起因
各大浏览器会在非https网站显示不安全,且许多应用不允许访问非https网站(例如微信小程序),ssl证书就成了网站的必备选项了,但是大部分的证书是要收费的,当然也有支持申请免费证书的平台,但是不仅需要各种认证资料,而且绝大多数不能自动续签。
certbot是一个免费好用的SSL生成认证配置工具。利用certbot生成的证书是由EEF电子前哨基金会、 Mozilla 基金会和美国密歇根大学成立了一个公益组织叫 ISRG ( Internet Security Research Group ),这个组织从 2015 年开始推出了 Let’s Encrypt 免费证书。这个免费证书不仅免费,而且还相当好用,所以我们就可以利用 Let’s Encrypt 提供的免费证书部署 https 了。
配置方式
本教程适用于Ubuntu20.04,其余系统未测试
首先 python-certbot-nginx 已停止支持,我们应当安装python3-certbot-nginx
1、安装Cerbot
sudo apt-get updatesudo apt-get install software-properties-commonsudo add-apt-repository ppa:certbot/certbotsudo apt-get updatesudo apt-get install python3-certbot-nginx 安装过程中,若出现 W: GPG error: http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4F4EA0AAE5267A6C
可使用以下指令解决,注意后面的key要替换为提示错误中的PUBKEY
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F4EA0AAE5267A6C补充下Centos下安装方法(未验证):
yum install certbot安装完可能会遇到下面两个错误,对应解决即可
解决 ImportError: cannot import name UnrewindableBodyError
pip install --upgrade urllib3 utils解决 ImportError: 'pyOpenSSL' module missing required functionality
pip install --upgrade --force-reinstall 'requests==2.6.0'安装nginx插件
pip install certbot-nginx2、申请证书
sudo certbot --nginx --nginx-server-root /etc/nginx/ -d xxx.newimg.ltdSaving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ddy.j2do.com
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on [::]:80, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on [::]:80, ignored
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ddy
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "" on [::]:80, ignored
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://ddy.j2do.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ddy.j2do.com
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.j2do.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.j2do.com/privkey.pem
Your cert will expire on 2018-09-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le第一项必须是选择同意(A),第二项无所谓,是将记得邮件地址添加到EFF邮件列表中,发送一些邮件给你,可以选择否(N),这时候证书会自动生成,并根据你的域名,去查找nginx配置,自动修改nginx配置支持https,最后询问你,是否要将http的请求全部重置到https上,配置完成后告诉你一些信息,证书存放在
/etc/letsencrypt位置
3、重启nignx即可
sudo service nginx restart4、自动定时申请更新证书
无论如何要记得更新证书这个事情还是很麻烦,那么certbot提供了一个自动为所有证书重新申请的命令,而且它是智能的,只申请七天内到期的证书
设置crontab命令
0 4 1 * * certbot renew --force-renew
