一、HTTPS证书
本文介绍服务器端免费的配置HTTPS证书。
使用Let’s Encrypt证书,安全性优良,各大厂商都支持,还能实现自动更新有效期
二、准备
- linux
- python
- git
三、步骤
#路径 存放源代码路径
#获取letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
#进入letsencrypt目录
cd letsencrypt
#生成证书 --email后填写自己的邮箱 -d 后面填写需要配置证书的域名(支持多个哦)
# ./letsencrypt-auto certonly --standalone --email xsj34567@163.com -d blogyw.meizhangzheng.com 2021.03弃用
yum install epel-release # 安装epel
yum install snapd # 安装snapd
systemctl enable --now snapd.socket # 启用snapd.socket
ln -s /var/lib/snapd/snap /snap # 创建软链接
snap install --classic certbot # 安装certbot
ln -s /snap/bin/certbot /usr/bin/certbot # 创建certbot软链接
# 如果之前安装过Certbot出现了问题,可以进行重装
yum remove certbot # 卸载certbot
rm /usr/local/bin/certbot-auto # 删除安装文件
rm -rf /opt/eff.org/certbot
# //生成证书
certbot certonly --standalone --email xsj34567@163.com -d blogyw.meizhangzheng.com
# 证书路径
# Certificate is saved at: /etc/letsencrypt/live/blogyw.meizhangzheng.com/fullchain.pem
# Key is saved at: /etc/letsencrypt/live/blogyw.meizhangzheng.com/privkey.pem
Certbot配置Let’s Encrypt的https_ssl证书以及过程中出现的问题(2021更新)
启动Nignx (注意挂载路径)
docker run -d -p 80:80 -p 443:443 --name nginx -v /etc/letsencrypt/live/blogyw.meizhangzheng.com/:/etc/letsencrypt/live/blogyw.meizhangzheng.com/:rw -v /usr/meizhangzheng/git/:/usr/meizhangzheng/git/:rw -v /usr/meizhangzheng/nginx/vhosts/:/etc/nginx/conf.d/:ro meizhangzheng/nginx
#1. 查找生成CA路径:
find -name certbot
#2. 系统目录
/usr/meizhangzheng/nginx/vhosts/ssl/domain/letsencrypt/certbot
#3. 关掉80端口:
docker stop nginx
#4. 执行命令(注意当前路径:/usr/meizhangzheng/nginx/vhosts/ssl/domain/letsencrypt/)
certbot certonly certonly --standalone --email xsj34567@163.com -d blogyw.meizhangzheng.com
#5. 修改文件名(有可能不修改)
cd /etc/letsencrypt/archive/blogyw.meizhangzheng.com/
mv cert2.pem cert1.pem
mv chain2.pem chain1.pem
mv fullchain2.pem fullchain1.pem
mv fullchain2.pem fullchain1.pem
#6. 启动服务:
docker restart nginx
server {
listen 80;
server_name blogyw.meizhangzheng.com;
#root /usr/meizhangzheng/git/xushj.gitee.io;
rewrite ^(.*)$ https://$host$1 permanent;
error_page 500 502 503 504 /50x.html;
location ~ /* {
root /usr/meizhangzheng/git/xushj.gitee.io/_site;
index index.html index.htm;
}
}
server {
# listen 443 ssl;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
# #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#
# #ssl_certificate /etc/nginx/vhosts/ssl/blogyw/ssl.pem;
# #ssl_certificate_key /etc/nginx/vhosts/ssl/blogyw/ssl.key;
#
ssl_certificate "/etc/letsencrypt/archive/blogyw.meizhangzheng.com/fullchain1.pem";
ssl_certificate_key "/etc/letsencrypt/archive/blogyw.meizhangzheng.com/privkey1.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
server_name blogyw.meizhangzheng.com;
root /usr/meizhangzheng/git/xushj.gitee.io/_site;
error_page 500 502 503 504 /50x.html;
error_page 404 /404.html;
error_page 403 /403.html;
location = /50x.html {
root /htdocs/blogyw_error_page;
}
location = /404.html {
root /htdocs/blogyw_error_page;
}
location = /403.html {
root /htdocs/blogyw_error_page;
}
}