Let's Encrypt: Setting up HTTPS for nginx on CentOS/RHEL 7

Development needed a small back-office site that had to be reachable over HTTPS; Let's Encrypt turned out to be quite handy for that.

System environment:

CentOS 7.3, nginx 1.10.2

Installation:

yum install -y epel-release
yum install -y certbot

Set up DNS resolution for the domain (e.g. abc.com) first.

Method 1: create a .well-known directory under the site's web root.

Method 2: create the .well-known directory outside the web root and symlink it in (the steps followed below).

One run of the command failed with:

An unexpected error occurred:
ValueError: Extra data: line 1 column 77 - line 38 column 1 (char 76 - 1828)
Please see the logfiles in /var/log/letsencrypt for more details.

Following method 2:

mkdir -p /etc/nginx/cert/.well-known
ln -s /etc/nginx/cert/.well-known /data/gop/gop.abc.com/.well-known
cd /data/gop/
ll
.well-known -> /etc/nginx/cert/.well-known/

Run the command:

certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com

Follow the prompts; normally the certificate files are generated without problems.


You can also work directly in nginx's default directory; at the time I had created a folder under /data/gop/ and intended to put the site there.

2.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): <your email>      (if a renewal fails, the reminder goes to this address)
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: Y

Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tng.abc.com
Using the webroot path /etc/nginx/cert for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/gop.abc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/gop.abc.com/privkey.pem
   Your cert will expire on 2018-05-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate files are stored under '/etc/letsencrypt/live/example.com/'; there are four of them:

cert.pem
chain.pem
fullchain.pem
privkey.pem

Note in particular that this command only writes the generated certificate into that directory (for gop.abc.com, /etc/letsencrypt/live/gop.abc.com/); see the nginx configuration below for how the files are referenced.
3.

The nginx configuration looks roughly like this:

server {
    listen 443 ssl http2;
    server_name example.com;
    index index.html index.htm index.php;
    root /data/www/example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    # TLSv1 and TLSv1.1 are deprecated; drop them unless old clients need them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    access_log off;
}

# A second virtual host follows the same pattern.
server {
    listen 443 ssl http2;
    server_name test.example.com;
    root /data/www/test.example.com;
    # ssl_certificate / ssl_certificate_key for test.example.com go here
}

The actual configuration, with nginx reverse-proxying to Tomcat:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    client_max_body_size 8M;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # The Tomcat application that nginx proxies to.
    upstream app {
        server localhost:9089;
    }

    # Plain HTTP: redirect everything to HTTPS. Note that this also redirects
    # /.well-known/acme-challenge/ requests, so a webroot renewal over port 80
    # ends up at the proxied application rather than at /etc/nginx/cert.
    server {
        listen 80;
        server_name gop.abc.com;
        rewrite ^(.*)$ https://$host$1 permanent;
    }

    server {
        listen 443 ssl;
        server_name gop.abc.com;
        # "ssl on;" is redundant with the ssl parameter on listen (and deprecated).
        ssl_certificate /etc/letsencrypt/live/gop.abc.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/gop.abc.com/privkey.pem;
        # cipher list truncated in the original
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD************';
        ssl_prefer_server_ciphers on;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            #try_files $uri $uri/ =404;
            #include proxy_params;
            proxy_pass http://app;
            #proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            #proxy_redirect http:// https://;
            proxy_redirect http:// $scheme://;
            # Optionally restrict the back-office site to known source addresses:
            # allow 11.11.11.11;
            # allow 22.22.22.22;
            # deny all;
        }
    }
}

4. Periodic renewal

crontab -e    # add the following scheduled task
10 6 * * * /bin/certbot renew --quiet >/dev/null 2>&1

Let's Encrypt certificates are valid for 90 days; if a certificate still has more than 30 days of validity left, the command above will not actually renew it.


HTTPS test

Open https://gop.abc.com in a browser to verify; Chrome normally shows a green padlock and a "Secure" label.

Original URL:

https://www.cnblogs.com/mawang/p/6758728.html

A small note for my own future reference.


PS: the renewal problem. I received a renewal reminder email, and running /bin/certbot renew as before failed with:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gop.abc.com/fullchain.pem (failure)

-------------------------------------------------------------------------------
 - The following errors were reported by the server:

   Domain: gop.abc.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gop.abc.com/.well-known/acme-challenge/dyWcllqMylBGnpdhsa8MTq0B1yl_HabaBanjj11s:
   "<!DOCTYPE html><html><head><title>
   report</title><style type="text/css">H1 {font-family:Tahoma,Arial"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Checking the log with tail -100f /var/log/letsencrypt/letsencrypt.log gave no clue, and after reading through the Let's Encrypt site for a good while I was only half the wiser. Eventually I stopped nginx and tried this command:

certbot renew --standalone

and it actually succeeded!

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/gop.abc.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/gop.abc.com/fullchain.pem (success)
-------------------------------------------------------------------------------
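A pre-flight check for the webroot challenge path, added here as an example (not from the original post): it writes a throwaway token under the webroot, fetches it the way the CA does (plain HTTP, following redirects), and reports whether nginx served the token or, as in the failure above, an HTML page. The webroot, the domain and the function names are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the http-01 webroot path; not part of the original
# post. Assumes the webroot given to "certbot certonly --webroot -w WEBROOT" and
# that http://DOMAIN/ reaches this nginx; the function names are this example's.

# Write a throwaway token where certbot would place the real challenge file and
# print the token so the caller can request it over HTTP.
place_token() {                       # $1 = webroot
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="preflight-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Classify what the server answered. Certbot follows redirects, so a body that
# starts with "<" is the HTML page seen in the failed renewal above: the request
# was redirected or proxied to the application instead of being served from the
# webroot. An empty body means curl got an error status (404, refused, timeout).
classify_response() {                 # $1 = expected token, $2 = body received
    if [ "$2" = "$1" ]; then
        echo served
    else
        case "$2" in
            "<"*) echo html ;;
            "")   echo empty ;;
            *)    echo mismatch ;;
        esac
    fi
}

# Full check: place the token, fetch it as the CA would (plain HTTP, following
# redirects), clean up, and report. Exit status is 0 only when it was served.
acme_preflight() {                    # $1 = webroot, $2 = domain
    tok=$(place_token "$1") || return 1
    body=$(curl -fsSL --max-time 10 \
        "http://$2/.well-known/acme-challenge/$tok" 2>/dev/null)
    rm -f "$1/.well-known/acme-challenge/$tok"
    result=$(classify_response "$tok" "$body")
    echo "$2: $result"
    [ "$result" = served ]
}

# Usage with the paths used in this post:
#   acme_preflight /etc/nginx/cert gop.abc.com
```

If the result is html with the configuration above, the port-80 rewrite is sending the challenge request to HTTPS, where / is proxied to Tomcat; adding `location ^~ /.well-known/acme-challenge/ { root /etc/nginx/cert; }` to the port-80 server block ahead of the rewrite lets certbot renew work with nginx running, instead of stopping it for --standalone on every renewal.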
