How to switch a website from HTTP to HTTPS. Overall there are four steps: install an SSL certificate, deploy the SSL certificate, modify the site's configuration file (conf), and replace HTTP with HTTPS in the site's URLs.
Installing an SSL certificate (Certbot)
SSL certificates come both free and paid; I won't go into the details here. Free ones work fine too, for example the well-known Let's Encrypt SSL certificates. (Let's Encrypt has officially been renamed Certbot.)
- Install git
sudo yum install git
- Download the certificate toolkit
sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
- Enter the certificate directory
cd /opt/letsencrypt
Creating and deploying the certificate
- Continue by running the command that creates the certificate:
./certbot-auto certonly --email zhangyongduo@gmail.com -d "*.20190616.xyz" -d 20190616.xyz --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Note
- --email in the command above is the address where you receive certificate key replies and urgent notices; use a company mailbox or a Gmail address if possible. A QQ mailbox should also work; you can try it.
- certonly selects the install mode. Certbot has two kinds of plugins: install-mode and validation-mode plugins.
- --manual selects the manual installation plugin. Certbot has many plugins, any of which can request a certificate; pick whichever suits your needs.
- -d lists the hosts to request the certificate for. For a wildcard, enter *.20190616.xyz (replace it with your own domain).
- --preferred-challenges dns verifies domain ownership via DNS. Three validation methods are supported:
dns-01: add a DNS TXT record to the domain.
http-01: place an HTTP well-known URL resource file on the domain's web server.
tls-sni-01: place an HTTPS well-known URL resource file on the domain's web server.
- --server: the server used by Let's Encrypt ACME v2 differs from the v1 server, so it must be specified explicitly.
- After pressing Enter on the command above, answer Y all the way through:
[root@p0 certbot]# ./certbot-auto certonly --email ****@gmail.com -d "*.20190616.xyz" -d 20190616.xyz --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for 20190616.xyz
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o: Y
Please deploy a DNS TXT record under the name
_acme-challenge.20190616.xyz with the following value:
X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8
Before continuing, verify the record is deployed.
Press Enter to Continue
- At this point you need to add the TXT DNS record at your domain registrar. Mine is a Tencent domain; it is configured as follows:
- Verify the configured DNS value for _acme-challenge.20190616.xyz:
dig -t txt _acme-challenge.20190616.xyz @8.8.8.8
- If the output contains the configured value (X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8), the record is in place:
[root@p0 ~]# dig -t txt _acme-challenge.20190616.xyz @8.8.8.8
; DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 -t txt _acme-challenge.20190616.xyz @8.8.8.8
;; global options: +cmd
;; Got answer:
;; HEADER opcode: QUERY, status: NOERROR, id: 15044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.20190616.xyz. IN TXT
;; ANSWER SECTION:
_acme-challenge.20190616.xyz. 599 IN TXT "X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8"
;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Oct 17 18:24:50 CST 2020
;; MSG SIZE rcvd: 113
Fix for -bash: dig: command not found:
yum -y install bind-utils
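The propagation check behind the dig step above, written up as an added example (not code from the original post): it assumes dig from bind-utils is installed and, like the post, uses 8.8.8.8 as the resolver. Run wait_for_txt with the record name and the token certbot printed before pressing Enter, so the dns-01 challenge is not attempted against a record the public resolvers cannot see yet.

```shell
#!/bin/sh
# Added example, not from the original post. Confirms that the
# _acme-challenge TXT record has propagated before continuing certbot's
# manual dns-01 flow. Assumes dig (bind-utils) is installed; the resolver
# 8.8.8.8 and the 15 s poll interval are assumptions.

# txt_present NAME VALUE DIG_OUTPUT
# Returns 0 when DIG_OUTPUT has an answer line of the form
#   NAME. <ttl> IN TXT "VALUE"
# The name is checked too, so a record on the wrong host does not pass.
txt_present() {
    name="$1"; want="$2"; output="$3"
    printf '%s\n' "$output" | awk -v n="$name." -v v="\"$want\"" '
        $1 == n && $3 == "IN" && $4 == "TXT" && $5 == v { found = 1 }
        END { exit found ? 0 : 1 }'
}

# wait_for_txt NAME VALUE [RESOLVER] [TRIES]
# Polls the resolver every 15 s until the record shows the expected value
# or TRIES attempts are exhausted (default: 20 tries, i.e. about 5 minutes).
wait_for_txt() {
    name="$1"; want="$2"; resolver="${3:-8.8.8.8}"; tries="${4:-20}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(dig -t txt "$name" "@$resolver" 2>/dev/null || true)
        if txt_present "$name" "$want" "$out"; then
            echo "TXT record for $name is live with value $want"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "TXT record for $name did not show value $want after $tries tries" >&2
    return 1
}

# Usage (values from the post's own certbot prompt):
# wait_for_txt _acme-challenge.20190616.xyz X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8
```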
- Once validation passes, press Enter again:
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: zhangyongduo@gmail.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/20190616.xyz/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/20190616.xyz/privkey.pem
Your cert will expire on 2021-01-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- Congratulations! The certificate was generated successfully. Let's look at it:
[root@p0]# pwd
/etc/letsencrypt/live/20190616.xyz
[root@p0]# ls
cert.pem chain.pem fullchain.pem privkey.pem README
Configuring the certificate in nginx
Install nginx
## Install epel and nginx
yum install epel-release
yum install nginx
## Enable nginx
systemctl enable nginx
## Check the install path
whereis nginx
ls -l /usr/sbin/nginx
Configuration file:
/etc/nginx/nginx.conf
- Open the nginx server configuration file and add the following settings (the original snippet was missing the semicolon after listen 443 and used the removed "ssl on;" directive; "listen 443 ssl;" replaces both):
server {
    listen 443 ssl;
    server_name 网站域名;
    ssl_certificate /etc/letsencrypt/live/网站域名/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/网站域名/privkey.pem;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    # TLSv1 and TLSv1.1 are deprecated; only enable TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
    # add_header Strict-Transport-Security "max-age=31536000" always;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    # chain.pem from the same live/ directory lets nginx verify the stapled OCSP response
    ssl_trusted_certificate /etc/letsencrypt/live/网站域名/chain.pem;
}
- Configure the HTTP to HTTPS redirect (a return 301 is the idiomatic form of the permanent rewrite and keeps the full request URI):
server {
    listen 80;
    server_name 你的域名;
    return 301 https://$host$request_uri;
}
Setting up scheduled certificate renewal
- Add Certbot's automatic renewal command to /var/spool/cron/root:
55 9 11 1,3,5,7,9,11 * /opt/certbot/certbot-auto renew --no-self-upgrade --renew-hook "/usr/sbin/nginx -s reload"
This means: at 09:55 on the 11th of January, March, May, July, September and November, run the renewal check once. After renewal completes, restart the nginx service.
Without --no-self-upgrade, it errors out:
Upgrading certbot-auto 1.9.0 to 1.11.0...
Couldn't download https://raw.githubusercontent.com/certbot/certbot/v1.11.0/letsencrypt-auto-source/letsencrypt-auto. <urlopen error [Errno 111] Connection refused>
To pin it to a specific version and stop it receiving automatic updates, just append --no-self-upgrade to the command.
- Restart the cron service so the change takes effect:
service crond restart
Switching certificate tools (no longer using certbot-auto)
In January 2021 I found that the certificate had not been renewed successfully. Checking the crontab execution log:
less /var/log/cron
showed that the job had run, but the certificate had not been renewed:
Jan 10 01:50:01 p0 CROND[27267]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 10 02:00:01 p0 CROND[27768]: (root) CMD (/opt/certbot/certbot-auto renew --renew-hook "/usr/sbin/nginx -s reload")
Jan 10 02:00:01 p0 CROND[27769]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 10 02:00:09 p0 CROND[27767]: (root) MAIL (mailed 207 bytes of output but got status 0x004b#012)
Running the script by hand, it did indeed error out:
[root@p0 log]# /opt/certbot/certbot-auto renew --renew-hook "/usr/sbin/nginx -s reload"
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
Package libffi-devel-3.0.13-19.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-88.el7.centos.noarch already installed and latest version
......
Complete!
Upgrading certbot-auto 1.9.0 to 1.11.0...
Couldn't download https://raw.githubusercontent.com/certbot/certbot/v1.11.0/letsencrypt-auto-source/letsencrypt-auto. <urlopen error [Errno 111] Connection refused>
In short, certbot-auto is no longer usable. On a (technical) friend's recommendation, I switched to snap-apache.
For details, see the link below:
snap-apache
Here is also a compiled list of commands for installing snap:
yum install epel-release
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
snap install core
snap refresh core
Install the certbot tool
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Command to request the certificate (the same command can be used for a renewal request)
certbot certonly --email *@gmail.com -d "*.20190616.xyz" -d 20190616.xyz --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
When renewing, stop nginx first to prevent the DNS TXT validation from failing.
Please deploy a DNS TXT record under the name
_acme-challenge.20190616.xyz with the following value:
After renewing, start nginx again; the certificate renewal is complete.