Installing and deploying an SSL certificate on Linux (node)


At first I considered a domestic CA, but after reading up I switched to Let's Encrypt

The reasons:

  1. Wildcard certificates are supported, so one configuration covers the whole site
  2. Renewal of the SSL certificate can be scripted

Installation

  • Install

    certbot: the EFF's ACME client, used to request HTTPS certificates from Let's Encrypt
    python2-certbot-nginx: the Nginx plugin; it reads the Nginx configuration to find the domains and writes the certificate directives back, so a service running behind Nginx can be certified with a single command

    • CentOS
    # Install the tools (on CentOS 7 certbot comes from the EPEL repository, hence epel-release)
    yum install yum-utils epel-release -y
    yum install certbot python2-certbot-nginx -y
    # Check the installed version
    certbot --version
    # Obtain the certificate and install it into Nginx
    certbot --nginx
    # This starts an interactive session:
    # accept the terms of service, enter a contact e-mail, pick which of the domains found in the Nginx config to certify, and decide whether to redirect HTTP to HTTPS
    
    • Ubuntu
    # Install the tools (the certbot PPA below has since been deprecated in favour of the snap package, but it is what this setup used)
    sudo apt-get update
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install python-certbot-nginx
    # Obtain a Let's Encrypt certificate
    # Suppose the domain is abc.cn. A wildcard needs the ACME v2 endpoint and the DNS-01 challenge, and *.abc.cn does not cover the apex, so abc.cn is requested as a second name. The wildcard is quoted so the shell does not expand it as a glob
    sudo certbot --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --installer nginx -d '*.abc.cn' -d abc.cn
    
    # Confirm through the prompts
    # When certbot prints a validation value, copy it and create the DNS record it asks for: at your DNS provider, add a TXT record with host `_acme-challenge` and the printed value as its content. certbot prompts once for *.abc.cn and once for abc.cn; both records share the name _acme-challenge.abc.cn, so add the second alongside the first instead of replacing it, wait until `dig TXT _acme-challenge.abc.cn` shows both values, then press Enter
    # Because --manual was used, `certbot renew` cannot repeat this unattended unless a --manual-auth-hook script performs the DNS step; see the renewal section
    
  • On success certbot prints the summary below; if it fails, read the error message carefully

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# IMPORTANT NOTES:
#  - Congratulations! Your certificate and chain have been saved at:
#    /etc/letsencrypt/live/abc.cn/fullchain.pem
#    Your key file has been saved at:
#    /etc/letsencrypt/live/abc.cn/privkey.pem
#    Your cert will expire on 2020-02-12. To obtain a new or tweaked
#    version of this certificate in the future, simply run certbot again
#    with the "certonly" option. To non-interactively renew *all* of
#    your certificates, run "certbot renew"
#  - If you like Certbot, please consider supporting our work by:

#    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
#    Donating to EFF:                    https://eff.org/donate-le
  • certbot writes the following into the Nginx config (the lines marked `# managed by Certbot`). The `card.abc.cn` server points at the same lineage under `/etc/letsencrypt/live/abc.cn/`, which is only valid because the certificate issued above covers `*.abc.cn`. Note that the Node process on 127.0.0.1:3001 behind `/api` receives only `Host`, `X-Real-IP`, `REMOTE-HOST` and `X-Forwarded-For`; add `proxy_set_header X-Forwarded-Proto $scheme;` if the application needs to know the client connected over HTTPS (for `Secure` cookies or absolute redirects)
server {
  server_name abc.cn www.abc.cn;

  location / {
    root /home/card;
    index index.html index.htm;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/abc.cn/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/abc.cn/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen  80;
  server_name abc.cn www.abc.cn;
    return 404; # managed by Certbot
}
server {
  server_name card.abc.cn;

  server_name_in_redirect off;
  proxy_set_header Host $host:$server_port;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header REMOTE-HOST $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;



  # GZIP
  gzip  on;
  gzip_buffers 32 4k;
  gzip_comp_level 6;
  gzip_min_length 200;
  gzip_types text/css text/xml application/javascript;
  gzip_vary on;

  location / {
    root /home/card-admin/dist;
    index index.html index.htm;
    # SPA fallback: paths that are not files fall through to index.html instead of returning 404
    try_files $uri $uri/ @router;
    add_header Cache-Control 'private, no-store, max-age=0';
  }
  location @router {
    rewrite ^.*$ /index.html last;
  }
  location /api {
    # proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header Host $http_host;
    # proxy_set_header X-Nginx-Proxy true;
    # proxy_set_header Connection "";
    # proxy_set_header Cookie $http_cookie;

    proxy_pass http://127.0.0.1:3001;
  }
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   html;
  }
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/abc.cn/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/abc.cn/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = card.abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen  80;
  server_name card.abc.cn;
    return 404; # managed by Certbot
}
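The wildcard command above uses `--manual`, which means someone has to paste two TXT records every time the certificate is issued. Certbot's `--manual-auth-hook` and `--manual-cleanup-hook` let a script do that instead, and certbot stores the hooks in the renewal configuration so `certbot renew` can repeat them. The following is an added example, not code from the original post: a hook script for `*.abc.cn` and `abc.cn`. It assumes a DNS provider with an API; since none is named on this page, `publish_txt_record` and `remove_txt_record` append to and delete from a local file (`RECORD_STORE`) as a stand-in, and those are the two functions you replace with the provider's calls.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): certbot --manual-auth-hook /
# --manual-cleanup-hook for the DNS-01 challenge, so the wildcard certificate
# can be renewed by `certbot renew` with nobody typing TXT records by hand.
# certbot runs the auth hook once per name (*.abc.cn, abc.cn), passing the
# name in CERTBOT_DOMAIN and the challenge value in CERTBOT_VALIDATION.
#
# Assumptions: RECORD_STORE is a local-file stand-in for your DNS provider;
# replace publish_txt_record/remove_txt_record with the provider's API calls.
set -eu

RECORD_STORE="${RECORD_STORE:-/tmp/acme-txt-records.tsv}"
DNS_PROPAGATION_SECONDS="${DNS_PROPAGATION_SECONDS:-30}"

# The TXT record name Let's Encrypt queries. An ACME authorization names a
# wildcard by its base domain (RFC 8555), so *.abc.cn and abc.cn are both
# validated at _acme-challenge.abc.cn; a leading "*." is stripped defensively
# in case a caller passes the raw -d value.
acme_txt_name() {
  local domain="${1#\*.}"
  printf '_acme-challenge.%s\n' "$domain"
}

# Publish one TXT record. Append rather than replace: while certbot validates
# the second name, the record published for the first must still exist.
publish_txt_record() {
  local name="$1" value="$2"
  printf '%s\t%s\n' "$name" "$value" >> "$RECORD_STORE"
}

# Remove exactly the record that was published for this validation.
remove_txt_record() {
  local name="$1" value="$2"
  [ -f "$RECORD_STORE" ] || return 0
  grep -v -F -x "$(printf '%s\t%s' "$name" "$value")" "$RECORD_STORE" \
    > "$RECORD_STORE.tmp" || true
  mv "$RECORD_STORE.tmp" "$RECORD_STORE"
}

# Values currently published under a name, one per line.
published_values() {
  local name="$1"
  [ -f "$RECORD_STORE" ] || return 0
  awk -F '\t' -v n="$name" '$1 == n { print $2 }' "$RECORD_STORE"
}

auth_hook() {
  local name
  name="$(acme_txt_name "$CERTBOT_DOMAIN")"
  publish_txt_record "$name" "$CERTBOT_VALIDATION"
  # Give the authoritative servers time to serve the record before
  # certbot asks the CA to validate it.
  sleep "$DNS_PROPAGATION_SECONDS"
}

cleanup_hook() {
  remove_txt_record "$(acme_txt_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# Usage, with the same names as the guide's manual command
# (the install path /usr/local/bin/acme-dns-hook.sh is an assumption):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/acme-dns-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh cleanup" \
#     -d '*.abc.cn' -d abc.cn
# certbot saves the hooks in the renewal config, so a later `certbot renew`
# runs them again unattended.
case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

Two details matter for a wildcard plus apex: both validations live under the same name `_acme-challenge.abc.cn`, so the hook appends rather than overwrites, and certbot runs the auth hook for the second name while the first record must still be published; the cleanup hook therefore removes only the exact value it created. `DNS_PROPAGATION_SECONDS` is a crude wait; a provider-specific hook should poll the authoritative name servers instead.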

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days, so renewal has to be scripted. `certbot renew` can only renew unattended what it can re-validate unattended: the certificate from `certbot --nginx` renews without intervention, while the wildcard obtained with `--manual --preferred-challenges dns` is skipped with an error unless it was issued with `--manual-auth-hook` (a script that publishes the `_acme-challenge` TXT record).

# Rehearse renewal without touching the real certificates (uses the staging CA)
certbot renew --dry-run

# Real renewal; --quiet silences everything except errors, which is what you want from cron
certbot renew --quiet
  • Add the scheduled job
# Edit `/etc/crontab`. Unlike a user crontab (`crontab -e`), the system crontab has an extra user column after the five time fields; it is `root` here because certbot must write /etc/letsencrypt and reload nginx
# Fields: [minute 0-59, hour 0-23, day 1-31, month 1-12, weekday 0-7]
# Run `certbot renew` twice a day. It only contacts the CA for certificates with fewer than 30 days left, so the frequent schedule costs nothing and leaves many retries; a single monthly run would give a failed attempt no second chance before the 90-day certificate expires
# --deploy-hook runs only when a certificate was actually renewed, so nginx is not reloaded on every run
0 5,17 * * * root /usr/bin/certbot renew --quiet --deploy-hook "/bin/systemctl reload nginx"
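Whether the cron job did its work is something to verify rather than assume. The following is an added example, not part of the original post: a script that applies the two checks a renewal job should make on `/etc/letsencrypt/live/abc.cn/fullchain.pem` using only `openssl`: is the leaf certificate inside certbot's 30-day renewal window, and does it actually cover every host Nginx serves (`abc.cn`, `www.abc.cn`, `card.abc.cn` from the configuration above) under the wildcard-matching rules of RFC 6125. Because a real certificate is not available here, `make_demo_cert` constructs a self-signed 90-day certificate with the same names; that function is a stand-in for the Let's Encrypt file and is the only constructed input.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): post-renewal checks on a
# fullchain.pem using openssl only. make_demo_cert builds a self-signed
# stand-in (constructed data) so the script runs offline.
set -eu

RENEWAL_WINDOW_DAYS=30

# DNS names from the leaf certificate's subjectAltName, one per line.
# `openssl x509` reads only the first certificate in fullchain.pem, i.e. the leaf.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 if host is matched by one SAN entry. Per RFC 6125 a wildcard stands
# in for exactly one leftmost label: *.abc.cn covers card.abc.cn, but neither
# the apex abc.cn nor a.b.abc.cn.
host_matches_san() {
  local host="$1" san="$2"
  case "$san" in
    \*.*)
      local suffix="${san#\*.}" label="${host%%.*}"
      if [ -n "$label" ] && [ "$host" = "$label.$suffix" ]; then return 0; fi
      return 1 ;;
    *)
      if [ "$host" = "$san" ]; then return 0; fi
      return 1 ;;
  esac
}

# Exit 0 if some SAN in the certificate covers the host.
cert_covers() {
  local cert="$1" host="$2" san matched=1
  set -f   # no pathname expansion: "*.abc.cn" must stay a literal string
  for san in $(cert_sans "$cert"); do
    if host_matches_san "$host" "$san"; then matched=0; break; fi
  done
  set +f
  return "$matched"
}

# Exit 0 if the certificate expires within N days; with N=30 this is the
# test `certbot renew` applies before it contacts the CA.
expires_within_days() {
  local cert="$1" days="$2"
  ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" > /dev/null
}

# Self-signed stand-in for the Let's Encrypt certificate (constructed data),
# with the same names the guide requested: abc.cn and *.abc.cn, valid 90 days.
make_demo_cert() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = abc.cn
[v3]
subjectAltName = DNS:abc.cn, DNS:*.abc.cn
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$dir/req.cnf" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2> /dev/null
  printf '%s\n' "$dir/fullchain.pem"
}

# The report a cron job's mail or a monitoring check would print.
report() {
  local cert="$1" host
  shift
  echo "certificate: $cert"
  echo "expires: $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
  if expires_within_days "$cert" "$RENEWAL_WINDOW_DAYS"; then
    echo "renewal: due (fewer than $RENEWAL_WINDOW_DAYS days left)"
  else
    echo "renewal: not yet due"
  fi
  for host in "$@"; do
    if cert_covers "$cert" "$host"; then
      echo "covers $host: yes"
    else
      echo "covers $host: NO"
    fi
  done
}

DEMO_CERT="$(make_demo_cert)"
# On a real host: report /etc/letsencrypt/live/abc.cn/fullchain.pem abc.cn www.abc.cn card.abc.cn
report "$DEMO_CERT" abc.cn www.abc.cn card.abc.cn a.b.abc.cn
```

Run it as-is to see the report on the constructed certificate, or call `report /etc/letsencrypt/live/abc.cn/fullchain.pem abc.cn www.abc.cn card.abc.cn` on the server. `a.b.abc.cn` is included in the demo to show that `*.abc.cn` covers only one label; a second-level name would need its own certificate or a separate `*.b.abc.cn` entry.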

Pitfalls

Errors can come up during installation, and the fix varies a little with the environment,
but each of them has a known solution:

  • Python version problems: uninstall and reinstall the required version
  • `'ascii' codec can't decode byte 0xe5 in position 2`: an encoding error; the Python 2 Nginx plugin cannot decode non-ASCII bytes, so remove the Chinese comments from the Nginx configuration
  • `pkg_resources.DistributionNotFound: urllib3<1.23,>=1.21.1 distribution was not found and is required`: run `easy_install urllib3==1.21.1`

A more convenient solution

I haven't tried it myself, but it will certainly resolve the many errors in the installation process
