参考帖子

https://www.cnblogs.com/lzpong/p/6433189.html

https://www.cnblogs.com/756623607-zhang/p/11638506.html

https://blog.csdn.net/qq_42649185/article/details/90266696

注意:

使用此方法获取的证书,只能使用3个月,3个月后需要更新一下,证书.

cd ~ //到家目录里

wget https://dl.eff.org/certbot-auto //下载角本

chmod a+x certbot-auto //加权限

service nginx stop 或者 systemctl stop nginx 或者 pkill -9 nginx //停止nginx  (实测可以跳过)

[root@iZ2ze505h9bgsbp83ct28pZ ~]# ./certbot-auto

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Apache Web Server plugin (apache)

2: Nginx Web Server plugin (nginx)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

** Invalid input **

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: phpmyadmin.haimait.com

2: test.haimait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 2

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for test.haimait.com

nginx: [error] invalid PID number "" in "/run/nginx.pid"

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /etc/nginx/conf.d/test.haimait.conf

##如果是第一次安装证书会出下面的选择项,选择2

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/test.haimait.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled https://test.haimait.com

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=test.haimait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## 如果是之前安装过,会出下面的更新选择项,选择 2 更新和更换证书

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (limit ~5 per 7 days)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

Deploying Certificate to VirtualHost /etc/nginx/conf.d/api.ibanana.club.conf

Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/api.ibanana.club.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your existing certificate has been successfully renewed, and the new certificate

has been installed.

The new certificate covers the following domains: https://api.ibanana.club

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=api.ibanana.club

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

##出现下面的提现就安装或者更新证书成功了

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/test.haimait.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/test.haimait.com/privkey.pem

   Your cert will expire on 2020-06-03. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again with the "certonly" option. To non-interactively renew *all*

   of your certificates, run "certbot-auto renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

Couldn’t download https://raw.githubusercontent.com/certbot/certbot/ 问题解决

更新证书时出现报错:Couldn’t download https://raw.githubusercontent.com/certbot/certbot/v1.3.0/letsencrypt-auto-source/letsencrypt-auto.发现是阿里云的ECS访问不到github,估计又是GFW的锅,只能修改hosts

1、使用命令打开etc文件夹下面的hosts文件:

vim /etc/hosts

2.增加内容

199.232.4.133 raw.githubusercontent.com

3.重启网络

service network restart

或者

/etc/init.d/network restart

nginx配置

建立文件 /etc/nginx/conf.d/test.haimait.conf

server {

  listen 80;

  server_name  test.haimait.com;

  access_log  /var/log/nginx/test.haimait.access.log;

  error_log  /var/log/nginx/test.haimait.error.log;

  client_max_body_size 10m;

  location ~/(.well-known/pki-valtidation) {

      root /usr/share/nginx/html;

  }

  location / {

 #     add_header Access-Control-Allow-Origin *;

 #     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

 #     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8822;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

      }

  location ~ ^/lovebook/ {

 #     add_header Access-Control-Allow-Origin *;

 #     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

 #     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8833;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

      }

}

server {

   listen       443 ssl;

   server_name  test.haimait.com;

   ssl_certificate /etc/letsencrypt/live/test.haimait.com/fullchain.pem;

   ssl_certificate_key /etc/letsencrypt/live/test.haimait.com/privkey.pem;

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

   ssl_prefer_server_ciphers on;

   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

location / {

#      add_header Access-Control-Allow-Origin *;

#      add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

#      add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8822;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

    }

location ~ ^/lovebook/ {

#     add_header Access-Control-Allow-Origin *;

#     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

#     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8833;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

    }

}

nginx.conf 文件

#   nformation on configuration, see:

#   * Official English Documentation: http://nginx.org/en/docs/

#   * Official Russian Documentation: http://nginx.org/ru/docs/

user root;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {

    worker_connections 1024;

}

http {

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;

    tcp_nopush          on;

    tcp_nodelay         on;

    keepalive_timeout   300;

    types_hash_max_size 2048;

    # 配置nginx上传文件最大限制

    client_max_body_size 50m;

    include             /etc/nginx/mime.types;

    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.

