参考帖子

https://www.cnblogs.com/lzpong/p/6433189.html

https://www.cnblogs.com/756623607-zhang/p/11638506.html

https://blog.csdn.net/qq_42649185/article/details/90266696

注意:

使用此方法获取的证书,只能使用3个月,3个月后需要更新一下,证书.

cd ~ //到家目录里

wget https://dl.eff.org/certbot-auto //下载角本

chmod a+x certbot-auto //加权限

service nginx stop 或者 systemctl stop nginx 或者 pkill -9 nginx //停止nginx  (实测可以跳过)

[root@iZ2ze505h9bgsbp83ct28pZ ~]# ./certbot-auto

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Apache Web Server plugin (apache)

2: Nginx Web Server plugin (nginx)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

** Invalid input **

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: phpmyadmin.haimait.com

2: test.haimait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 2

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for test.haimait.com

nginx: [error] invalid PID number "" in "/run/nginx.pid"

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /etc/nginx/conf.d/test.haimait.conf

##如果是第一次安装证书会出下面的选择项,选择2

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/test.haimait.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled https://test.haimait.com

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=test.haimait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## 如果是之前安装过,会出下面的更新选择项,选择 2 更新和更换证书

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (limit ~5 per 7 days)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

Deploying Certificate to VirtualHost /etc/nginx/conf.d/api.ibanana.club.conf

Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/api.ibanana.club.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your existing certificate has been successfully renewed, and the new certificate

has been installed.

The new certificate covers the following domains: https://api.ibanana.club

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=api.ibanana.club

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

##出现下面的提现就安装或者更新证书成功了

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/test.haimait.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/test.haimait.com/privkey.pem

   Your cert will expire on 2020-06-03. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again with the "certonly" option. To non-interactively renew *all*

   of your certificates, run "certbot-auto renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

Couldn’t download https://raw.githubusercontent.com/certbot/certbot/ 问题解决

更新证书时出现报错:Couldn’t download https://raw.githubusercontent.com/certbot/certbot/v1.3.0/letsencrypt-auto-source/letsencrypt-auto.发现是阿里云的ECS访问不到github,估计又是GFW的锅,只能修改hosts

1、使用命令打开etc文件夹下面的hosts文件:

vim /etc/hosts

2.增加内容

199.232.4.133 raw.githubusercontent.com

3.重启网络

service network restart

或者

/etc/init.d/network restart

nginx配置

建立文件 /etc/nginx/conf.d/test.haimait.conf

server {

  listen 80;

  server_name  test.haimait.com;

  access_log  /var/log/nginx/test.haimait.access.log;

  error_log  /var/log/nginx/test.haimait.error.log;

  client_max_body_size 10m;

  location ~/(.well-known/pki-valtidation) {

      root /usr/share/nginx/html;

  }

  location / {

 #     add_header Access-Control-Allow-Origin *;

 #     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

 #     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8822;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

      }

  location ~ ^/lovebook/ {

 #     add_header Access-Control-Allow-Origin *;

 #     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

 #     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8833;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

      }

}

server {

   listen       443 ssl;

   server_name  test.haimait.com;

   ssl_certificate /etc/letsencrypt/live/test.haimait.com/fullchain.pem;

   ssl_certificate_key /etc/letsencrypt/live/test.haimait.com/privkey.pem;

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

   ssl_prefer_server_ciphers on;

   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

location / {

#      add_header Access-Control-Allow-Origin *;

#      add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

#      add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8822;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

    }

location ~ ^/lovebook/ {

#     add_header Access-Control-Allow-Origin *;

#     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

#     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8833;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

    }

}

nginx.conf 文件

#   nformation on configuration, see:

#   * Official English Documentation: http://nginx.org/en/docs/

#   * Official Russian Documentation: http://nginx.org/ru/docs/

user root;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {

    worker_connections 1024;

}

http {

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;

    tcp_nopush          on;

    tcp_nodelay         on;

    keepalive_timeout   300;

    types_hash_max_size 2048;

    # 配置nginx上传文件最大限制

    client_max_body_size 50m;

    include             /etc/nginx/mime.types;

    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.

