1. Obtaining a Let's Encrypt certificate
1.1 Download certbot-auto
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
1.2 Obtain a certificate with certbot-auto
# Request the certificate
# -d is followed by your domain; it can be a specific name or use the * wildcard
# certonly selects "obtain only" mode; Certbot has two kinds of plugins, installers and authenticators
# --manual selects the manual authenticator plugin; Certbot has many plugins, each able to request certificates, so pick the one you need
# --preferred-challenges dns validates ownership of the domain through DNS (the DNS-01 challenge)
# --server: the Let's Encrypt ACME v2 endpoint differs from the v1 one and must be given explicitly
certbot-auto certonly -d *.lazyrabbit.xyz --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
After running the certbot-auto command, you are asked on the command line to register an email address, agree to the terms of service, and so on.
After confirming that your IP address may be logged, you need to validate the domain:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lazyrabbit.xyz with the following value:
DDa_QY9betWg8lf6yfFte50HgB7JlW3-utpS6XJ5rlM
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Here you need to add a TXT record in your domain's DNS zone with the given value, under the subdomain _acme-challenge.
Once the record has taken effect, press Enter and the certificate files are generated under /etc/letsencrypt/live/<your domain>/.
If the record had not taken effect when you pressed Enter, simply run the certbot-auto command above again; by default it remembers the choices you made.
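Before pressing Enter at the "verify the record is deployed" prompt, the following added example (not part of the original post) uses dig to poll until the _acme-challenge TXT record carries exactly the token certbot printed; it assumes dig is installed and uses an ACME_RESOLVER variable (my own name, optional) to query one of the zone's authoritative nameservers directly instead of a caching resolver.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the _acme-challenge
# TXT record really carries the token certbot printed before continuing.
# Assumes `dig` (bind-utils / dnsutils) is installed. Set ACME_RESOLVER
# (hypothetical variable) to an authoritative nameserver to bypass caches.

# Print every TXT string for NAME, one per line, without the quotes dig adds.
acme_txt_records() {
    name=$1
    dig +short TXT "$name" ${ACME_RESOLVER:+"@$ACME_RESOLVER"} \
        | sed -e 's/^"//' -e 's/"$//'
}

# acme_txt_matches NAME EXPECTED -> 0 when some record equals EXPECTED exactly.
# Whole-line fixed-string matching (-x -F) so a partial or look-alike value
# is not accepted.
acme_txt_matches() {
    acme_txt_records "$1" | grep -qxF -- "$2"
}

# wait_for_acme_txt NAME EXPECTED [ATTEMPTS] [SLEEP_SECS]
# Polls until the record is visible or the attempts run out.
wait_for_acme_txt() {
    name=$1; expected=$2; attempts=${3:-12}; pause=${4:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if acme_txt_matches "$name" "$expected"; then
            echo "TXT record for $name carries the expected value"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$attempts: not visible yet, retrying in ${pause}s"
        sleep "$pause"
    done
    echo "gave up: $name does not carry the expected value" >&2
    return 1
}

# Usage (the token is the one certbot printed in the prompt above):
#   sh check_acme_txt.sh _acme-challenge.lazyrabbit.xyz DDa_QY9betWg8lf6yfFte50HgB7JlW3-utpS6XJ5rlM
if [ $# -eq 2 ]; then
    wait_for_acme_txt "$1" "$2"
fi
```

A successful exit status means it is safe to press Enter; a non-zero one means certbot would most likely fail the challenge right now.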
1.3 Renew a certificate with certbot-auto
Let's Encrypt's free certificates have a limited validity period; when one is about to expire, run:
certbot-auto renew
You can create a cron job to run the renewal command periodically:
crontab -e
# cron runs with a minimal PATH, so use absolute paths: certbot-auto was installed to /usr/local/bin above, and nginx lives under --prefix=/usr/local/nginx.
# Note: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively; certbot reports an error for it instead.
0 5 3 * * echo `date -R` >> /var/log/lets.crontab.log; /usr/local/bin/certbot-auto renew --force-renewal >> /var/log/lets.crontab.log 2>&1 ; /usr/local/nginx/sbin/nginx -s reload
2. Configuring HTTPS in nginx
2.1 Installing the nginx ssl module
Check whether nginx was built with the ssl module:
nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
If it was not, nginx has to be rebuilt:
./configure --prefix=/usr/local/nginx --with-http_ssl_module
# This overwrites the existing installation, so back it up first
# Alternatively, run only make and copy objs/nginx into the nginx directory by hand
make && make install
2.2 Configuring HTTPS
Add a new server block with the ssl settings to the nginx configuration file.
ssl_certificate and ssl_certificate_key point to the certificate files generated above:
# This is the configuration from the default config file
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/letsencrypt/live/lazyrabbit.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lazyrabbit.xyz/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
After that the site can be accessed over https; make sure port 443 is open in the firewall.
2.3 Forcing a redirect to https
Here I moved the ssl settings into a separate file and include it:
# Force www on the bare domain (http)
server {
    listen 80;
    server_name lazyrabbit.xyz;
    return 301 https://www.lazyrabbit.xyz$request_uri;
}
# Force www on the bare domain (https)
# Note: a certificate issued for *.lazyrabbit.xyz alone does not cover the bare name lazyrabbit.xyz;
# for this block to serve without a certificate mismatch, the certificate must also include lazyrabbit.xyz
server {
    include ssl.conf;
    server_name lazyrabbit.xyz;
    return 301 https://www.lazyrabbit.xyz$request_uri;
}
# Redirect to https
server {
    listen 80;
    server_name *.lazyrabbit.xyz;
    return 301 https://$host$request_uri;
}
# HTTPS server
server {
    include ssl.conf;
    server_name blog.lazyrabbit.xyz;
    root /usr/local/hexo/public;
    index index.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    include ssl.conf;
    server_name *.lazyrabbit.xyz;
    root html/home;
    index index.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
ssl.conf:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/lazyrabbit.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lazyrabbit.xyz/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;