Accessing a personal website over HTTPS


Following the tutorial at https://certbot.eff.org/lets-encrypt/centosrhel7-nginx, the installation fails with a Python library that cannot be found. After searching the forums I decided to install Certbot-Auto instead: a script published by Certbot that installs all of the dependencies and libraries automatically, so it makes fewer demands on the local environment. https://certbot.eff.org/docs/install.html#certbot-auto

Download the Certbot-Auto script

```shell
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help
```

Verify the Certbot-Auto script's signature (optional; you can also confirm it during installation)

```shell
user@server:~$ wget -N https://dl.eff.org/certbot-auto.asc
user@server:~$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
```

Install and configure the nginx plugin; just follow its prompts.

```shell
$ ./certbot-auto --nginx
```

When I installed it I did not configure redirecting all requests, so the site is still reachable on the original port 80. On success you will see output like this:

```text
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://your.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your.domain.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your.domain.com/privkey.pem
   Your cert will expire on 2018-07-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

At this point the site can be accessed over HTTPS.

Looking at nginx.conf now, you can see that the following configuration was added:

```nginx
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
```

If your nginx version is newer than 1.9.5 you can enable HTTP/2: in nginx.conf, add `http2` after `listen 443 ssl;`, then run `nginx -s reload`.

Let's Encrypt certificates are valid for 90 days by default, so when one is close to expiry you need to renew it:

```shell
$ ./certbot-auto renew
```

Or put this command in a cron job:

```shell
$ crontab -e

# A per-user crontab (crontab -e) has no user field, unlike /etc/crontab,
# and the job should run the non-interactive "renew" rather than "--nginx",
# which would start the interactive installer.
59 23 */29 * * /root/certbot-auto renew --quiet
:x

$ crontab -l
```
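As an added example (not the post's own code), here is a POSIX sh wrapper that a cron job can call instead of the bare certbot-auto line: it uses openssl to check how many days the certificate has left and only then runs the renewal with an nginx reload hook. The certificate path and the /root/certbot-auto location are assumptions taken from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper that a cron job
# can call in place of the bare certbot-auto line. It checks how close the
# certificate is to expiry with openssl and only then runs the renewal.
# Assumptions: openssl is installed; the certificate path and the
# /root/certbot-auto location are taken from the post's own output.

# Return 0 if the certificate in $1 will have expired within $2 days, 1 otherwise.
# A file that cannot be read also counts as "needs renewal" (fail safe).
cert_expires_within_days() {
    cert="$1"
    days="$2"
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds
    # from now and 1 if it will have expired by then, so invert the result.
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date of the certificate, the same date certbot reports.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Renew when fewer than $2 days remain (Let's Encrypt certs last 90 days and
# certbot itself only renews once 30 or fewer remain), then reload nginx so
# the new fullchain.pem and privkey.pem are actually served.
renew_if_needed() {
    cert="${1:-/etc/letsencrypt/live/your.domain.com/fullchain.pem}"
    threshold="${2:-30}"
    if cert_expires_within_days "$cert" "$threshold"; then
        echo "expires $(cert_not_after "$cert"): renewing"
        /root/certbot-auto renew --quiet --deploy-hook "nginx -s reload"
    else
        echo "more than $threshold days left: nothing to do"
    fi
}
```

Call `renew_if_needed` from the crontab entry instead of certbot-auto directly; the deploy hook only fires when a certificate was actually renewed.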