certbot官网:https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

一、安装步骤

1)安装certbot,执行 

sudo yum install certbot python2-certbot-nginx

2)检查是否安装成功,执行 

certbot --help
[root@iz2zeb4argxs74khdclp2dz ~]#  certbot --help

Traceback (most recent call last):

  File "/usr/bin/certbot", line , in <module>

    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return get_distribution(dist).load_entry_point(group, name)

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return ep.load()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load

    return self.resolve()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in resolve

    module = __import__(self.module_name, fromlist=['__name__'], level=)

  File "/usr/lib/python2.7/site-packages/certbot/main.py", line , in <module>

    from certbot import account

  File "/usr/lib/python2.7/site-packages/certbot/account.py", line , in <module>

    from acme import messages

  File "/usr/lib/python2.7/site-packages/acme/messages.py", line , in <module>

    from acme import challenges

  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line , in <module>

    import requests

  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line , in <module>

    from . import utils

  File "/usr/lib/python2.7/site-packages/requests/utils.py", line , in <module>

    from .exceptions import InvalidURL

  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line , in <module>

    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError

  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line , in load_module

    raise ImportError("No module named '%s'" % (name,))

ImportError: No module named 'requests.packages.urllib3'

3)解决上面没有requests.packages.urllib3的问题,执行

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

4)安装证书,执行

sudo certbot --nginx

如:

[root@iz2zeb4argxs74khdclp2dz ~]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

上面提示信息显示没有找到nginx,那么

需要将nginx放到环境变量中,设置nginx软连接

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

ln -s /usr/local/nginx/conf/ /etc/nginx

再次执行就OK了
sudo certbot --nginx 安装证书
5)然后再一步一步的根据提示进行配置 
如:
[root@iz2zeb4argxs74khdclp2dz sbin]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): @qq.com   // 1)设置邮箱,用于安全提示

Starting new HTTPS connection (): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: a    // 2)同意协议

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n    // 3)不共享你的邮箱

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: admin.talkilla.jiushiyaokuaile.cn

: consultant.talkilla.jiushiyaokuaile.cn

: student.talkilla.jiushiyaokuaile.cn

: teacher.talkilla.jiushiyaokuaile.cn

: wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):     5  // 4)选择需要激活https的域名

Obtaining a new certificate

Performing the following challenges:

http- challenge for admin.talkilla.jiushiyaokuaile.cn

http- challenge for consultant.talkilla.jiushiyaokuaile.cn

http- challenge for student.talkilla.jiushiyaokuaile.cn

http- challenge for teacher.talkilla.jiushiyaokuaile.cn

http- challenge for wechat.talkilla.jiushiyaokuaile.cn

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: No redirect - Make no further changes to the webserver configuration.

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [-] then [enter] (press 'c' to cancel): 2  // 5)设置是否将http自动重定向到https,1否2是

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled

https://admin.talkilla.jiushiyaokuaile.cn,

https://consultant.talkilla.jiushiyaokuaile.cn,

https://student.talkilla.jiushiyaokuaile.cn,

https://teacher.talkilla.jiushiyaokuaile.cn, and

https://wechat.talkilla.jiushiyaokuaile.cn

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem

   Your cert will expire on --. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

6) 配置自动更新证书

在证书到期之后更新证书,我们可以通过 certbot renew 命令来更新证书
借助 Crontab 来编写一个定时任务,定期强制更新一个这个证书,然后重启 Nginx: 

Crontab 通过 crontab -e 命令编辑,通过 crontab -l 查看。
这样就完成了 SSL 安全证书更新了。 
使用crontab -e 命令:
   * * certbot renew

   * * service nginx restart

注意:

若执行certbot renew时,出现: 'ascii' codec can't decode byte 0xe8 in position 2: ordinal not in range(128) 错误,参考如下:

解决方案

7)当需要安装新的证书

执行:

 sudo certbot run --nginx

【Nginx】使用certbot安装免费https证书使Nginx支持Https请求的更多相关文章

  1. nginx用Certbot配置免费SSL证书(ngx_http_ssl_module模块)

    一.准备工作 1.先安装nginx https://files.cnblogs.com/files/blogs/676936/nginx-1.18.0.sh #nginx-1.18.0版安装脚本2.在 ...