    # See http://nginx.org/en/docs/ngx_core_module.html#include

    # for more information.

    include /etc/nginx/conf.d/*.conf;

    server {

        listen       80 default_server;

        listen       [::]:80 default_server;

        server_name  _;

       # root         /usr/share/nginx/html;

        root         /wwwroot;

        # Load configuration files for the default server block.

        include /etc/nginx/default.d/*.conf;

        location / {

        }

        error_page 404 /404.html;

            location = /40x.html {

        }

        error_page 500 502 503 504 /50x.html;

            location = /50x.html {

        }

#	location ~ .php$ {

#  	  root   /wwwroot;

# 	  fastcgi_pass 127.0.0.1:9000;

# 	  fastcgi_index index.php;

#	  fastcgi_param SCRIPT_FILENAME /wwwroot$fastcgi_script_name;

#	  fastcgi_param PHP_INFO $1;

#	  include  fastcgi_params;

#	}

    }

# Settings for a TLS enabled server.

#

#    server {

#        listen       443 ssl http2 default_server;

#        listen       [::]:443 ssl http2 default_server;

#        server_name  _;

#        root         /usr/share/nginx/html;

#

#        ssl_certificate "/etc/pki/nginx/server.crt";

#        ssl_certificate_key "/etc/pki/nginx/private/server.key";

#        ssl_session_cache shared:SSL:1m;

#        ssl_session_timeout  10m;

#        ssl_ciphers HIGH:!aNULL:!MD5;

#        ssl_prefer_server_ciphers on;

#

#        # Load configuration files for the default server block.

#        include /etc/nginx/default.d/*.conf;

#

#        location / {

#        }

#

#        error_page 404 /404.html;

#            location = /40x.html {

#        }

#

#        error_page 500 502 503 504 /50x.html;

#            location = /50x.html {

#        }

#    }

}

service nginx start 或者 systemctl start nginx //启动nginx

systemctl reload nginx

systemctl stop nginx

systemctl reload nginx

netstart -tpln

效果:

更新证书

# 更新证书

./certbot-auto renew --dry-run

# 如果不需要返回的信息,可以用静默方式

certbot renew --quiet

#手动更新

./certbot-auto renew -v

#自动更新

./certbot-auto renew --quiet --no-self-upgrade

#定时更新

加入定时任务  crontab -e

0 4 1 */2 *  /usr/bin/certbot-auto  renew --quiet    #每两个月的一号凌晨4点更新一次

用 Certbot-auto 在 letsencrypt.org申请免费 SSL 证书实现 HTTPS的更多相关文章

  1. 让网站永久拥有HTTPS - 申请免费SSL证书并自动续期 Let’s Encrypt

    让网站永久拥有HTTPS - 申请免费SSL证书并自动续期 Let’s Encrypt 为什么要用HTTPS  网站没有使用HTTPS的时候,浏览器一般会报不安全,而且在别人访问这个网站的时候,很有可 ...

  2. 最新阿里云申请免费SSL证书实现网站HTTPS化(图文教程一)

    一.申请免费SSL证书: 1.登录阿里云: 2.领取代金券礼包: https://promotion.aliyun.com/ntms/yunparter/invite.html?userCode=0a ...

  3. 阿里云申请免费SSL证书,并配置到Tomcat,实现https访问

    第一步:阿里云免费https证书安装  https://jingyan.baidu.com/article/fdffd1f8619481f3e98ca196.html 第二步:阿里云申请免费SSL证书 ...

  4. 最新阿里云服务器免费SSL证书配置HTTPS的两种方法(图文教程二)

    在大家学习如何利用免费SSL证书配置网站HTTPS之前,我们先要搞清楚为什么要开启HTTPS,这个绿色的小锁真的有用吗?所谓的HTTPS其实是(安全套接字层超文本传输协议)是以安全为目标的HTTP通道 ...

  5. windows下 申请免费ssl证书的方法 (letsencrypt)

    Let's Encrypt,官网是https://letsencrypt.org/,它是一个由各大公司赞助的公益组织: 有趋势有需求,自然也有免费可用.免费的SSL证书中,首推就是Let's Encr ...

  6. 物联网架构成长之路(20)-申请免费SSL证书

    0.前言 今天域名备案申请下来了,接下来就是申请个SSL证书,现在普通的网站没有SSL都不好意思见人了.可是稍微好点的企业级SSL证书还是比较贵的.不过还好有免费的可以用.只不过要定时去续时间.这个不 ...

