参考帖子

https://www.cnblogs.com/lzpong/p/6433189.html

https://www.cnblogs.com/756623607-zhang/p/11638506.html

https://blog.csdn.net/qq_42649185/article/details/90266696

注意:

使用此方法获取的证书,只能使用3个月,3个月后需要更新一下,证书.

cd ~ //到家目录里

wget https://dl.eff.org/certbot-auto //下载角本

chmod a+x certbot-auto //加权限

service nginx stop 或者 systemctl stop nginx 或者 pkill -9 nginx //停止nginx  (实测可以跳过)

[root@iZ2ze505h9bgsbp83ct28pZ ~]# ./certbot-auto

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Apache Web Server plugin (apache)

2: Nginx Web Server plugin (nginx)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

** Invalid input **

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: phpmyadmin.haimait.com

2: test.haimait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 2

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for test.haimait.com

nginx: [error] invalid PID number "" in "/run/nginx.pid"

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /etc/nginx/conf.d/test.haimait.conf

##如果是第一次安装证书会出下面的选择项,选择2

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/test.haimait.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled https://test.haimait.com

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=test.haimait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

## 如果是之前安装过,会出下面的更新选择项,选择 2 更新和更换证书

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (limit ~5 per 7 days)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

Deploying Certificate to VirtualHost /etc/nginx/conf.d/api.ibanana.club.conf

Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/api.ibanana.club.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your existing certificate has been successfully renewed, and the new certificate

has been installed.

The new certificate covers the following domains: https://api.ibanana.club

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=api.ibanana.club

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

##出现下面的提现就安装或者更新证书成功了

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/test.haimait.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/test.haimait.com/privkey.pem

   Your cert will expire on 2020-06-03. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again with the "certonly" option. To non-interactively renew *all*

   of your certificates, run "certbot-auto renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

Couldn’t download https://raw.githubusercontent.com/certbot/certbot/ 问题解决

更新证书时出现报错:Couldn’t download https://raw.githubusercontent.com/certbot/certbot/v1.3.0/letsencrypt-auto-source/letsencrypt-auto.发现是阿里云的ECS访问不到github,估计又是GFW的锅,只能修改hosts

1、使用命令打开etc文件夹下面的hosts文件:

vim /etc/hosts

2.增加内容

199.232.4.133 raw.githubusercontent.com

3.重启网络

service network restart

或者

/etc/init.d/network restart

nginx配置

建立文件 /etc/nginx/conf.d/test.haimait.conf

server {

  listen 80;

  server_name  test.haimait.com;

  access_log  /var/log/nginx/test.haimait.access.log;

  error_log  /var/log/nginx/test.haimait.error.log;

  client_max_body_size 10m;

  location ~/(.well-known/pki-valtidation) {

      root /usr/share/nginx/html;

  }

  location / {

 #     add_header Access-Control-Allow-Origin *;

 #     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

 #     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8822;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

      }

  location ~ ^/lovebook/ {

 #     add_header Access-Control-Allow-Origin *;

 #     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

 #     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8833;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

      }

}

server {

   listen       443 ssl;

   server_name  test.haimait.com;

   ssl_certificate /etc/letsencrypt/live/test.haimait.com/fullchain.pem;

   ssl_certificate_key /etc/letsencrypt/live/test.haimait.com/privkey.pem;

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

   ssl_prefer_server_ciphers on;

   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

location / {

#      add_header Access-Control-Allow-Origin *;

#      add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

#      add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8822;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

    }

location ~ ^/lovebook/ {

#     add_header Access-Control-Allow-Origin *;

#     add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";

#     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";

      proxy_pass  http://127.0.0.1:8833;

      proxy_redirect     off;

      proxy_set_header   Host             $host;

      proxy_set_header   X-Real-IP        $remote_addr;

      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

      proxy_max_temp_file_size 0;

      proxy_connect_timeout      90;

      proxy_send_timeout         300;

      proxy_read_timeout         300;

      proxy_buffer_size          4k;

      proxy_buffers              4 32k;

      proxy_busy_buffers_size    64k;

      proxy_temp_file_write_size 64k;

    }

}

nginx.conf 文件

#   nformation on configuration, see:

#   * Official English Documentation: http://nginx.org/en/docs/

#   * Official Russian Documentation: http://nginx.org/ru/docs/

user root;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {

    worker_connections 1024;

}

http {

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;

    tcp_nopush          on;

    tcp_nodelay         on;

    keepalive_timeout   300;

    types_hash_max_size 2048;

    # 配置nginx上传文件最大限制

    client_max_body_size 50m;

    include             /etc/nginx/mime.types;

    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.

