According to descriptions online: Certbot is a free, open-source tool backed by the Electronic Frontier Foundation (EFF) for automatically obtaining, deploying and renewing HTTPS certificates. It was developed to make the Let's Encrypt service easy to use, letting users quickly set up SSL/TLS-encrypted connections on their web servers.
Without further ado, let's get started, feeling our way as we go. Since this is my own site and I didn't want to buy a paid SSL certificate, I ended up doing the following.
PS: when installing nginx, be sure to build it with SSL module support. If yours lacks it, see my previous article, which contains the nginx installation commands.
I. Install Certbot
yum install certbot
yum install python3-certbot-nginx (the nginx plugin; depending on your system it may be python2-certbot-nginx)
Check whether certbot installed successfully; if the command runs and prints its help text, the install worked:
certbot -h
II. Set up symlinks for the nginx configuration (find the directories that match your own nginx install)
Directory of my nginx config file: /usr/local/nginx/conf/nginx.conf
Location of my nginx binary: /usr/local/nginx/sbin/nginx
Compare these with your own paths and create your own symlinks accordingly. Problems with the nginx config file kept forcing me to reinstall nginx and reconfigure everything: certbot always looks under /etc/nginx, but my nginx config lives in /usr/local/nginx/conf. In the end I discovered that a symlink solves it.
Last login: Wed Sep 18 19:35:00 2024 from 106.55.203.179
[root@VM-24-4-opencloudos ~]# ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
[root@VM-24-4-opencloudos ~]# ln -s /usr/local/nginx/conf/ /etc/nginx
[root@VM-24-4-opencloudos ~]# certbot certonly --nginx --nginx-ctl /usr/local/nginx/sbin/nginx --nginx-server-root /usr/local/nginx/conf/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): the address for notifications; enter your own
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): xihahuwai.com
Requesting a certificate for xihahuwai.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xihahuwai.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xihahuwai.com/privkey.pem
This certificate expires on 2024-12-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The result after creating the symlinks:
The generated certificate information:
III. Configure nginx to support HTTPS
By default the nginx configuration only has port 80 as the HTTP port. To support HTTPS you need port 443, so a server block for port 443 has to be added to nginx.conf. The configuration below is from my own site, for reference.
server {
    listen 443 ssl;
    server_name xihahuwai.com www.xihahuwai.com;
    ssl_certificate /etc/letsencrypt/live/xihahuwai.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xihahuwai.com/privkey.pem;
    # SSL-related settings
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); they are kept here as in the original config,
    # but most clients no longer need them and dropping them reduces the attack surface.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    location / {
        ###gzip_static on;
        root /usr/local/nginx-1.24.0/xiha;
        try_files $uri $uri/ /index.html; # This line matters: it sends every request for a file that does not exist to index.html
    }
}
Place this block right below the server block for port 80, as shown in the figure:
IV. Comparing the result
Since it's my own site, I wanted to support both HTTP and HTTPS, so I didn't add a redirect for HTTP. If you only want HTTPS, you can 301-redirect HTTP requests to HTTPS. With both supported, the result looks like this. Finally done.
That's it. I didn't have time to write down the problems I ran into along the way; feel free to get in touch if you have questions. The goal was HTTPS support, and that goal has been achieved.
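For comparison, here is an added, hardened version of the two server blocks (example configuration written for this article, not the author's own): it keeps the author's paths and domain names, drops the deprecated TLSv1 and TLSv1.1 from ssl_protocols, disables session tickets, adds HSTS, and includes the HTTP-to-HTTPS 301 redirect mentioned above. The HSTS header is an assumption that every host listed is served over HTTPS.

```nginx
# Added example, not the author's configuration.
# Plain-HTTP server: answer every request with a 301 to the HTTPS URL.
server {
    listen 80;
    server_name xihahuwai.com www.xihahuwai.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name xihahuwai.com www.xihahuwai.com;

    ssl_certificate     /etc/letsencrypt/live/xihahuwai.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xihahuwai.com/privkey.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996): offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only; TLS 1.3 suites are built in and not listed here.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    # With only strong suites offered, let the client choose (TLS 1.3 ignores this anyway).
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets are encrypted with a key that nginx never rotates without a reload;
    # turning them off avoids that long-lived key undermining forward secrecy.
    ssl_session_tickets off;

    # HSTS: assumes all listed hosts are reachable over HTTPS; start with a short max-age
    # if unsure, because browsers remember this for the whole period.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root /usr/local/nginx-1.24.0/xiha;
        try_files $uri $uri/ /index.html;
    }
}
```

After editing, run nginx -t before nginx -s reload so a syntax error cannot take the site down, and run certbot renew --dry-run to confirm that renewal and the deploy hook work without waiting for the December expiry.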
V. Automatic renewal (the free certificate is valid for three months and expires in December; I'll wait until after December to see whether it renews correctly)
I looked it up, and this isn't hard either, so let's carry on.
1. Open an editor with the following command:
crontab -e
2. In the editor, add the auto-renewal job (the certificate expires after 90 days; I set it to renew every 85 days and reload nginx after renewing):
# Intended: renew the certificate every 85 days at 01:01 and reload Nginx.
# Note: cron's day-of-month field only spans 1-31, so "*/85" matches day 1 only and this entry
# actually runs on the 1st of every month. That is still fine, because "certbot renew" only
# replaces a certificate that is within 30 days of expiry and does nothing otherwise; Certbot
# also installed its own scheduled renewal task (see the output above), so this is a backup.
1 1 */85 * * certbot renew --deploy-hook "nginx -s reload"
3. After adding it you'll see a confirmation message.