zoukankan      html  css  js  c++  java
  • 免费https/ssl通配证书(letsencrypt)安装

    https://www.qikegu.com/uncategorized/2328

    letsencrypt证书简介

    https已经是网站标配,要启用HTTPS需要从证书颁发机构(CA)购买证书(一种文件类型),便宜的有几百1年,贵的要几千甚至上万1年。

    现在有了letsencrypt证书,就再也不必为证书花钱了。letsencrypt证书是开源免费的,使用letsencrypt证书只需要证明域名是你的就可以。

    安装证书步骤

    我们会在centos环境下安装证书,系统环境及要配置的域名:

    • 系统:centos 7
    • 域名:qikegu.com, *.qikegu.com

    按以下步骤安装证书

    1. 安装letsencrypt证书管理Certbot
    2. 生成证书
    3. NGINX配置证书

    1. 安装letsencrypt证书管理Certbot

    certbot是管理letsencrypt的开源工具:

    安装:

    # yum install certbot
    

    2. 生成证书

    执行命令:

     certbot certonly --preferred-challenges dns --manual -d "*.qikegu.com" -d "qikegu.com"  --server https://acme-v02.api.letsencrypt.org/directory
    

    注意:这里指定了2个域名:*.qikegu.comqikegu.com,前者通配域名并不包含后者,不包含后者访问qikegu.com会产生无效证书错误。

    • certonly - 表示安装模式,certbot可以有安装模式和验证模式
    • -d - 指定域名
    • --manual 手动安装
    • --preferred-challenges dns 使用dns方式证明域名所有权
    • -server - Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定

    过程很简单:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for qikegu.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.qikegu.com with the following value:
    
    kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    Resetting dropped connection: acme-v02.api.letsencrypt.org
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/qikegu.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/qikegu.com/privkey.pem
       Your cert will expire on 2019-07-09. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    

    上面操作中,中间有个步骤要求为你的域名添加txt解析,这个步骤就是证明域名是你的。

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.qikegu.com with the following value:
    
    kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    

    在域名商(阿里云,腾讯云)域名解析里,添加一条txt记录:

    image

    然后在命令行中,按回车键继续,验证通过生成证书。

    3. NGINX配置证书

    证书已经生成好了,需要配置nginx server,完整配置文件如下:

    server {
            charset utf-8;
            client_max_body_size  200M;
    
            listen   80; ## listen for ipv4; this line is default and implied
            #listen   [::]:80 default ipv6only=on; ## listen for ipv6
    
            # 把xxx替换成你的域名
    
            # Make site accessible from server_name
            server_name xxx.com www.xxx.com;
            root /site/xxx;
            index index.html index.htm index.php;
    
            access_log /var/log/nginx/xxx/access.log;
            error_log /var/log/nginx/xxx/error.log;
    
            return 301 https://$server_name$request_uri; #redirect http to https
    
            location / {
                    # First attempt to serve request as file, then
                    try_files $uri $uri/ /index.php$is_args$args;
            }
    
            # deny accessing php files for the /assets directory
            location ~ ^/assets/.*.php$ {
                    deny all;
            }
    
            location ~ .php$ {
                    try_files $uri =404;
    
                    include fastcgi_params;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    fastcgi_pass php:9000;
                    #fastcgi_pass unix:/var/run/php5-fpm.sock;
            }
    
            location ~* /. {
                    deny all;
            }
    }
    
    # https server
    server {
            charset utf-8;
            client_max_body_size  200M;
    
            listen 443 ssl;
            #listen   [::]:80 default ipv6only=on; ## listen for ipv6
    
            ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    
            ssl_session_timeout 5m;
    
            # 把xxx替换成你的域名
    
            # Make site accessible from server_name
            server_name xxx.com www.xxx.com;
            root /site/xxx;
            index index.html index.htm index.php;
    
            access_log /var/log/nginx/xxx/access.log;
            error_log /var/log/nginx/xxx/error.log;
            location / {
                    # First attempt to serve request as file, then
                    try_files $uri $uri/ /index.php$is_args$args;
            }
    
            # deny accessing php files for the /assets directory
            location ~ ^/assets/.*.php$ {
                    deny all;
            }
    
            location ~ .php$ {
                    try_files $uri =404;
    
                    include fastcgi_params;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    fastcgi_pass php:9000;
                    #fastcgi_pass unix:/var/run/php5-fpm.sock;
                    fastcgi_param HTTPS on;
            }
    
            location ~* /. {
                    deny all;
            }
    }
    
    
  • 相关阅读:
    关于Java中String类的hashCode方法
    重写equal()时为什么也得重写hashCode()之深度解读equal方法与hashCode方法渊源
    vue+eslint+prettier+vetur 使用vscode 前端工程化
    vue webpack 打包优化
    移动端兼容
    vue 跨域使用
    vue2.0性能优化
    前端 mock的使用
    vue 使用Lodash 的throttle(节流)与debounce(防抖
    webpack4 安装及使用
  • 原文地址:https://www.cnblogs.com/jinbuqi/p/10903981.html
Copyright © 2011-2022 走看看