    # See http://nginx.org/en/docs/ngx_core_module.html#include

    # for more information.

    include /etc/nginx/conf.d/*.conf;

    server {

        listen       80 default_server;

        listen       [::]:80 default_server;

        server_name  _;

       # root         /usr/share/nginx/html;

        root         /wwwroot;

        # Load configuration files for the default server block.

        include /etc/nginx/default.d/*.conf;

        location / {

        }

        error_page 404 /404.html;

            location = /40x.html {

        }

        error_page 500 502 503 504 /50x.html;

            location = /50x.html {

        }

#	location ~ .php$ {

#  	  root   /wwwroot;

# 	  fastcgi_pass 127.0.0.1:9000;

# 	  fastcgi_index index.php;

#	  fastcgi_param SCRIPT_FILENAME /wwwroot$fastcgi_script_name;

#	  fastcgi_param PHP_INFO $1;

#	  include  fastcgi_params;

#	}

    }

# Settings for a TLS enabled server.

#

#    server {

#        listen       443 ssl http2 default_server;

#        listen       [::]:443 ssl http2 default_server;

#        server_name  _;

#        root         /usr/share/nginx/html;

#

#        ssl_certificate "/etc/pki/nginx/server.crt";

#        ssl_certificate_key "/etc/pki/nginx/private/server.key";

#        ssl_session_cache shared:SSL:1m;

#        ssl_session_timeout  10m;

#        ssl_ciphers HIGH:!aNULL:!MD5;

#        ssl_prefer_server_ciphers on;

#

#        # Load configuration files for the default server block.

#        include /etc/nginx/default.d/*.conf;

#

#        location / {

#        }

#

#        error_page 404 /404.html;

#            location = /40x.html {

#        }

#

#        error_page 500 502 503 504 /50x.html;

#            location = /50x.html {

#        }

#    }

}

service nginx start 或者 systemctl start nginx //启动nginx

systemctl reload nginx

systemctl stop nginx

systemctl reload nginx

netstart -tpln

效果:

更新证书

# 更新证书

./certbot-auto renew --dry-run

# 如果不需要返回的信息,可以用静默方式

certbot renew --quiet

#手动更新

./certbot-auto renew -v

#自动更新

./certbot-auto renew --quiet --no-self-upgrade

#定时更新

加入定时任务  crontab -e

0 4 1 */2 *  /usr/bin/certbot-auto  renew --quiet    #每两个月的一号凌晨4点更新一次

用 Certbot-auto 在 letsencrypt.org申请免费 SSL 证书实现 HTTPS的更多相关文章

  1. 让网站永久拥有HTTPS - 申请免费SSL证书并自动续期 Let’s Encrypt

    让网站永久拥有HTTPS - 申请免费SSL证书并自动续期 Let’s Encrypt 为什么要用HTTPS  网站没有使用HTTPS的时候,浏览器一般会报不安全,而且在别人访问这个网站的时候,很有可 ...

  2. 最新阿里云申请免费SSL证书实现网站HTTPS化(图文教程一)

    一.申请免费SSL证书: 1.登录阿里云: 2.领取代金券礼包: https://promotion.aliyun.com/ntms/yunparter/invite.html?userCode=0a ...

  3. 阿里云申请免费SSL证书,并配置到Tomcat,实现https访问

    第一步:阿里云免费https证书安装  https://jingyan.baidu.com/article/fdffd1f8619481f3e98ca196.html 第二步:阿里云申请免费SSL证书 ...

  4. 最新阿里云服务器免费SSL证书配置HTTPS的两种方法(图文教程二)

    在大家学习如何利用免费SSL证书配置网站HTTPS之前,我们先要搞清楚为什么要开启HTTPS,这个绿色的小锁真的有用吗?所谓的HTTPS其实是(安全套接字层超文本传输协议)是以安全为目标的HTTP通道 ...

  5. windows下 申请免费ssl证书的方法 (letsencrypt)

    Let's Encrypt,官网是https://letsencrypt.org/,它是一个由各大公司赞助的公益组织: 有趋势有需求,自然也有免费可用.免费的SSL证书中,首推就是Let's Encr ...

