引子:
最近在一篇文章中了解到EFF(电子前哨基金会)为了推广https协议,成立了一个let'sencrypt项目,可以发放免费的证书,此证书可以被大多数主流浏览器所信任,这个邪恶的念头一爆发,就让我走上了一条坎坷的不归路。
准备:
工具:certbot
环境:centOS7
获取Certbot工具:
根据我在网上了解到的信息,获取certbot工具有三种方法
第一种是通过git在github中下载
git clone https://github.com/certbot/certbot.git
第二种是通过epel-release软件源,这个软件源有许多yum中没有的软件包,包括certbot
yum install epel-release
yum install certbot
第三种是通过wget来进行下载
wget https://dl.eff.org/certbot-auto
由于钟爱github,熟悉git所以直接使用git下载好了
执行命令
git clone https://github.com/certbot/certbot.git
生成证书:
下载完了之后,会创建一个certbot的目录
cd certbot
certbot-auto certonly --standalone --email crisen@crisen.org -d www.crisen.org
然后agree协议 静静等待生成证书即可
出现下面提示就说明安装好了
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/your.domain.com/fullchain.pem. Your cert
will expire on 20XX--. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
证书会生成在/etc/letsencrypt/live目录下
部署证书:
接着把证书的公钥和私钥配置到nginx的ssl目录下,创建软链接
ln -s /etc/letsencrypt/live/www.crisen.org/fullchain.pem /usr/local/nginx/conf/ssl/www.crisen.org.crt
ln -s /etc/letsencrypt/live/www.crisen.org/privkey.pem /usr/local/nginx/conf/ssl/www.crisen.org.key
当然直接复制过去也是可行的
cp -i /etc/letsencrypt/live/www.crisen.org/fullchain.pem /usr/local/nginx/conf/ssl/www.crisen.org.crt
cp -i /etc/letsencrypt/live/www.crisen.org/privkey.pem /usr/local/nginx/conf/ssl/www.crisen.org.key
接下来只要配置 nginx 的https服务就可以了 下面是我的nginx服务器配置文件
server {
listen ;
listen ssl http2;
ssl_certificate /usr/local/nginx/conf/ssl/www.crisen.org.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/www.crisen.org.key;
ssl_protocols TLSv1 TLSv1. TLSv1.;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin: shared:SSL:10m;
ssl_buffer_size ;
add_header Strict-Transport-Security max-age=;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/www.crisen.org.crt;
server_name www.crisen.org;
access_log /data/wwwlogs/www.crisen.org_nginx.log combined;
index index.html index.htm index.php;
include /usr/local/nginx/conf/rewrite/none.conf;
root /data/wwwroot/profiles;
if ($ssl_protocol = "") { return https://$host$request_uri; }
location ~ [^/]\.php(/|$) {
#fastcgi_pass remote_php_ip:;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
}
nginx config
效果测试:
然后进入到www.crisen.org测试一下
aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAASoAAAAmCAYAAABzj9bgAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARbSURBVHhe7ZvBSiRXFIbrafIQZhEYQnbzACGDEEj0ESYkGzNP4FrGRdAQAxNC0mKycRFEcDcjuNNZJCE6TmtAHRdq641/UX/neDhVZWvbc5X/g8+ue+rWvVfp+1PVarFzcJaklDJnFVRSyuwtfvnjZZJSypwter1eklLKnC2SEEJkjoJKCJE9Iw+qjY2N6kgIIa5HcXFxUR2OBgWVEGJQivn5+XR0dFQ12+mdn6Wf1p+nyR8/KX3xaqasXRcFlRBiUIput5vm5ubSwcFBVaoHgfTFD4/S45kPrjix8HE6v+hVvZppCqqpqam0v79ftcRN2dzcTEVRlK9CPATKz6j29vbSwsJCWWgCd1IIpme/T6Y3h3+nncO/0re/fVnWfl6frXo1cx+CCmvAWixRLVcUVOKh0f8wfXV1NW1vb1etmPH5D8tQ6r77v9/u0T9l7fPvP6oqzdw0qGZnZ69sPN8eJmtra6WWqCaEGA39oNrd3U3Ly8tVKwaBBD119Yj7EFTROprWJoS4W/pBdXp6Wn5WVcfXnSf9QKrzm8Xxqnc9bUGFuxa8wk6n069TBJRvAwaXPWeDzI4LAR/nbADhGo5JbA1rsndWdh72G1afCDzS0enp6bI2NjaWlpaWyhqOcT2OCfrZ6yy2zvEA29E5D/tQi18bsf0xtj0nhOdKUOE3gHVEwRTZRltQMZx8iGDjciODqI3+BOfY5lieKKgwvx0X2BrChWtEDfMycBg+w+rj4ab2YJPjHMF4bNtjD+o4TxgqAOcmJibKY45h+xLU7ZoYSsSvDaDNeQD6KKhEE/13UNujXxRKkW0M8uiHzTtIUPmNZGsY24/vYXBZfM22EShoYx6AV7SH1ceCjV23mW3AAHzPNhxwDO3Ph4HiZejg2PbHHP7nW7cmux6/tuiaunGEIP1388rKSuOH6VEoRbbxvoKKoObnIfYuh0Q1jOGDBfOwDYbVhzRtZh8GGANB40E/BlBbONw2qNgXx3Zt0TVtaxGifDdf588TolCKbOMug8oGCgKGdywYI7oWdTunHxNENYxt52Mbr2QYffz6EB520/Pux4cB1sugwrE9Z/v68fioB+qCimPzHI79o58NHb824OdFH3uNEJ7yDz7x2dTx8XFViolCKbKNmwYVNi/Ooxa1ueFRoxZ7jsFggwByLBLVAK/jZrXjkGH08W2GBCU+DNiPIIB4jQ0jP54dA22uC2AOtHmNPWfHgJYoqPy8CDoFlWji2v9C8/TXT8Ngsn7V+azqXU9TUN0GBIrdPIOC8OKdDIlqYvggyBRUookH80/Jtw0qf7cDopq4PT6UeFclRB1X79NHQK5BJUZH9OgnRBMjDyohhBgUBZUQInsUVEKI7Cm+W1xNUkqZs8Wf/54mKaXM2eJ19yRJKWXOKqiklNmroJJSZm+xdflFSilztth6e3kgpZQZW2xefpFSypxVUEkps1dBJaXMXgWVlDJ7FVRSyuxVUEkpM/ck/QfMHlz1SvtKlwAAAABJRU5ErkJggg==" alt="" />
出现了可信任的证书 到此配置完毕
踩过的坑:
服务器操作系统版本过低:
开始的时候我的操作系统是centOS5.1版本的,内置的python只有2.4,结果没有办法启动certbot出现,
因为certbot-auto是python写的,并且必须要2.6以上的版本才可以,
网上查看了许多文档,也确定了certbot只支持更加现代的操作系统
解决办法:备份网站数据,升级服务器操作系统