Preface
I run my own blog, and an application of mine has to fetch data from that site; by default the application will only talk to https sites, and I did not want to switch it to plain http. So I looked into enabling https. This post describes how to use Certbot together with Nginx on Ubuntu (the commands below are apt/PPA based, so they apply to Ubuntu rather than CentOS).
Environment
- Ubuntu
- Nginx
Installing Certbot
At the command line, type:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Then certbot and its Nginx plugin can be installed with:
sudo apt-get install certbot python-certbot-nginx
Note that this is the Python 2 era procedure. The ppa:certbot/certbot PPA has since been discontinued; on current Ubuntu releases the apt package is called python3-certbot-nginx, and the Certbot project itself recommends installing via snap. The rest of the article is unaffected by how certbot was installed.
Issuing the certificate
sudo certbot --nginx
Everything else happens automatically. Certbot registers an account for you, reads the domain names from your Nginx configuration, asks which of them to issue certificates for and whether to redirect http to https, and finally edits the Nginx configuration and reloads it. At that point your site is already served over https.
If Certbot did not edit the Nginx configuration for you, you have to do it by hand (see below). The certificate itself was issued successfully if the output looks like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/your.domain.com/fullchain.pem. Your cert
will expire on 20XX-09-23. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate has been issued!
Configuring Nginx
Certbot has already configured the certificate for us. The generated configuration is shown below so that you can write it yourself later if needed.
server {
    server_name bbs.wzlinux.com; # managed by Certbot
    # root and default.d come from the CentOS/RHEL default nginx.conf;
    # on Ubuntu the packaged default document root is /var/www/html.
    root /usr/share/nginx/html;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    # must match the URI given to error_page above (the stock config says /40x.html,
    # which never matches and silently falls through to "location /")
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bbs.wzlinux.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bbs.wzlinux.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Plain-http server: redirect the known host to https, answer 404 to anything else
server {
    if ($host = bbs.wzlinux.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name bbs.wzlinux.com;
    return 404; # managed by Certbot
}
Enabling port 443
If you are configuring by hand, edit the Nginx virtual host configuration file in the same way and add a server block for port 443:
server {
    listen 443 ssl;
    # nginx accepts ipv6only= only once per address:port; drop it here if another
    # server block (for example the one Certbot wrote) already sets it for [::]:443
    listen [::]:443 ssl ipv6only=on;
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    # chain.pem is only consulted for OCSP stapling (ssl_stapling on) or
    # client-certificate verification; on its own it changes nothing
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
    # ... other settings ...
}
Remember to replace your.domain.com above with your own domain name.
Then test the configuration with sudo nginx -t and, if it passes, reload Nginx:
sudo service nginx reload
Now open https://your.domain.com in a browser.
If you see the browser's padlock, congratulations, the setup works!
However, Let's Encrypt certificates are only valid for 90 days, so we need to set up automatic renewal to extend the certificate for us.
Automatic certificate renewal
First simulate a renewal at the command line:
sudo certbot renew --dry-run
A successful simulated renewal looks like this:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/your.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Since the simulation succeeded, we set up a scheduled task with crontab -e. At the command line:
sudo crontab -e
Add this entry:
0 4 * * * /usr/bin/certbot renew >> /var/log/le-renew.log 2>&1
This runs the renew task every day at 04:00 (certbot renew only actually renews certificates that have fewer than 30 days left, so running it daily is harmless). The 2>&1 also sends certbot's error output to the log file instead of to cron mail. Because the certificate was obtained with the nginx plugin, certbot reloads Nginx itself after a renewal. Note that the Ubuntu certbot package already installs its own systemd timer and /etc/cron.d/certbot entry for the same purpose; check with systemctl list-timers, and keep only one of the two if you prefer.
You can run /usr/bin/certbot renew >> /var/log/le-renew.log 2>&1 at the command line once
to see that it works. If everything is OK, the setup is complete!
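Two things the steps above rely on but never check are that the private key Nginx points at really belongs to the certificate (the usual cause of an nginx -t failure or a handshake error after hand-editing the 443 block) and how many days a certificate has left, i.e. whether it is inside the 30-day window in which certbot renew will act. The script below is an added example, not code from the original post or from the Certbot project; it parses the ssl_certificate / ssl_certificate_key pairs out of an Nginx config and reports on each. The self-signed certificates, the sample server blocks and the name your.domain.com are constructed for the demo; the script needs only openssl, awk and GNU date.

```shell
#!/bin/sh
# Added example: post-install checks for a Certbot + Nginx setup.
# Constructed demo data; not the original post's code.
set -eu

RENEW_WINDOW_DAYS=30   # certbot renew only acts when fewer days than this remain

# cert_days_left CERT: whole days (rounded) until the certificate's notAfter.
cert_days_left() {
    local not_after end now
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (end - now + 43200) / 86400 ))
}

# needs_renewal CERT: exit 0 when the certificate is inside the renewal window.
needs_renewal() {
    # -checkend exits 0 if the cert is still valid N seconds from now, 1 otherwise
    if openssl x509 -in "$1" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# key_matches_cert CERT KEY: exit 0 when the private key belongs to the cert
# (compares the SubjectPublicKeyInfo derived from each side).
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# check_nginx_ssl CONF: for each ssl_certificate/ssl_certificate_key pair in the
# file, verify the files exist and match, then report the renewal state.
check_nginx_ssl() {
    awk '
        /^[ \t]*ssl_certificate[ \t]/     { c = $2; sub(/;.*/, "", c) }
        /^[ \t]*ssl_certificate_key[ \t]/ { k = $2; sub(/;.*/, "", k) }
        c != "" && k != ""                { print c, k; c = ""; k = "" }
    ' "$1" | while read -r cert key; do
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            status="missing file"
        elif ! key_matches_cert "$cert" "$key"; then
            status="KEY DOES NOT MATCH CERT"
        elif needs_renewal "$cert"; then
            status="renew now ($(cert_days_left "$cert") days left)"
        else
            status="ok ($(cert_days_left "$cert") days left)"
        fi
        printf '%s -> %s\n' "$cert" "$status"
    done
}

# make_test_cert DAYS DIR: constructed self-signed cert laid out like
# /etc/letsencrypt/live/<domain>/ (fullchain.pem + privkey.pem). Demo only;
# a real Let's Encrypt fullchain.pem also carries the intermediate.
make_test_cert() {
    mkdir -p "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=your.domain.com" \
        -keyout "$2/privkey.pem" -out "$2/fullchain.pem" 2>/dev/null
}

# Demo: one fresh certificate and one that certbot renew would already replace.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert 60 "$WORK/fresh"
make_test_cert 10 "$WORK/expiring"
cat > "$WORK/site.conf" <<EOF
server {
    listen 443 ssl;
    server_name your.domain.com;
    ssl_certificate $WORK/fresh/fullchain.pem; # managed by Certbot
    ssl_certificate_key $WORK/fresh/privkey.pem; # managed by Certbot
}
server {
    listen 443 ssl;
    server_name old.your.domain.com;
    ssl_certificate $WORK/expiring/fullchain.pem;
    ssl_certificate_key $WORK/expiring/privkey.pem;
}
EOF
check_nginx_ssl "$WORK/site.conf"
```

On a real host, point check_nginx_ssl at the file that holds your site's server blocks (on Ubuntu typically under /etc/nginx/sites-enabled/); a "KEY DOES NOT MATCH CERT" line means the 443 block references a privkey.pem from a different issuance than its fullchain.pem, and a "renew now" line with the cron job in place means renewal is failing and the log in /var/log/le-renew.log is worth reading.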