  6. 物联网架构成长之路(20)-申请免费SSL证书

    0.前言 今天域名备案申请下来了,接下来就是申请个SSL证书,现在普通的网站没有SSL都不好意思见人了.可是稍微好点的企业级SSL证书还是比较贵的.不过还好有免费的可以用.只不过要定时去续时间.这个不 ...

  7. [从零开始搭网站六]为域名申请免费SSL证书(https),并为Tomcat配置https域名所用的多SSL证书

    点击下面连接查看从零开始搭网站全系列 从零开始搭网站 由于国内的网络环境比较恶劣,运营商流量劫持的情况比较严重,一般表现为别人打开你的网站的时候会弹一些莫名其妙的广告...更过分的会跳转至别的网站. ...

  8. Certbot为域名申请免费SSL证书

    Certbot(Let's Encrypt)是一个非盈利性认证机构通过运行互联网安全研究小组(ISRG)提供X.509 证书的传输层安全性不收取任何费用(TLS)加密.证书有效期为90天,在此期间可以 ...

  9. Let's Encrypt申请免费SSL证书

    1.https的作用 安全,防止网站被劫持,数据被修改 2.Let's Encrypt是什么 Let's Encrypt是一个证书授权机构(CA),可以从Let's Encrypt获得网站域名的免费证 ...

  10. 申请免费ssl证书

    #安装certbotyum install epel-releaseyum install certbot#配置nginx,到需要申请证书的配置文件里添加location ^~ /.well-know ...

随机推荐

  1. how to install local jar to maven repository

    如何把maven不能引入的依赖安装到本地Repository: 1.比如fastdfs-client-java. <dependency> <groupId>org.csour ...

  2. k8s CustomResourceDefinition invalid 错误

    安装 CRD 出现这个错误,多数是版本问题,缺少openAPIV3Schema段定义. The CustomResourceDefinition "crontabs.stable.examp ...

  3. ET介绍——事件机制EventSystem

    事件机制EventSystem ECS最重要的特性一是数据跟逻辑分离,二是数据驱动逻辑.什么是数据驱动逻辑呢?不太好理解,我们举个例子 一个moba游戏,英雄都有血条,血条会在人物头上显示,也会在左上 ...

  4. #并查集#JZOJ 4223 旅游

    题目 多次询问有多少个无序点对\((x,y)\), 满足至少有一条最大边权\(\leq d\)的路径 分析 离线询问,用并查集加边,每次产生的贡献为\(2*siz[x]*siz[y]\) 代码 #in ...

  5. USACO 4.1

    目录 洛谷 2737 麦香牛块 分析 代码 洛谷 2738 篱笆回路 分析 代码 麦香牛块洛谷传送门,麦香牛块USACO传送门,篱笆回路洛谷传送门,篱笆回路USACO传送门 洛谷 2737 麦香牛块 ...

  6. 精彩预告 | OpenHarmony即将亮相MTSC 2023

    MTSC 2023 第 12 届中国互联网测试开发大会(深圳站)即将于 2023 年 11 月 25 日,在深圳登喜路国际大酒店举办,大会将以"1 个主会场+4 个平行分会场"的形 ...

  7. Python 集合(Sets)2

    访问项 您无法通过引用索引或键来访问集合中的项.但是,您可以使用for循环遍历集合项,或者使用in关键字检查集合中是否存在指定的值. 示例,遍历集合并打印值: thisset = {"app ...

  8. chatGPT教你学sql的事务

    事务的隔离级别 事务的隔离级别是指多个并发事务之间相互隔离的程度,主要是为了解决并发事务带来的一致性问题,它的主要作用是控制数据库中事务的可见性和可重复读. 在 SQL 标准中,定义了四种事务隔离级别 ...

  9. SpringBoot2.x<<深入浅出>>

    书籍推荐 书名:深入浅出Spring Boot 2.x 作者:杨开振 出版社:人民邮电出版社 demo: https://gitee.com/threenut/spring-boot 讲的很细致, 把 ...

  10. HarmonyOS Connect认证测试

     原文链接:https://mp.weixin.qq.com/s/zRG97PWPqfDo0vfwQWSUew,点击链接查看更多技术内容:   在HarmonyOS Connect生态产品的认证测试过 ...