    # See http://nginx.org/en/docs/ngx_core_module.html#include

    # for more information.

    include /etc/nginx/conf.d/*.conf;

    server {

        listen       80 default_server;

        listen       [::]:80 default_server;

        server_name  _;

       # root         /usr/share/nginx/html;

        root         /wwwroot;

        # Load configuration files for the default server block.

        include /etc/nginx/default.d/*.conf;

        location / {

        }

        error_page 404 /404.html;

            location = /40x.html {

        }

        error_page 500 502 503 504 /50x.html;

            location = /50x.html {

        }

#	location ~ .php$ {

#  	  root   /wwwroot;

# 	  fastcgi_pass 127.0.0.1:9000;

# 	  fastcgi_index index.php;

#	  fastcgi_param SCRIPT_FILENAME /wwwroot$fastcgi_script_name;

#	  fastcgi_param PHP_INFO $1;

#	  include  fastcgi_params;

#	}

    }

# Settings for a TLS enabled server.

#

#    server {

#        listen       443 ssl http2 default_server;

#        listen       [::]:443 ssl http2 default_server;

#        server_name  _;

#        root         /usr/share/nginx/html;

#

#        ssl_certificate "/etc/pki/nginx/server.crt";

#        ssl_certificate_key "/etc/pki/nginx/private/server.key";

#        ssl_session_cache shared:SSL:1m;

#        ssl_session_timeout  10m;

#        ssl_ciphers HIGH:!aNULL:!MD5;

#        ssl_prefer_server_ciphers on;

#

#        # Load configuration files for the default server block.

#        include /etc/nginx/default.d/*.conf;

#

#        location / {

#        }

#

#        error_page 404 /404.html;

#            location = /40x.html {

#        }

#

#        error_page 500 502 503 504 /50x.html;

#            location = /50x.html {

#        }

#    }

}

service nginx start 或者 systemctl start nginx //启动nginx

systemctl reload nginx

systemctl stop nginx

systemctl reload nginx

netstart -tpln

效果:

更新证书

# 更新证书

./certbot-auto renew --dry-run

# 如果不需要返回的信息,可以用静默方式

certbot renew --quiet

#手动更新

./certbot-auto renew -v

#自动更新

./certbot-auto renew --quiet --no-self-upgrade

#定时更新

加入定时任务  crontab -e

0 4 1 */2 *  /usr/bin/certbot-auto  renew --quiet    #每两个月的一号凌晨4点更新一次

用 Certbot-auto 在 letsencrypt.org申请免费 SSL 证书实现 HTTPS的更多相关文章

  1. 让网站永久拥有HTTPS - 申请免费SSL证书并自动续期 Let’s Encrypt

    让网站永久拥有HTTPS - 申请免费SSL证书并自动续期 Let’s Encrypt 为什么要用HTTPS  网站没有使用HTTPS的时候,浏览器一般会报不安全,而且在别人访问这个网站的时候,很有可 ...

  2. 最新阿里云申请免费SSL证书实现网站HTTPS化(图文教程一)

    一.申请免费SSL证书: 1.登录阿里云: 2.领取代金券礼包: https://promotion.aliyun.com/ntms/yunparter/invite.html?userCode=0a ...

  3. 阿里云申请免费SSL证书,并配置到Tomcat,实现https访问

    第一步:阿里云免费https证书安装  https://jingyan.baidu.com/article/fdffd1f8619481f3e98ca196.html 第二步:阿里云申请免费SSL证书 ...

  4. 最新阿里云服务器免费SSL证书配置HTTPS的两种方法(图文教程二)

    在大家学习如何利用免费SSL证书配置网站HTTPS之前,我们先要搞清楚为什么要开启HTTPS,这个绿色的小锁真的有用吗?所谓的HTTPS其实是(安全套接字层超文本传输协议)是以安全为目标的HTTP通道 ...

  5. windows下 申请免费ssl证书的方法 (letsencrypt)

    Let's Encrypt,官网是https://letsencrypt.org/,它是一个由各大公司赞助的公益组织: 有趋势有需求,自然也有免费可用.免费的SSL证书中,首推就是Let's Encr ...

