The HTTPS era: using Certbot (Let's Encrypt)

Installing Certbot (Let's Encrypt) for nginx on CentOS

[root@hexingxing ~]#  yum install epel-release //add the EPEL repository
[root@hexingxing ~]#  yum install -y git //install git
[root@hexingxing ~]#  git clone https://github.com/certbot/certbot //clone certbot with git
Initialized empty Git repository in /certbot/.git/
remote: Counting objects: 51598, done.
remote: Compressing objects: 100% (133/133), done.
remote: Total 51598 (delta 101), reused 99 (delta 48), pack-reused 51415
Receiving objects: 100% (51598/51598), 16.12 MiB | 2.64 MiB/s, done.
Resolving deltas: 100% (36980/36980), done.
[root@hexingxing ~]#  cd certbot //change into the certbot directory
[root@hexingxing certbot]# ./certbot-auto //run the interactive TUI mode to obtain a certificate

Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror, refresh-packagekit, security
…

If you see “Could not install OS dependencies. Aborting bootstrap!”, follow the detailed instructions given in the prompt.
If you see a message of the “Transaction check error: ” kind, an installed library has a conflicting old/new version; remove the version named in the message, for example “krb5-libs-1.10.3-57.el6.x86_64”, with the following command:

[root@hexingxing certbot]# rpm -e krb5-libs-1.10.3-57.el6.x86_64

Then run ./certbot-auto again; the next step prompts you for an email address:

[root@hexingxing certbot]# ./certbot-auto
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: 
Python 2.6 is no longer supported by the Python core team, please upgrade your Python. 
A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): //enter an email address you use regularly

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a //accept the terms of service; 'a' is required

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n //whether to share your email address; answer as you prefer

How would you like to authenticate and install certificates?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin - Alpha (nginx)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 //choose the apache or nginx plugin
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): //case 1: no domain was detected in the configuration files, so enter the domain name manually

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: test.hexingxing.cn //case 2: if an SSL .conf is already configured, the domains configured on your server are listed here (from /etc/nginx/conf.d/)
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 //select the domain(s) to create a certificate for
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for test.hexingxing.cn
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/test.hexingxing.conf for set(['test.hexingxing.cn'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 //whether to redirect to https right away
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/test.hexingxing.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://test.hexingxing.cn

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=test.hexingxing.cn //open this link to test the quality of your HTTPS setup
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
// (a lot of output omitted here: where the certificate and key files are stored, and the expiry date)

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Automatic renewal after 90 days:
Set up a scheduled task for automatic renewal.
First test the renewal with a manual dry run using the following command:

[root@hexingxing ~]# {absolute or relative path to certbot}/certbot-auto renew --dry-run

Output like the following means the command is configured correctly:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Use crontab -e to set up a scheduled task that renews the certificate automatically:

[root@hexingxing ~]# crontab -e
0 3 1 * * {absolute or relative path to certbot}/certbot-auto renew >> /var/log/le-renew.log

Schedule: the renew task runs at 03:00 on the 1st of every month.
Run the following command and check whether the log output is normal; before the renewal window is reached it normally prints “No renewals were attempted.”:

[root@hexingxing ~]# {absolute or relative path to certbot}/certbot-auto renew >> /var/log/le-renew.log

If you need to force a renewal, use the following command; the output will report that the certificate has been renewed.

[root@hexingxing ~]# {absolute or relative path to certbot}/certbot-auto renew --force-renew
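The cron line above appends every run to /var/log/le-renew.log, so after a few months a plain grep for “all renewals succeeded” would keep matching an old run. The wrapper below is an added example, not part of the original post: it stamps each run with a marker line and classifies only the most recent run, using the messages shown above plus certbot's “All renewal attempts failed.” line. It assumes certbot-auto lives at /root/certbot/certbot-auto (the clone location used above); override with CERTBOT_AUTO and LOGFILE.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper for certbot-auto renew
# that marks each run in the log and reports the status of the latest run only.
# Assumed defaults: clone location /root/certbot and the log path from the post.

CERTBOT_AUTO="${CERTBOT_AUTO:-/root/certbot/certbot-auto}"
LOGFILE="${LOGFILE:-/var/log/le-renew.log}"
MARK='=== certbot renew run '

# Append one marked run (same renew command as the cron line in the post).
run_renew() {
    printf '%s%s ===\n' "$MARK" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" >> "$LOGFILE"
    "$CERTBOT_AUTO" renew >> "$LOGFILE" 2>&1
}

# Print only the log lines written after the last run marker.
last_run_section() {
    awk -v mark="$MARK" '
        index($0, mark) == 1 { buf = ""; next }   # new run: discard earlier lines
        { buf = buf $0 "\n" }
        END { printf "%s", buf }' "$1"
}

# Classify the latest run: renewed | nothing-due | failed | unknown
last_run_status() {
    section=$(last_run_section "$1")
    case "$section" in
        *"All renewal attempts failed"*) echo failed ;;
        *"all renewals succeeded"*)     echo renewed ;;
        *"No renewals were attempted"*) echo nothing-due ;;
        *)                              echo unknown ;;
    esac
}

# Usage: le-renew.sh run     (from cron, instead of calling certbot-auto directly)
#        le-renew.sh status  (prints the result of the most recent run)
case "${1:-}" in
    run)    run_renew ;;
    status) last_run_status "$LOGFILE" ;;
esac
```

Replace the cron command with `/path/to/le-renew.sh run` and let a monitoring check call `le-renew.sh status`, treating anything other than `renewed` or `nothing-due` as an alert.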

nginx HTTPS certificate configuration

HTTP 301 redirect to HTTPS