  7. [从零开始搭网站六]为域名申请免费SSL证书(https),并为Tomcat配置https域名所用的多SSL证书

    点击下面连接查看从零开始搭网站全系列 从零开始搭网站 由于国内的网络环境比较恶劣,运营商流量劫持的情况比较严重,一般表现为别人打开你的网站的时候会弹一些莫名其妙的广告...更过分的会跳转至别的网站. ...

  8. Certbot为域名申请免费SSL证书

    Certbot(Let's Encrypt)是一个非盈利性认证机构通过运行互联网安全研究小组(ISRG)提供X.509 证书的传输层安全性不收取任何费用(TLS)加密.证书有效期为90天,在此期间可以 ...

  9. Let's Encrypt申请免费SSL证书

    1.https的作用 安全,防止网站被劫持,数据被修改 2.Let's Encrypt是什么 Let's Encrypt是一个证书授权机构(CA),可以从Let's Encrypt获得网站域名的免费证 ...

  10. 申请免费ssl证书

    #安装certbotyum install epel-releaseyum install certbot#配置nginx,到需要申请证书的配置文件里添加location ^~ /.well-know ...

随机推荐

  1. #整体二分,树状数组#洛谷 3332 [ZJOI2013]K大数查询

    题目 分析 虽然树套树也可以做,这里考虑整体二分, 对于二分的答案\(mid\),1操作实际上就是如果\(c>mid\)就给区间整体加1, 2操作即询问区间和是否超过\(k\),如果超过\(k\ ...

  2. #莫比乌斯函数,Miller-Rabin#洛谷 3653 小清新数学题

    题目 求\(\sum_{i=l}^r\mu(i),r-l\leq 10^5,1\leq l\leq r\leq 10^{18}\) 分析 其实有一道可以算是弱化版的题目 这种类型的tricks就是枚举 ...

  3. OpenHarmony—内核对象事件之源码详解

    近年来,国内开源实现跨越式发展,并成为企业提升创新能力.生产力.协作和透明度的关键.作为 OpenAtom OpenHarmony(以下简称"OpenHarmony")开源项目共建 ...

  4. 全面的开发者文档和用户目标解析:API 文档指南和开发者旅程

    开发者文档 开发者文档,也称为 API 文档,是一种专门针对软件开发人员的技术写作形式.这种类型的文档通常包括 API 的技术规范.代码注释.软件设计和架构以及软件开发中涉及的其他详细技术描述.开发者 ...

  5. Websphere更新应用文件

    说明: 由于war包中存在安全漏洞或者需要变更里面的某个jar包,此处列举了两种更新方法,不需要重启服务器,只需重启应用. Websphere对部署好的应用更新jar包方法如下:   方式一.手动替换 ...

  6. 【FAQ】HarmonyOS SDK 闭源开放能力 —Asset Store Kitx

    1.问题描述 使用关键资产API需要配置SystemCapability.Security.Asset,但不知道syscap.json文件应该配置在哪里,文档也没找到. 解决方案 新增关键资产等API ...

  7. Qt 设置图标的三种方式

    Qt 设置软件窗口图标有三种方式: 一.通过资源文件,设置图标 this->setWindowIcon(QIcon(":/logo.ico")); 二.通过 pro 文件,设 ...

  8. 模拟SQLserver死锁现象

    SQL Server死锁是指两个或多个事务相互等待对方持有的资源而无法继续执行的情况.当两个或多个事务都持有一些资源并且试图获取其他事务持有的资源时,可能会发生死锁.这种情况下,每个事务都在等待另一个 ...

  9. K8S 性能优化-K8S Node 参数调优

    前言 K8S 性能优化系列文章,本文为第四篇:Kubernetes Node 性能优化参数最佳实践. 系列文章: <K8S 性能优化 - OS sysctl 调优> <K8S 性能优 ...

  10. 单链表实现增删查改等操作(python版本)

    单向链表 : SingleLinkedList 节点类属性: 数据域:value 节点存储的数据 地址域:next 指向下一个节点的地址 链表类属性: 头指针:head 指向链表的第一个节点的地址 尾 ...