  6. 物联网架构成长之路(20)-申请免费SSL证书

    0.前言 今天域名备案申请下来了,接下来就是申请个SSL证书,现在普通的网站没有SSL都不好意思见人了.可是稍微好点的企业级SSL证书还是比较贵的.不过还好有免费的可以用.只不过要定时去续时间.这个不 ...

  7. [从零开始搭网站六]为域名申请免费SSL证书(https),并为Tomcat配置https域名所用的多SSL证书

    点击下面连接查看从零开始搭网站全系列 从零开始搭网站 由于国内的网络环境比较恶劣,运营商流量劫持的情况比较严重,一般表现为别人打开你的网站的时候会弹一些莫名其妙的广告...更过分的会跳转至别的网站. ...

  8. Certbot为域名申请免费SSL证书

    Certbot(Let's Encrypt)是一个非盈利性认证机构通过运行互联网安全研究小组(ISRG)提供X.509 证书的传输层安全性不收取任何费用(TLS)加密.证书有效期为90天,在此期间可以 ...

  9. Let's Encrypt申请免费SSL证书

    1.https的作用 安全,防止网站被劫持,数据被修改 2.Let's Encrypt是什么 Let's Encrypt是一个证书授权机构(CA),可以从Let's Encrypt获得网站域名的免费证 ...

  10. 申请免费ssl证书

    #安装certbotyum install epel-releaseyum install certbot#配置nginx,到需要申请证书的配置文件里添加location ^~ /.well-know ...

随机推荐

  1. 通过位运算修改指定bit位的值

    通过位运算将指定位的值置0或1 问题样例 假如现在有一个8bit二进制数A,其可以为任何值,所以这里不妨先设A=(xxxxxxxx)2,{x|0,1} 现在需要你将A的几个指定位修改为1或0,例如将A ...

  2. 5 更换npm为国内镜像

    更改npm为国内镜像 在终端执行. npm set registry http://registry.npmmirror.com 首先, 打开"我的电脑". 找到"c盘中 ...

  3. #排列组合,背包#CF232B Table

    题目 有一个 \(n\times m\) 的矩阵,求使得每个 \(n\times n\) 的矩阵中都有正好 \(k\) 个点的方案数. 分析 考虑到如果确定了前 \(n\) 列的选点个数,那么对于一列 ...

  4. 【FAQ】HarmonyOS SDK 闭源开放能力 —Push Kit(2)

    1.问题描述: 开发服务端推送,客户端能收到离线推送,但是推送收到的通知只能从手机顶部下拉看到,无法收到一个顶部的弹框.请问是什么原因? 解决方案: 可能原因一: 消息提醒的方式与消息类别有关,比如: ...

  5. Windows编译PDF库:libharu

    libharu编译需要libpng,libpng依赖zlib,所以需要下载这三个库 libharu下载:http://libharu.org/ libpng下载:http://www.libpng.o ...

  6. Makefile编写模板 & 学习笔记

    一.模板 # 伪命令 .PHONY: clean compileSo compileExe run: compileExe @./main compileExe: compileSo @g++ mai ...

  7. HarmonyOS远端状态订阅开发实例

     IPC/RPC提供对远端Stub对象状态的订阅机制, 在远端Stub对象消亡时,可触发消亡通知告诉本地Proxy对象.这种状态通知订阅需要调用特定接口完成,当不再需要订阅时也需要调用特定接口取消.使 ...

  8. 树模型-C4.5

    C4.5: ID3的改进版本 首先,C4.5和ID3一样都是多叉树,重点是连续特征处理+特征选择的方式不同. ID3算法存在的不足, 在C4.5里面有了改进 有那些改进 不能处理连续特征的问题 C4. ...

  9. CentOS GNOME桌面下安装截图工具gnome-screenshot

    CentOS GNOME桌面下安装截图工具gnome-screenshot 1.光盘安装 (1).把镜像光盘放进电脑 (2).切换到 Packages (3).[root@localhost Pack ...

  10. 重新点亮linux 命令树————修改网络配置[十一四]

    前言 整理一下网络配置的修改. 正文 网络配置命令 ifconfig <接口> <ip地址> [netmask 子网掩码] ifup <接口> ifdown < ...