• Nginx Configuration: free HTTPS certificate


     

    Lab environment: CentOS Linux release 7.3.1611 (Core)

    Kernel version: Linux version 3.10.0-514.el7.x86_64

    Nginx version: Nginx-1.13.0

    Let's Encrypt is a free, automated and open certificate authority. It was launched by Mozilla, Cisco, Chrome, Facebook, Akamai and many other companies and organizations, and it is secure, stable and reliable. See the official letsencrypt website for details.

    Today we will use Let's Encrypt to add HTTPS encryption to your website.

    Official site: https://letsencrypt.org/

    1. Install certbot and the EPEL repository package

    $ yum install -y epel-release

    Certbot is the client officially recommended by Let's Encrypt. With Certbot you can automate the deployment of Let's Encrypt SSL certificates and so add HTTPS support to your website.

    $ yum install certbot
    $ certbot certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    How would you like to authenticate with the ACME CA?
    -------------------------------------------------------------------------------
    1: Place files in webroot directory (webroot)
    2: Spin up a temporary webserver (standalone)
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1 【choose 1 and press Enter】
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel):su@renwole.com【enter your e-mail address; it is used for urgent renewal and security notices】
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
    in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: A【A and Enter to accept the Terms of Service; C declines】
    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o:Y【whether you are willing to share your e-mail address; Y and Enter is suggested】
    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
    to cancel): blog.renwole.com【enter the domain name and press Enter】
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for blog.renwole.com
    Select the webroot for blog.renwole.com:
    -------------------------------------------------------------------------------
    1: Enter a new webroot
    //enter the absolute path of the site's document root
    -------------------------------------------------------------------------------
    Press 1 [enter] to confirm the selection (press 'c' to cancel):1【choose 1 and press Enter】
    Input the webroot for blog.renwole.com: (Enter 'c' to cancel):/home/www/blog.renwole.com【enter the absolute path of the site and press Enter】
    Waiting for verification...
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/blog.renwole.com/fullchain.pem. Your cert
    will expire on 2017-08-09. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew *all* of your certificates, run "certbot
    renew"
    - If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF:

    Congratulations! Your SSL certificate and chain have been saved; your certificate will expire on 2017-08-09.
    Note: before generating the certificate you must make sure nginx is running on port 443, otherwise certificate generation will fail.
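    Before running certbot in webroot mode it is worth confirming that nginx really serves files placed under the site's document root at /.well-known/acme-challenge/, because that is the path the CA fetches over plain HTTP for the http-01 challenge shown in the session above; a wrong webroot path or a server block that does not serve that directory is the usual reason the "Waiting for verification..." step fails. The script below is an added example and is not part of the original post or of certbot. It writes a throw-away token under the webroot and fetches it back the way the ACME server would; the webroot path and site URL in the usage comment are taken from the session above and are placeholders for your own site.

```python
"""Pre-flight check for certbot's webroot (http-01) mode (added example).

Writes a random token file into <webroot>/.well-known/acme-challenge/ and
fetches it back over plain HTTP, so a misconfigured webroot or a server
block that does not serve that path is caught before certbot is run.
"""
import os
import secrets
import urllib.error
import urllib.request

# Path the ACME server requests for an http-01 challenge, relative to the webroot.
CHALLENGE_PATH = ".well-known/acme-challenge"


def place_token(webroot):
    """Create the challenge directory and write one random token file.

    Returns (token, path). The file content is the token itself, which is
    enough for a reachability test (certbot's real files hold a key
    authorization string, but the path and transport are the same).
    """
    token = secrets.token_urlsafe(16)
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_token(base_url, token, timeout=5):
    """GET the token over HTTP; return the body, or None on any failure (404, timeout, refused)."""
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace")
    except (urllib.error.URLError, OSError):
        return None


def webroot_check(webroot, base_url):
    """True if a file written under `webroot` is served at `base_url`, else False.

    The token file is always removed afterwards so nothing is left behind.
    """
    token, path = place_token(webroot)
    try:
        return fetch_token(base_url, token) == token
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage (paths are placeholders from the post; substitute your own):
    #   python acme_webroot_check.py /home/www/blog.renwole.com http://blog.renwole.com
    ok = webroot_check(sys.argv[1], sys.argv[2])
    print("webroot check", "passed" if ok else "FAILED")
    sys.exit(0 if ok else 1)
```

    Run it against the plain http:// URL of the site, not https://, since that is what the CA uses for the http-01 challenge (it follows redirects to HTTPS, but the port-80 server block must exist and serve the path). A failing check means certbot would fail the same way, and fixing the nginx configuration first avoids hitting Let's Encrypt's failed-validation rate limits.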

    2. Automatic renewal

    Certbot can be configured to renew certificates automatically before they expire. Since Let's Encrypt SSL certificates are valid for 90 days, it is recommended that you use this feature. You can test automatic renewal of the certificate by running the following command (a dry run that exercises the renewal without replacing the certificate):

    $ sudo certbot renew --dry-run

    If the above works, you can schedule automatic renewal by adding a cron or systemd timer job that runs:

    certbot renew

    Let's write a job that runs automatically; it is recommended to run it once an hour:

    $ sudo crontab -e

    Add the following:

    0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

    Save and exit.

    Check that it was added successfully:

    $ crontab -l
    0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

    Restart the cron service:

    $ systemctl status crond.service
    $ systemctl restart crond.service

    Watch whether the cron job runs:

    $ tail -f /var/log/cron

    To check whether the certificate was renewed successfully, you can view and manage certificate information with:

    $ certbot certificates

    For more Certbot commands see the official documentation: https://certbot.eff.org/docs/

    3. Configure nginx.conf
    Next, edit the Nginx configuration file: in the server block, uncomment the relevant lines, put the generated certificate after ssl_certificate and the generated private key after ssl_certificate_key, then save and restart the nginx server.

    # vi /usr/local/nginx/conf/nginx.conf
    server {
        listen 443 ssl;
        server_name blog.renwole.com;
        # certificate chain and private key generated by certbot above
        ssl_certificate /etc/letsencrypt/live/blog.renwole.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/blog.renwole.com/privkey.pem;
        # ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # location / {
        #     root html;
        #     index index.html index.htm;
        # }
    }

    Visit https://blog.renwole.com/ in Google Chrome; the green padlock icon shows that HTTPS is now working on the site.
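    The browser check looks at what nginx is actually serving, and that is also the right place to confirm that a renewal has taken effect: certbot certificates reports the files on disk, but nginx keeps serving the old certificate until it is restarted or reloaded, so a site can pass "certbot certificates" and still expire. The script below is an added example (not code from the original post); it performs the same chain and hostname validation a browser does, using only the Python standard library, and reports the days until expiry. The hostname is the one used in the post and is a placeholder; the 30-day warning threshold mirrors certbot's own default renewal window.

```python
"""Check the certificate a live HTTPS site actually serves (added example)."""
import socket
import ssl
import time

# certbot renews when fewer than 30 days remain, so anything below that on the
# live site means renewal failed or nginx was not reloaded with the new file.
RENEW_WARN_DAYS = 30


def _dns_names(cert):
    """Hostnames the certificate covers: SAN DNS entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def assess_cert(cert, host, now=None):
    """Evaluate a getpeercert()-style dict. Returns (covers_host, days_left)."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    covers = any(_name_matches(name, host) for name in _dns_names(cert))
    return covers, days_left


def fetch_cert(host, port=443, timeout=10):
    """TLS handshake with chain and hostname verification; returns the leaf cert dict.

    create_default_context() verifies against the system trust store and
    checks the hostname, so an untrusted or mismatched chain raises here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host, port=443):
    """Return (status, days_left) for the certificate the site serves right now."""
    cert = fetch_cert(host, port)
    covers, days_left = assess_cert(cert, host)
    if not covers:
        return "hostname mismatch", days_left
    if days_left < RENEW_WARN_DAYS:
        return "renewal overdue or nginx not reloaded", days_left
    return "ok", days_left


if __name__ == "__main__":
    import sys
    # Hostname is a placeholder from the post; pass your own as the first argument.
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "blog.renwole.com"))
```

    Run it from cron a little after the renewal job and alert on anything other than "ok"; because it connects to port 443 like a client, it catches the case the on-disk check misses.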

  • Original source: https://www.cnblogs.com/cheyunhua/p/9023488.html