certbot官网:https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

一、安装步骤

1)安装certbot,执行 

sudo yum install certbot python2-certbot-nginx

2)检查是否安装成功,执行 

certbot --help
[root@iz2zeb4argxs74khdclp2dz ~]#  certbot --help

Traceback (most recent call last):

  File "/usr/bin/certbot", line , in <module>

    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return get_distribution(dist).load_entry_point(group, name)

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return ep.load()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load

    return self.resolve()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in resolve

    module = __import__(self.module_name, fromlist=['__name__'], level=)

  File "/usr/lib/python2.7/site-packages/certbot/main.py", line , in <module>

    from certbot import account

  File "/usr/lib/python2.7/site-packages/certbot/account.py", line , in <module>

    from acme import messages

  File "/usr/lib/python2.7/site-packages/acme/messages.py", line , in <module>

    from acme import challenges

  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line , in <module>

    import requests

  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line , in <module>

    from . import utils

  File "/usr/lib/python2.7/site-packages/requests/utils.py", line , in <module>

    from .exceptions import InvalidURL

  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line , in <module>

    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError

  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line , in load_module

    raise ImportError("No module named '%s'" % (name,))

ImportError: No module named 'requests.packages.urllib3'

3)解决上面没有requests.packages.urllib3的问题,执行

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

4)安装证书,执行

sudo certbot --nginx

如:

[root@iz2zeb4argxs74khdclp2dz ~]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

上面提示信息显示没有找到nginx,那么

需要将nginx放到环境变量中,设置nginx软连接

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

ln -s /usr/local/nginx/conf/ /etc/nginx

再次执行就OK了
sudo certbot --nginx 安装证书
5)然后再一步一步的根据提示进行配置 
如:
[root@iz2zeb4argxs74khdclp2dz sbin]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): @qq.com   // 1)设置邮箱,用于安全提示

Starting new HTTPS connection (): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: a    // 2)同意协议

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n    // 3)不共享你的邮箱

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: admin.talkilla.jiushiyaokuaile.cn

: consultant.talkilla.jiushiyaokuaile.cn

: student.talkilla.jiushiyaokuaile.cn

: teacher.talkilla.jiushiyaokuaile.cn

: wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):     5  // 4)选择需要激活https的域名

Obtaining a new certificate

Performing the following challenges:

http- challenge for admin.talkilla.jiushiyaokuaile.cn

http- challenge for consultant.talkilla.jiushiyaokuaile.cn

http- challenge for student.talkilla.jiushiyaokuaile.cn

http- challenge for teacher.talkilla.jiushiyaokuaile.cn

http- challenge for wechat.talkilla.jiushiyaokuaile.cn

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: No redirect - Make no further changes to the webserver configuration.

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [-] then [enter] (press 'c' to cancel): 2  // 5)设置是否将http自动重定向到https,1否2是

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled

https://admin.talkilla.jiushiyaokuaile.cn,

https://consultant.talkilla.jiushiyaokuaile.cn,

https://student.talkilla.jiushiyaokuaile.cn,

https://teacher.talkilla.jiushiyaokuaile.cn, and

https://wechat.talkilla.jiushiyaokuaile.cn

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem

   Your cert will expire on --. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

6) 配置自动更新证书

在证书到期之后更新证书,我们可以通过 certbot renew 命令来更新证书
借助 Crontab 来编写一个定时任务,定期强制更新一个这个证书,然后重启 Nginx: 

Crontab 通过 crontab -e 命令编辑,通过 crontab -l 查看。
这样就完成了 SSL 安全证书更新了。 
使用crontab -e 命令:
   * * certbot renew

   * * service nginx restart

注意:

若执行certbot renew时,出现: 'ascii' codec can't decode byte 0xe8 in position 2: ordinal not in range(128) 错误,参考如下:

解决方案

7)当需要安装新的证书

执行:

 sudo certbot run --nginx

【Nginx】使用certbot安装免费https证书使Nginx支持Https请求的更多相关文章

  1. nginx用Certbot配置免费SSL证书(ngx_http_ssl_module模块)

    一.准备工作 1.先安装nginx https://files.cnblogs.com/files/blogs/676936/nginx-1.18.0.sh #nginx-1.18.0版安装脚本2.在 ...

  2. 使用免费SSL证书让网站支持HTTPS访问

    参考掘金的文章,掘金的文章最详细. https://juejin.im/post/5a31cbf76fb9a0450b6664ee 先检查是否存在 EPEL 源: # 进入目录检查是否存在 EPEL ...

