Nginx + Tomcat reverse proxy: enabling HTTPS with certbot


    I. Generating a free HTTPS certificate with Let's Encrypt

    1、Download and install certbot (the Let's Encrypt client)

    2、Generate the certificate with certbot

    3、Configure the HTTPS certificate in nginx

    Installing certbot

    [root@hz1 ~]# wget https://dl.eff.org/certbot-auto
    
    [root@hz1 ~]# chmod a+x certbot-auto
    
    [root@hz1 ~]# ./certbot-auto

    Generating the certificate with certbot

    [root@hz1 certbot]# ./certbot-auto certonly --email zhai.junming@timecash.cn --agree-tos --webroot -w /alidata1/www/timecash22/api3 -d xxxx.zjm.cn
    /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
      DeprecationWarning
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for xxx.zjm.cn
    Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your
       cert will expire on 2017-09-06. To obtain a new or tweaked version
       of this certificate in the future, simply run certbot-auto again.
       To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

    
    -w: the web root directory of the domain (certbot writes the http-01 challenge file under it, so it must be the directory the web server really serves for that domain)
    
    -d: the domain name
    
    Note: the certificate has been generated under /etc/letsencrypt/live/xxx.zjm.cn

    Configuring the HTTPS certificate in nginx

    # HTTP: redirect every request to HTTPS
    server {
        listen       80;
        server_name  www.xxx.cn;
        return       301 https://$server_name$request_uri;
    }

    # HTTPS: terminate TLS here and proxy to Tomcat
    server {
        listen 443 ssl;
        server_name www.xxx.cn;

        ssl_certificate         /etc/letsencrypt/live/www.xxx.cn/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/www.xxx.cn/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/www.xxx.cn/chain.pem;
        ssl_dhparam             /etc/nginx/ssl/dhparam.pem;

        location / {
            # Tomcat backend; 127.0.0.1:8080 is a placeholder, the post does not give the real address.
            # Proxying back to http://www.xxx.cn/ would hit the port 80 redirect above and loop.
            proxy_pass http://127.0.0.1:8080/;
        }
    }

    ssl_certificate and ssl_certificate_key point at fullchain.pem and privkey.pem respectively (a space is required between the directive name and the path, otherwise nginx rejects the line as an unknown directive).

    ssl_dhparam is generated with the following commands:

    $ mkdir /etc/nginx/ssl
    
    $ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

    Renewing the HTTPS certificate automatically

    Because this free certificate is only valid for 90 days, it has to be renewed regularly; here certbot is used to renew it automatically at a fixed interval.

    Run the renewal manually (dry run):

    ./certbot-auto renew --dry-run

    Renew automatically at a fixed interval with crontab:

    # Every Monday at 02:30. Use the absolute path: cron does not run from the directory certbot-auto was downloaded to.
    # --post-hook reloads nginx after renewal so that it actually serves the new certificate.
    30 2 * * 1 /root/certbot-auto renew --post-hook "nginx -s reload" >> /var/log/le-renew.log 2>&1
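A small monitor for the renewal workflow above, added here as an example and not part of the original post: it reads notAfter from the certificate nginx is actually serving (so a renewed file that was never reloaded still shows as stale) and reports whether certbot's default 30-day renewal window has been missed. The host name www.xxx.cn is the post's placeholder; the offline helpers parse the date format that ssl.getpeercert() and openssl print.

```python
"""Check how much lifetime the served Let's Encrypt certificate has left and
whether the certbot cron renewal (due once fewer than 30 days remain) is overdue."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# notAfter format used by ssl.getpeercert() and `openssl x509 -noout -enddate`
_NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"
RENEW_THRESHOLD_DAYS = 30  # certbot renews once fewer than 30 days remain


def parse_not_after(not_after: str) -> datetime:
    """Parse 'Sep  6 12:00:00 2017 GMT' (with or without the 'notAfter='
    prefix that openssl prints) into a timezone-aware UTC datetime."""
    value = not_after.split("=", 1)[-1].strip()
    return datetime.strptime(value, _NOT_AFTER_FMT).replace(tzinfo=timezone.utc)


def days_left(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).days


def renewal_status(not_after: str, now: Optional[datetime] = None) -> str:
    """'ok' outside the renewal window, 'renew-due' inside it (the cron job
    should already have replaced this certificate), 'expired' past notAfter."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < RENEW_THRESHOLD_DAYS:
        return "renew-due"
    return "ok"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from the certificate the live server presents, so a
    renewed file on disk that nginx never reloaded still shows as stale."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.xxx.cn"  # placeholder host from the post
    not_after = fetch_not_after(host)
    print(f"{host}: expires {not_after}, {days_left(not_after)} days left, {renewal_status(not_after)}")
```

Running it from the same cron schedule and alerting on anything other than "ok" catches a broken renewal before the 2017-09-06 style expiry date in the certbot output is reached.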

    PS:

    1、When generating the certificate, make sure the site directory after the -w parameter is correct, otherwise it fails with an error.

    2、Only nginx needs to be configured for HTTPS; Tomcat needs no changes.

    3、The front-end code and the back-end API must both support HTTPS.

Original post: https://www.cnblogs.com/lidong94/p/7156839.html