At first I considered a domestic (Chinese) certificate provider, but after reading up on it I switched to Let's Encrypt.

certbot: the tool for requesting the HTTPS certificates that Let's Encrypt issues.

python2-certbot-nginx: the Nginx plugin for certbot, which makes requesting a certificate for a service running behind Nginx simpler and more convenient.
# Install the tools
yum install yum-utils -y
yum install certbot python2-certbot-nginx -y
# Check the installation
certbot -v
# Obtain an SSL certificate (the nginx plugin also edits the Nginx config for you)
certbot --nginx
# This starts a series of interactive prompts:
# agree to the terms of service, enter an e-mail address, pick which of the domains
# found in the Nginx config to include, and choose whether to redirect HTTP to HTTPS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# IMPORTANT NOTES:
# - Congratulations! Your certificate and chain have been saved at:
# /etc/letsencrypt/live/abc.cn/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/abc.cn/privkey.pem
# Your cert will expire on 2020-02-12. To obtain a new or tweaked
# version of this certificate in the future, simply run certbot again
# with the "certonly" option. To non-interactively renew *all* of
# your certificates, run "certbot renew"
# - If you like Certbot, please consider supporting our work by:
# Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
# Donating to EFF: https://eff.org/donate-le

certbot then writes its settings into the Nginx configuration; every line it added is marked "# managed by Certbot". The original site block becomes:

server {
    server_name abc.cn www.abc.cn;
    location / {
        root /home/card;
        index index.html index.htm;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/abc.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/abc.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name abc.cn www.abc.cn;
    return 404; # managed by Certbot
}
The card.abc.cn site, which serves a single-page app and proxies /api to a local backend, ends up as:

server {
    server_name card.abc.cn;
    server_name_in_redirect off;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # GZIP
    gzip on;
    gzip_buffers 32 4k;
    gzip_comp_level 6;
    gzip_min_length 200;
    gzip_types text/css text/xml application/javascript;
    gzip_vary on;
    location / {
        root /home/card-admin/dist;
        index index.html index.htm;
        # 404: fall back to the front-end router
        try_files $uri $uri/ @router;
        add_header Cache-Control 'private, no-store, max-age=0';
    }
    location @router {
        rewrite ^.*$ /index.html last;
    }
    location /api {
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $http_host;
        # proxy_set_header X-Nginx-Proxy true;
        # proxy_set_header Connection "";
        # proxy_set_header Cookie $http_cookie;
        proxy_pass http://127.0.0.1:3001;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/abc.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/abc.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = card.abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name card.abc.cn;
    return 404; # managed by Certbot
}
Let's Encrypt certificates are valid for 90 days, but renewal can be scripted:

# Renew the certificates
# certbot renew --dry-run   (rehearse the renewal without changing anything)
# If you do not need the output, run it in quiet mode
certbot renew --quiet

# Open /etc/crontab
# You can use crontab to renew on a schedule, for example:
# at 05:00 on the 1st of every month, renew and reload the Nginx server
# (lines in /etc/crontab carry a user field after the five time fields; a user crontab edited with `crontab -e` does not)
00 05 01 * * root /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx
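A scheduled renewal that silently fails only shows up when the site stops working, so it is worth checking the served certificate independently. The following Python script is an added example, not part of the original post: it reads the expiry date from the fullchain.pem that certbot wrote (path taken from the certbot output above) via the openssl CLI and exits non-zero when fewer than 30 days remain, which is exactly the window in which certbot should already have renewed. It assumes the openssl binary is on PATH; the certificate path and the 30-day threshold are assumptions you adjust per host.

```python
"""Warn when a certbot-issued certificate is close to expiry.

Added example, not from the original post. Assumes the `openssl` CLI is
installed; CERT_PATH and WARN_DAYS are assumptions to adjust per host.
"""
import subprocess
import sys
from datetime import datetime, timezone

# live/ always points at the most recently renewed certificate, so this
# checks the file Nginx is actually serving.
CERT_PATH = "/etc/letsencrypt/live/abc.cn/fullchain.pem"
WARN_DAYS = 30  # certbot renews at 30 days out; fewer means renewal failed


def read_not_after(cert_path):
    """Return the 'notAfter=...' line printed by `openssl x509 -enddate`."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def days_remaining(not_after_line, now=None):
    """Parse 'notAfter=Feb 12 10:00:00 2020 GMT' into whole days left.

    openssl pads single-digit days with a space ("Feb  2 ..."); strptime's
    %d accepts that. A negative result means the certificate has expired.
    """
    value = not_after_line.split("=", 1)[1].strip()
    if not value.endswith(" GMT"):
        raise ValueError("unexpected notAfter format: %r" % not_after_line)
    expires = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def check(cert_path=CERT_PATH, warn_days=WARN_DAYS):
    """Return (ok, days_left); ok is False when renewal should have run."""
    days = days_remaining(read_not_after(cert_path))
    return days >= warn_days, days


if __name__ == "__main__":
    ok, days = check()
    print("%s: %d days until expiry" % (CERT_PATH, days))
    sys.exit(0 if ok else 1)
```

Run it from a second cron entry or a monitoring agent; a non-zero exit a few days after the renewal slot means the certbot cron line above is not doing its job.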
Errors can occur during installation, and the fix differs a little from one environment to the next, but a solution can always be found:

python version problem: uninstall and reinstall the specified version.

'ascii' codec can't decode byte 0xe5 in position 2: a character-encoding problem; remove the Chinese comments from the Nginx configuration.

pkg_resources.DistributionNotFound: urllib3<1.23,>=1.21.1 distribution was not found and is required: run easy_install urllib3==1.21.1.

I have not tried it myself, but it should resolve the many errors that come up during installation.