  3. handbook/CentOS/使用免费SSL证书让网站支持HTTPS访问.md

  4. 购买https证书以及nginx配置https

    文章来源 运维公会:购买https证书以及nginx配置https 1.https的作用 https的全名是安全超文本传输协议,是在http的基础上增加了ssl加密协议.在信息传输的过程中,信息有可能 ...

  5. 我的Android进阶之旅------>Android关于HttpsURLConnection一个忽略Https证书是否正确的Https请求工具类

    下面是一个Android HttpsURLConnection忽略Https证书是否正确的Https请求工具类,不需要验证服务器端证书是否正确,也不需要验证服务器证书中的域名是否有效. (PS:建议下 ...

  6. 创建免费的证书,实现网站HTTPS

    使用Certbot来实现HTTPS,这边也就考虑采用Cerbot来实现下 配置Certbot 证书 Certbot 的官方网站是 https://certbot.eff.org/ ,打开官网选择的 w ...

  7. 免费申请 HTTPS 证书,开启全站 HTTPS

    作者:HelloGitHub-追梦人物 文中涉及的示例代码,已同步更新到 HelloGitHub-Team 仓库 HTTP 报文以明文形式传输,如果你的网站只支持 HTTP 协议,那么就有可能遭受到安 ...

  8. 新版startssl 免费SSL证书申请 (实测 笔记 https http2 必要条件)

    简单说明: 目前多个大型网站都实现全站HTTPS,而SSL证书是实现HTTPS的必要条件之一. StartSSL是StartCom公司旗下的.提供免费SSL证书服务并且被主流浏览器支持的免费SSL.包 ...

  9. linux 系统自签免费ssl证书和nginx配置

    首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...

随机推荐

  1. 在pat考试中快速调整Dev-cpp颜色配置

    在菜单栏中:tool(工具)->Edit Options(编辑器环境) 点击General选项卡: 把Color调为黑色. 点击Color选项卡: 讲Select theme设置为Obsidia ...

  2. PATA1077Kuchiguse

    需要注意的有关于二维字符串数组的输入问题,先是定义要多留一位用于存放'\0' 还有就是使用scanf后,会有回车换行符,如果要使用gets或是接下来的方式代替gets,记得加上getchar,不然会出 ...

  3. 浅谈Asp.Net中的几种传值方式

    一.使用Querystring Querystring是一种非常简单的传值方式,其缺点就是会把要传送的值显示在浏览器的地址栏中,并且在此方法中不能够传递对象.如果你想传递一个安全性不是那么太重要或者是 ...

  4. ibatis实现分页查询

    最近在做老项目改造,分享一个之前写的ibatis(这里特指ibatis2.x的版本)分页插件. 大致原理就是通过重写SqlExecutor的executeQuery方法,实现分页查询,支持mysql和 ...

  5. HSA AMD异构计算架构

    当前的CPU和GPU是分立设计的处理器,不能高效率地协同工作,编写同时运行于CPU和GPU的程序也是相当麻烦.由于CPU和GPU拥有独立的地址空间,应用程序不得不明确地控制数据在CPU和GPU之间的流 ...

  6. Orm 配置说明

    一.在线技术文档: http://files.cnblogs.com/files/humble/d.pdf   二.使用的大致流程   1.首先下载代码生成器,可以一键生成项目Model层;(其中含有 ...

  7. linux下ELK搭建好之后配置sentinl插件,进行邮件告警

    ELK的环境搭建好之后,如何利用收集到的数据进行数据告警呢?在破解ELK之后,它本身提供一个监视器功能,配置偏向编写脚本.有一个更加方便的插件sentiel. 一.下载并安装sentinl插件 htt ...

  8. JVM一些问题

    1. 类的实例化顺序,比如父类静态数据,构造函数,字段,子类静态数据,构造函数,字段,他们的执行顺序 答:先静态.先父后子. 先静态:父静态 > 子静态 优先级:父类 > 子类 静态代码块 ...

  9. 使用Fiddler抓包、wireshark抓包分析(三次握手、四次挥手深入理解)

    ==================Fiddler抓包================== Fiddler支持代理的功能,也就是说你所有的http请求都可以通过它来转发,Fiddler代理默认使用端口 ...

  10. 命令(Command)模式

    命令模式又称为行动(Action)模式或者交易(Transaction)模式. 命令模式把一个请求或者操作封装到一个对象中.命令模式允许系统使用不同的请求把客户端参数化,对请求排队或者记录请求日志,可 ...