
my pip version is 8.1.1, but the latest version is 9.0.1, so I ran the following command to upgrade it:
# pip install --upgrade pip
Now check the pip version again:
# pip -V
pip 9.0.1 from /usr/local/lib/python2.7/dist-packages (python 2.7)
https://blog.csdn.net/anukram/article/details/78176614
https://blog.csdn.net/lyq8479/article/details/79022888
https://www.cnblogs.com/lzpong/p/6433189.html
https://www.iaodun.com/faq/technical/3008.html
If the host is in mainland China, switch to a domestic mirror (important):
Change the yum source;
http://blog.51cto.com/xiaogongju/2086328
Fix slow pip updates (otherwise it stalls at "Installing Python packages...");
https://www.jianshu.com/p/5002e4aea6d7
http://blog.51cto.com/lzhnb/2149543
Error:
[root@JaneYork letsencrypt]# ./letsencrypt-auto certonly
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: langpacks, versionlock
Package gcc-4.8.5-36.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-6.el7.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-16.el7.x86_64 already installed and latest version
Package libffi-devel-3.0.13-18.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-87.el7.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Package python-devel-2.7.5-76.el7.x86_64 already installed and latest version
Package python-virtualenv-15.1.0-2.el7.noarch already installed and latest version
Package python-tools-2.7.5-76.el7.x86_64 already installed and latest version
Package python2-pip-8.1.2-6.el7.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 2327, in <module>
    main()
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 712, in main
    symlink=options.symlink)
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 944, in create_environment
    download=download,
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 900, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 796, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pip wheel failed with error code 1
[root@JaneYork letsencrypt]# ^C
Interlude end
4. Renewing the certificate:
#!/bin/sh
# Renewal
# Note: with renew alone, certbot first checks whether the certificate needs renewing; it only renews when roughly three days to ten-odd days remain before expiry, otherwise it reports that no renewal is needed. (I renewed the certificate yesterday, ran renew directly today, and it said renewal was not allowed.)
# For easier testing, adding the --force-renew parameter forces an immediate renewal; the official site seems to have a command meant for testing
#./certbot-auto renew --force-renew
cd /www/letsencrypt/
./certbot-auto renew
# Generate the p12
cd /etc/letsencrypt/live/yourDomain && openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat_letsencrypt -passin pass:123456 -passout pass:123456
# Move the newly generated certificate files
cp /etc/letsencrypt/live/yourDomain/fullchain.pem /mnt/web/letsTemp
cp /etc/letsencrypt/live/yourDomain/privkey.pem /mnt/web/letsTemp
# Generate the jks file
# Back up and remove the old jks file
mv /etc/letsencrypt/live/yourDomain/tomcat_letsencrypt.jks /etc/letsencrypt/live/yourDomain/tomcat_letsencrypt`date '+%Y-%m-%d'`.jks
cd /etc/letsencrypt/live/yourDomain && keytool -importkeystore -deststorepass '123456' -destkeypass '123456' -destkeystore tomcat_letsencrypt.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass '123456' -alias tomcat_letsencrypt
# Restart the server
/usr/tomcat7.0.92/bin/restartup.sh
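The conversion steps in section 3 and the renewal script above both build the JKS with the password written literally on the command line (-passout pass:123456, -deststorepass '123456'), which leaves it in shell history and visible in `ps` while openssl and keytool run, and they overwrite the live keystore before anything has verified it. The script below is an added example written for this post, not the author's script: it reads the password from a root-only file, builds the keystore into a temporary file, checks that the alias is present, backs up the old keystore, and restarts Tomcat only when the certificate actually changed. All paths (CERTBOT, LIVE_DIR, TOMCAT_HOME, PASS_FILE) are assumed defaults taken from the post and can be overridden through the environment; the standard shutdown.sh/startup.sh scripts are used for the restart.

```shell
#!/bin/sh
# Added example, not the original post's script: renew with certbot, rebuild the
# JKS from the new fullchain.pem/privkey.pem, and restart Tomcat only when the
# certificate actually changed. Paths below are hypothetical defaults; override
# them through the environment.
set -eu

CERTBOT="${CERTBOT:-/www/letsencrypt/certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/www.xxx.com}"
TOMCAT_HOME="${TOMCAT_HOME:-/usr/tomcat7.0.92}"
JKS="${JKS:-$LIVE_DIR/tomcat_letsencrypt.jks}"
ALIAS="tomcat_letsencrypt"
# Keystore password kept in a root-only file (chmod 600) and handed to openssl
# via -passout file:, so it never appears in shell history or in `ps` output.
PASS_FILE="${PASS_FILE:-/etc/letsencrypt/tomcat_keystore.pass}"

# backup_name FILE DATE -> FILE with _DATE inserted before the .jks extension
backup_name() {
    printf '%s_%s.jks\n' "${1%.jks}" "$2"
}

# cert_changed OLD_FP NEW_FP -> success when the two fingerprints differ
cert_changed() {
    [ "$1" != "$2" ]
}

# SHA-256 fingerprint of the leaf certificate in the given PEM file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Build the keystore into a temporary file, verify it, then swap it in.
build_jks() {
    pass=$(cat "$PASS_FILE")
    tmp_p12=$(mktemp "$LIVE_DIR/p12.XXXXXX")
    tmp_jks="$JKS.new"
    rm -f "$tmp_jks"
    openssl pkcs12 -export -in "$LIVE_DIR/fullchain.pem" -inkey "$LIVE_DIR/privkey.pem" \
        -out "$tmp_p12" -name "$ALIAS" -passout "file:$PASS_FILE"
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp_p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$tmp_jks" -deststorepass "$pass" -destkeypass "$pass" \
        -alias "$ALIAS"
    rm -f "$tmp_p12"
    # Refuse to replace the live keystore unless the alias is really inside it.
    keytool -list -keystore "$tmp_jks" -storepass "$pass" -alias "$ALIAS" >/dev/null
    if [ -f "$JKS" ]; then
        mv "$JKS" "$(backup_name "$JKS" "$(date +%Y-%m-%d)")"
    fi
    mv "$tmp_jks" "$JKS"
    chmod 600 "$JKS"
}

main() {
    before=$(cert_fingerprint "$LIVE_DIR/cert.pem")
    "$CERTBOT" renew --quiet
    after=$(cert_fingerprint "$LIVE_DIR/cert.pem")
    if cert_changed "$before" "$after"; then
        build_jks
        # Standard Tomcat scripts, assumed to exist under TOMCAT_HOME/bin
        "$TOMCAT_HOME/bin/shutdown.sh"
        "$TOMCAT_HOME/bin/startup.sh"
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Run only when explicitly asked (LE_RUN=1 sh this_script.sh), so the helper
# functions can be sourced or tested without touching the system.
if [ -n "${LE_RUN:-}" ]; then main; fi
```

Because Tomcat is restarted only when the fingerprint of cert.pem changes, the script can safely be scheduled far more often than the certificate is actually renewed: on the days certbot decides nothing needs renewing, it exits without touching the keystore or the server.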
Run the above script from a cron job:
crontab -e
Add the following in the editor that opens (renew at 3 a.m. on the 1st of every month):
0 3 1 * * sh /ts/ssl_auto.sh >/dev/null 2>&1 &
00 12 * * * sh /home/text.sh >> /home/logs/log_$(date +\%Y-\%m-\%d).log 2>&1
2>&1 redirects standard error to the same place as standard output, i.e. the xxx.log file.
Detailed crontab usage: https://blog.csdn.net/qq_31708763/article/details/86516523
Recommended:
Installing a Java web development environment on Linux: https://blog.csdn.net/qq_31708763/article/details/86366445