Let's Encrypt: setting up HTTPS for nginx on CentOS/RHEL 7

Development needed a small back-office site that had to be reachable over HTTPS; Let's Encrypt turned out to be quite easy to use.

Environment:

CentOS 7.3, nginx 1.10.2

Installation:

yum install -y epel-release

yum install -y certbot

Set up DNS for the domain in question, e.g. abc.com, first;

Method 1: create a .well-known directory directly under the site's web root

Method 2: keep .well-known under /etc/nginx/cert and symlink it from the site directory (used below)

Once, after running the command, it failed with: An unexpected error occurred:

ValueError: Extra data: line 1 column 77 - line 38 column 1 (char 76 - 1828)
Please see the logfiles in /var/log/letsencrypt for more details.

Following method 2:

mkdir -p /etc/nginx/cert/.well-known

ln -s /etc/nginx/cert/.well-known /data/gop/gop.abc.com/.well-known

cd /data/gop/ 

ll

.well-known -> /etc/nginx/cert/.well-known/

certbot certonly --webroot -w  /etc/nginx/cert  -d gop.abc.com

Run the command:

certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com

Follow the prompts; normally the certificate files are generated without problems.


You could also work directly in nginx's default directory; at the time I had created a folder under /data/gop/ and planned to put it there.

2.

certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): <your email address; if a renewal fails, the reminder is sent here>
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tng.abc.com
Using the webroot path /etc/nginx/cert for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/gop.abc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/gop.abc.com/privkey.pem
   Your cert will expire on 2018-05-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate files are stored under '/etc/letsencrypt/live/example.com/'.
There are 4 files:
cert.pem
chain.pem
fullchain.pem
privkey.pem
Note in particular that this command only places the generated certificate in that directory, and the directory is named after the domain you requested: there will be no generic /etc/letsencrypt/live/example.com/ here. For the gop.abc.com certificate, see the paths used in the nginx configuration below.
3.


The nginx configuration looks something like this:

server {
    listen  443 ssl http2;
    server_name example.com;
    index index.html index.htm index.php;
    root  /data/www/example.com;
 
    ssl_certificate       /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/example.com/privkey.pem;
 
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
 
    access_log  off;
}
 
server {
    listen  443 ssl http2;
    server_name test.example.com;
    index index.html index.htm index.php;
    root  /data/www/test.example.com;
 
    ssl_certificate       /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/example.com/privkey.pem;
 
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
 
    access_log  off;
}
 

Actual configuration: nginx reverse-proxying to Tomcat

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    client_max_body_size 8M;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    upstream app {
        server localhost:9089;
    }

    server {
        listen 80;
        server_name gop.abc.com;
        rewrite ^(.*)$  https://$host$1 permanent;
    }

    server {
        listen 443 ssl;
        ssl on;
        server_name gop.abc.com;

        # Paths exactly as certbot printed them (the original post had stray
        # spaces around the domain, which nginx would reject as extra arguments).
        ssl_certificate     /etc/letsencrypt/live/gop.abc.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/gop.abc.com/privkey.pem;

        # Cipher list is truncated in the original post.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD************';
        ssl_prefer_server_ciphers  on;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            #try_files $uri $uri/ =404;
            #include proxy_params;
            proxy_pass http://app;
            #proxy_redirect     off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            #proxy_redirect http:// https://;
            proxy_redirect http:// $scheme://;
            #    allow 11.11.11.11;
            #    allow 22.22.22.22;
            #    deny all;
        }
    }
}

4. Scheduled renewal

crontab -e   # add the following job
10 6 * * *  /bin/certbot renew --quiet >/dev/null 2>&1
(The original line used "&>/dev/null", which is bash syntax; cron runs jobs with /bin/sh, so the POSIX form ">/dev/null 2>&1" is used here.)
Let's Encrypt certificates are valid for 90 days; if a certificate still has more than 30 days of validity left, the command above will not actually renew it.


HTTPS test

Open https://gop.abc.com in a browser to verify; Chrome normally shows a green padlock and the "Secure" label.

Original URL:

https://www.cnblogs.com/mawang/p/6758728.html

Keeping this as a small note for future reference.


PS: on renewal. I received the renewal reminder email,

and running /bin/certbot renew as before gave an error:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gop.abc.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gop.abc.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gop.abc.com/.well-known/acme-challenge/dyWcllqMylBGnpdhsa8MTq0B1yl_HabaBanjj11s:
   "<!DOCTYPE html><html><head><title>
   report</title><style type="text/css">H1 {font-family:Tahoma,Arial"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I looked at the log with tail -100f /var/log/letsencrypt/letsencrypt.log and could not make sense of it; after a long time on the Let's Encrypt site I still only half understood the problem. Later I stopped nginx and tried this command:

certbot renew --standalone

It actually succeeded!


-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/gop.abc.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/gop.abc.com/fullchain.pem (success)
-------------------------------------------------------------------------------
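The renewal failure above lines up with the configuration earlier in the post: the port 80 server rewrites every request, including /.well-known/acme-challenge/..., to HTTPS, and the HTTPS server proxies everything to Tomcat, so the validation server received Tomcat's HTML error page instead of the token file certbot had written under /etc/nginx/cert. Stopping nginx and using --standalone works around that, but it means downtime at every renewal. The block below is an added example, not configuration from the original post: it serves the challenge directory straight from the webroot given to certbot, redirects everything else to HTTPS, and tightens the TLS settings of the sample configuration (TLSv1 and TLSv1.1 dropped, HSTS added, "ssl on;" removed because "listen ... ssl" already enables TLS). It assumes the upstream app { server localhost:9089; } block from the post is still present in the http context; the cipher list and the HSTS max-age are my choices, not the post's.

```nginx
# Added example (not the original post's configuration).
# HTTP server for gop.abc.com: serves ACME http-01 challenges from the
# certbot webroot and sends everything else to HTTPS.
server {
    listen 80;
    server_name gop.abc.com;

    # certbot certonly --webroot -w /etc/nginx/cert writes the token to
    # /etc/nginx/cert/.well-known/acme-challenge/<token>. Serve it as a
    # plain file; never redirect or proxy it. "^~" keeps regex locations
    # from overriding this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        root /etc/nginx/cert;
        default_type text/plain;
    }

    # Everything else goes to HTTPS, preserving the original URI.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name gop.abc.com;

    # Paths as printed by certbot (no spaces inside the path).
    ssl_certificate     /etc/letsencrypt/live/gop.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gop.abc.com/privkey.pem;

    # TLSv1/TLSv1.1 dropped compared with the sample config in the post.
    # Add TLSv1.3 here when the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # AEAD, forward-secret suites only (my choice; unknown names are
    # skipped by OpenSSL, so this also loads on OpenSSL 1.0.2).
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS only for the next 180 days (my value).
    add_header Strict-Transport-Security "max-age=15552000" always;

    location / {
        proxy_pass http://app;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect   http:// $scheme://;
    }
}
```

Check the configuration with nginx -t and reload, then put a test file under /etc/nginx/cert/.well-known/acme-challenge/ and confirm that http://gop.abc.com/.well-known/acme-challenge/<file> returns its contents with status 200 rather than a 301 redirect; a successful certbot renew --dry-run then confirms the webroot path works without stopping nginx. Note also the "new certificate deployed without reload" line in the output above: certbot does not reload nginx, so the renewed certificate is only used after a reload, for example by running the cron job as certbot renew --quiet --deploy-hook "systemctl reload nginx" on certbot versions that support --deploy-hook.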