  2. 使用免费SSL证书让网站支持HTTPS访问

    参考掘金的文章,掘金的文章最详细. https://juejin.im/post/5a31cbf76fb9a0450b6664ee 先检查是否存在 EPEL 源: # 进入目录检查是否存在 EPEL ...

  3. handbook/CentOS/使用免费SSL证书让网站支持HTTPS访问.md

  4. 购买https证书以及nginx配置https

    文章来源 运维公会:购买https证书以及nginx配置https 1.https的作用 https的全名是安全超文本传输协议,是在http的基础上增加了ssl加密协议.在信息传输的过程中,信息有可能 ...

  5. 我的Android进阶之旅------>Android关于HttpsURLConnection一个忽略Https证书是否正确的Https请求工具类

    下面是一个Android HttpsURLConnection忽略Https证书是否正确的Https请求工具类,不需要验证服务器端证书是否正确,也不需要验证服务器证书中的域名是否有效. (PS:建议下 ...

  6. 创建免费的证书,实现网站HTTPS

    使用Certbot来实现HTTPS,这边也就考虑采用Cerbot来实现下 配置Certbot 证书 Certbot 的官方网站是 https://certbot.eff.org/ ,打开官网选择的 w ...

  7. 免费申请 HTTPS 证书,开启全站 HTTPS

    作者:HelloGitHub-追梦人物 文中涉及的示例代码,已同步更新到 HelloGitHub-Team 仓库 HTTP 报文以明文形式传输,如果你的网站只支持 HTTP 协议,那么就有可能遭受到安 ...

  8. 新版startssl 免费SSL证书申请 (实测 笔记 https http2 必要条件)

    简单说明: 目前多个大型网站都实现全站HTTPS,而SSL证书是实现HTTPS的必要条件之一. StartSSL是StartCom公司旗下的.提供免费SSL证书服务并且被主流浏览器支持的免费SSL.包 ...

  9. linux 系统自签免费ssl证书和nginx配置

    首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...

随机推荐

  1. QFileInfo().created() 警告 created is deprecated 怎么改?

    有这样一行代码操作: QFileInfo(...).created().toString(...); QtCreator提示警告: 'created' is deprecated 'created' ...

  2. 记遇到的Release和Debug下有些不同

    平常开发用Debug,但是发布的时候用Release,应该是很多单位都会用的,但是有的时候你发现Debug下好使,Release下不好使,这就遇到坑了. 我也是这两天连续遇到了两次,在此记录一下,如果 ...

  3. IDEA-Maven的Dependencies中出现红色波浪线

    解决方法:移除相关依赖,再重新添加即可 情况及具体解决方法如下:1.在Maven Project中 Dependencies 出现红色波浪线 2.查询本地仓库:jar包已存在 3.解决方法:3.1.从 ...

  4. dockerfile 命令

    FROM 功能为指定基础镜像,并且必须是第一条指令. 如果不以任何镜像为基础,那么写法为:FROM scratch. 同时意味着接下来所写的指令将作为镜像的第一层开始 语法: FROM <ima ...

  5. VUE后缀页面调试

    在VUE中Js代码可以直接设置断点进行调试,但是vue文件中点击断点无反应,可以在想要断点的地方增加一行代码即可   debugger

  6. Scala Collection Method

    接收一元函数 map 转换元素,主要应用于不可变集合 (1 to 10).map(i => i * i) (1 to 10).flatMap(i => (1 to i).map(j =&g ...

  7. chrome安装插件

    看了很多的解决办法,也试了很多种,有的有点用,有的只能用一次,最后成功了,在这里总结一下 一.首先下载 很多人下载的都ctx格式的,然后拖进去安装,用了一次就崩溃了,主要还是安装方式不对,一般需要将下 ...

  8. 解决TensorFlow在terminal中正常但在jupyter notebook中报错的方案

    报错情况: # 本地运行正常,jupyter中无法 import tensorflow ImportError: libcublas.so.10.0: cannot open shared objec ...

  9. xshell连接本地linux虚拟机速度很慢的解决办法

    今天发现用xshell连接centos太慢,网上查询后发现是因为ssh的服务端在连接时会自动检测dns环境是否一致导致的,修改为不检测即可. 修改文件位置:vi /etc/ssh/sshd_confi ...

  10. java字符串常用方法总结(更新中..)

    一.String类 1.字符串拼接 String str1 = "abcd"; String str2 = "efgh"; System.out.println ...