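The Certbot website already explains all the steps for most Linux distributions and scenarios very well. As long as you read the steps carefully, you won't go wrong. https://certbot.eff.org/
This post records the steps I followed on an Nginx web server running on CentOS 7, as notes for myself: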

Visit Certbot for instructions


Instructions for installing and running Certbot


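  1. SSH into the server
    SSH into the server running your HTTP website as a user with sudo privileges.
  2. Enable the EPEL repository
    You need to enable the EPEL (Extra Packages for Enterprise Linux) repository.
    Follow the instructions on the Fedora wiki to enable EPEL.
  3. Enable the optional channel
    If you are using RHEL or Oracle Linux, you also need to enable the optional channel. On EC2, RHEL users can enable the optional channel by running the following commands, replacing REGION with your EC2 region: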
    1. yum -y install yum-utils
    2. yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
  4. Install Certbot
    Run this command on the command line on the machine to install Certbot.
    sudo yum install certbot python2-certbot-nginx
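  5. Choose how you'd like to run Certbot
    • Either get and install your certificates…
      Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.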
      sudo certbot --nginx
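    • Or, just get a certificate
      If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.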
      sudo certbot certonly --nginx
  6. Set up automatic renewal
    We recommend running the following line, which will add a cron job to the default crontab.
    echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
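  7. Confirm that Certbot worked
    To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.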

Before running Certbot to apply the certificate:

After applying the Certbot changes:

Output from running Certbot:

[[email protected] docker2.51sec.org]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: docker2.51sec.org
2: docker2.itprosec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker2.itprosec.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/docker2.itprosec.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://docker2.itprosec.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=docker2.itprosec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/docker2.itprosec.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/docker2.itprosec.com/privkey.pem
   Your cert will expire on 2020-08-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[[email protected] docker2.51sec.org]#

Changes to the website configuration file

Before Certbot installs the certificate on docker2.51sec.org
[[email protected] conf.d]# cat docker2.51sec.org.conf
server {
    listen 80;
    server_name  docker2.51sec.org;

location / {
    proxy_pass       http://127.0.0.1:9000;
    proxy_redirect             off;
    proxy_http_version         1.1;
    proxy_set_header Upgrade   $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

After installing the SSL certificate


[[email protected] conf.d]# cat docker2.51sec.org.conf
server {
    server_name  docker2.51sec.org;

location / {
    proxy_pass       http://127.0.0.1:9000;
    proxy_redirect             off;
    proxy_http_version         1.1;
    proxy_set_header Upgrade   $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/docker2.51sec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docker2.51sec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = docker2.51sec.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen       80;
    server_name  docker2.51sec.org;
    return 404; # managed by Certbot


}
[[email protected] conf.d]#
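
An added example (not from the original post or from Certbot): a small Python check that parses an Nginx config and lists the server blocks that still answer plain HTTP without redirecting to HTTPS, which is the state the "1: No redirect" answer in the session above leaves a site in. The sample config is constructed; its third block is an assumption about what that answer produces, and the function names are hypothetical.

```python
import re

# Constructed sample: blocks 1-2 follow the post-Certbot config above (certificate
# lines omitted); block 3 is an assumed result of answering "1: No redirect".
SAMPLE = r"""
server {
    server_name docker2.51sec.org;
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = docker2.51sec.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name docker2.51sec.org;
}
server {
    listen 80;
    server_name docker2.itprosec.com;
    location / { proxy_pass http://127.0.0.1:9000; }
    listen 443 ssl; # managed by Certbot
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, comments removed."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(body, name):
    """Argument lists of every `name ...;` directive that starts a line."""
    pat = r"^\s*%s\s+([^;{]+);" % re.escape(name)
    return [m.group(1).split() for m in re.finditer(pat, body, re.M)]

def audit(conf):
    """Names of server blocks that answer plain HTTP without redirecting to HTTPS."""
    flagged = []
    for body in server_blocks(conf):
        names = directive(body, "server_name")
        plain = any("ssl" not in args for args in directive(body, "listen"))
        to_https = re.search(r"\breturn\s+30[1278]\s+https://", body)
        if plain and not to_https:
            flagged.append(names[0][0] if names else "(unnamed)")
    return flagged
```

To check a real file, pass its contents to `audit()`, for example `audit(open("/etc/nginx/conf.d/docker2.51sec.org.conf").read())`; an empty list means every port-80 block redirects to HTTPS.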

The certificates are located at /etc/letsencrypt/:


[[email protected] /]# cd /etc/letsencrypt/
[[email protected] letsencrypt]# ls
accounts  archive  csr  keys  live  options-ssl-nginx.conf  renewal  renewal-hooks  ssl-dhparams.pem
[[email protected] letsencrypt]# cd archive/
[[email protected] archive]# ls
docker2.51sec.org
[[email protected] archive]# cd docker2.51sec.org/
[[email protected] docker2.51sec.org]# ls
cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem
[[email protected] docker2.51sec.org]# cd ../../live
[[email protected] live]# ls
docker2.51sec.org  README
[[email protected] live]# cd docker2.51sec.org/
[[email protected] docker2.51sec.org]# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
[[email protected] docker2.51sec.org]#

By John Yan
