前言
自己做了一个博客,需要访问自己的网站获取数据,但是系统默认只能直接访问https的网站。不想让应用改用http的服务。因此,研究如何启用https,本文即是介绍如何在CentOS上配合Nginx使用CertBot。
环境
-
Ubuntu
-
Nginx
安装CertBot
命令行,键入:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
然后,可以使用以下命令安装certbot:
sudo apt-get install certbot python-certbot-nginx
生成证书
sudo certbot --nginx
剩下的一切会自动完成。Certbot 会自动帮你注册账户,检测 Nginx 配置文件中的域名,询问你为哪些域名生成证书,是否将 Http 重定向到 Https 等等,最后帮你自动修改 Nginx 配置并重启,这时你的网站已经变成了 Https。
但Certbot没有给你自动修改Nginx配置时,这时候需要自己配置
如果提示:
IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at/etc/letsencrypt/live/your.domain.com/fullchain.pem. Your certwill expire on 20XX-09-23. To obtain a new or tweaked version ofthis certificate in the future, simply run certbot again. Tonon-interactively renew *all* of your certificates, run "certbotrenew"- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donateDonating to EFF: https://eff.org/donate-le
证书生成成功!
配置Nginx
目前已经自动帮我们配置证书了,我们可以看下配置的形式,后续可以自己配置。
server {server_name bbs.wzlinux.com; # managed by Certbotroot /usr/share/nginx/html;# Load configuration files for the default server block.include /etc/nginx/default.d/*.conf;location / {}error_page 404 /404.html;location = /40x.html {}error_page 500 502 503 504 /50x.html;location = /50x.html {}listen [::]:443 ssl ipv6only=on; # managed by Certbotlisten 443 ssl; # managed by Certbotssl_certificate /etc/letsencrypt/live/bbs.wzlinux.com/fullchain.pem; # managed by Certbotssl_certificate_key /etc/letsencrypt/live/bbs.wzlinux.com/privkey.pem; # managed by Certbotinclude /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbotssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot}server {if ($host = bbs.wzlinux.com) {return 301 https://$host$request_uri;} # managed by Certbotlisten 80 ;listen [::]:80 ;server_name bbs.wzlinux.com;return 404; # managed by Certbot}
启用443端口
同样,修改Nginx的虚拟主机配置文件,新建一个443端口的server配置:
server {listen 443 ssl;listen [::]:443 ssl ipv6only=on;ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;// ... other settings ...
}
上面记得替换your.domain.com
为你自己的域名。
接着重新加载Nginx配置:
sudo service nginx reload
现在通过浏览器访问你的网站:https://your.domain.com
试试,如果看到浏览器的绿色标志,恭喜你设置成功!
不过由于这个证书的时效只有90天,我们需要设置自动更新的功能,帮我们自动更新证书的时效。
自动更新证书
先在命令行模拟证书更新:
sudo certbot renew --dry-run
模拟更新成功的效果如下:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)Congratulations, all renewals succeeded. The following certs have been renewed:/etc/letsencrypt/live/your.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
既然模拟成功,我们就使用crontab -e
的命令来启用自动任务,命令行:
sudo crontab -e
添加配置:
0 4 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
上面的执行时间为:每天执行renew任务。
你可以在命令行执行/usr/bin/certbot renew >> /var/log/le-renew.log
看看是否执行正常,如果一切OK,那么我们的配置到此结束!
参考
-
Certbot官网
-
LetsEncrypt Nginx and Proxy Apps on Ubuntu