https://www.qikegu.com/uncategorized/2328
letsencrypt證書簡介
https已經是網站標配,要啟用HTTPS需要從證書頒發機構(CA)購買證書(一種文件類型),便宜的有幾百1年,貴的要幾千甚至上萬1年。
現在有了letsencrypt證書,就再也不必為證書花錢了。letsencrypt證書是開源免費的,使用letsencrypt證書只需要證明域名是你的就可以。
安裝證書步驟
我們會在centos環境下安裝證書,系統環境及要配置的域名:
- 系統:centos 7
- 域名:qikegu.com, *.qikegu.com
按以下步驟安裝證書
- 安裝letsencrypt證書管理Certbot
- 生成證書
- NGINX配置證書
1. 安裝letsencrypt證書管理Certbot
certbot是管理letsencrypt的開源工具:
安裝:
# yum install certbot
2. 生成證書
執行命令:
certbot certonly --preferred-challenges dns --manual -d "*.qikegu.com" -d "qikegu.com" --server https://acme-v02.api.letsencrypt.org/directory
注意:這里指定了2個域名:
*.qikegu.com,qikegu.com,前者通配域名並不包含后者,不包含后者訪問qikegu.com會產生無效證書錯誤。
certonly- 表示安裝模式,certbot可以有安裝模式和驗證模式-d- 指定域名--manual手動安裝--preferred-challenges dns使用dns方式證明域名所有權-server- Let’s Encrypt ACME v2 版本使用的服務器不同於 v1 版本,需要顯示指定
過程很簡單:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for qikegu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qikegu.com with the following value:
kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/qikegu.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/qikegu.com/privkey.pem
Your cert will expire on 2019-07-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
上面操作中,中間有個步驟要求為你的域名添加txt解析,這個步驟就是證明域名是你的。
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qikegu.com with the following value:
kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
在域名商(阿里雲,騰訊雲)域名解析里,添加一條txt記錄:
然后在命令行中,按回車鍵繼續,驗證通過生成證書。
3. NGINX配置證書
證書已經生成好了,需要配置nginx server,完整配置文件如下:
server {
charset utf-8;
client_max_body_size 200M;
listen 80; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
# 把xxx替換成你的域名
# Make site accessible from server_name
server_name xxx.com www.xxx.com;
root /site/xxx;
index index.html index.htm index.php;
access_log /var/log/nginx/xxx/access.log;
error_log /var/log/nginx/xxx/error.log;
return 301 https://$server_name$request_uri; #redirect http to https
location / {
# First attempt to serve request as file, then
try_files $uri $uri/ /index.php$is_args$args;
}
# deny accessing php files for the /assets directory
location ~ ^/assets/.*\.php$ {
deny all;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php:9000;
#fastcgi_pass unix:/var/run/php5-fpm.sock;
}
location ~* /\. {
deny all;
}
}
# https server
server {
charset utf-8;
client_max_body_size 200M;
listen 443 ssl;
#listen [::]:80 default ipv6only=on; ## listen for ipv6
ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
ssl_session_timeout 5m;
# 把xxx替換成你的域名
# Make site accessible from server_name
server_name xxx.com www.xxx.com;
root /site/xxx;
index index.html index.htm index.php;
access_log /var/log/nginx/xxx/access.log;
error_log /var/log/nginx/xxx/error.log;
location / {
# First attempt to serve request as file, then
try_files $uri $uri/ /index.php$is_args$args;
}
# deny accessing php files for the /assets directory
location ~ ^/assets/.*\.php$ {
deny all;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php:9000;
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param HTTPS on;
}
location ~* /\. {
deny all;
}
}