certbot官网:https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

一、安装步骤

1)安装certbot,执行 

sudo yum install certbot python2-certbot-nginx

2)检查是否安装成功,执行 

certbot --help
[root@iz2zeb4argxs74khdclp2dz ~]#  certbot --help

Traceback (most recent call last):

  File "/usr/bin/certbot", line , in <module>

    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return get_distribution(dist).load_entry_point(group, name)

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return ep.load()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load

    return self.resolve()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in resolve

    module = __import__(self.module_name, fromlist=['__name__'], level=)

  File "/usr/lib/python2.7/site-packages/certbot/main.py", line , in <module>

    from certbot import account

  File "/usr/lib/python2.7/site-packages/certbot/account.py", line , in <module>

    from acme import messages

  File "/usr/lib/python2.7/site-packages/acme/messages.py", line , in <module>

    from acme import challenges

  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line , in <module>

    import requests

  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line , in <module>

    from . import utils

  File "/usr/lib/python2.7/site-packages/requests/utils.py", line , in <module>

    from .exceptions import InvalidURL

  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line , in <module>

    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError

  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line , in load_module

    raise ImportError("No module named '%s'" % (name,))

ImportError: No module named 'requests.packages.urllib3'

3)解决上面没有requests.packages.urllib3的问题,执行

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

4)安装证书,执行

sudo certbot --nginx

如:

[root@iz2zeb4argxs74khdclp2dz ~]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

上面提示信息显示没有找到nginx,那么

需要将nginx放到环境变量中,设置nginx软连接

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

ln -s /usr/local/nginx/conf/ /etc/nginx

再次执行就OK了
sudo certbot --nginx 安装证书
5)然后再一步一步的根据提示进行配置 
如:
[root@iz2zeb4argxs74khdclp2dz sbin]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): @qq.com   // 1)设置邮箱,用于安全提示

Starting new HTTPS connection (): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: a    // 2)同意协议

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n    // 3)不共享你的邮箱

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: admin.talkilla.jiushiyaokuaile.cn

: consultant.talkilla.jiushiyaokuaile.cn

: student.talkilla.jiushiyaokuaile.cn

: teacher.talkilla.jiushiyaokuaile.cn

: wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):     5  // 4)选择需要激活https的域名

Obtaining a new certificate

Performing the following challenges:

http- challenge for admin.talkilla.jiushiyaokuaile.cn

http- challenge for consultant.talkilla.jiushiyaokuaile.cn

http- challenge for student.talkilla.jiushiyaokuaile.cn

http- challenge for teacher.talkilla.jiushiyaokuaile.cn

http- challenge for wechat.talkilla.jiushiyaokuaile.cn

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: No redirect - Make no further changes to the webserver configuration.

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [-] then [enter] (press 'c' to cancel): 2  // 5)设置是否将http自动重定向到https,1否2是

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled

https://admin.talkilla.jiushiyaokuaile.cn,

https://consultant.talkilla.jiushiyaokuaile.cn,

https://student.talkilla.jiushiyaokuaile.cn,

https://teacher.talkilla.jiushiyaokuaile.cn, and

https://wechat.talkilla.jiushiyaokuaile.cn

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem

   Your cert will expire on --. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

6) 配置自动更新证书

在证书到期之后更新证书,我们可以通过 certbot renew 命令来更新证书
借助 Crontab 来编写一个定时任务,定期强制更新一个这个证书,然后重启 Nginx: 

Crontab 通过 crontab -e 命令编辑,通过 crontab -l 查看。
这样就完成了 SSL 安全证书更新了。 
使用crontab -e 命令:
   * * certbot renew

   * * service nginx restart

注意:

若执行certbot renew时,出现: 'ascii' codec can't decode byte 0xe8 in position 2: ordinal not in range(128) 错误,参考如下:

解决方案

7)当需要安装新的证书

执行:

 sudo certbot run --nginx

【Nginx】使用certbot安装免费https证书使Nginx支持Https请求的更多相关文章

  1. nginx用Certbot配置免费SSL证书(ngx_http_ssl_module模块)

    一.准备工作 1.先安装nginx https://files.cnblogs.com/files/blogs/676936/nginx-1.18.0.sh #nginx-1.18.0版安装脚本2.在 ...

  2. 使用免费SSL证书让网站支持HTTPS访问

    参考掘金的文章,掘金的文章最详细. https://juejin.im/post/5a31cbf76fb9a0450b6664ee 先检查是否存在 EPEL 源: # 进入目录检查是否存在 EPEL ...

  3. handbook/CentOS/使用免费SSL证书让网站支持HTTPS访问.md

  4. 购买https证书以及nginx配置https

    文章来源 运维公会:购买https证书以及nginx配置https 1.https的作用 https的全名是安全超文本传输协议,是在http的基础上增加了ssl加密协议.在信息传输的过程中,信息有可能 ...

  5. 我的Android进阶之旅------>Android关于HttpsURLConnection一个忽略Https证书是否正确的Https请求工具类

    下面是一个Android HttpsURLConnection忽略Https证书是否正确的Https请求工具类,不需要验证服务器端证书是否正确,也不需要验证服务器证书中的域名是否有效. (PS:建议下 ...

  6. 创建免费的证书,实现网站HTTPS

    使用Certbot来实现HTTPS,这边也就考虑采用Cerbot来实现下 配置Certbot 证书 Certbot 的官方网站是 https://certbot.eff.org/ ,打开官网选择的 w ...

  7. 免费申请 HTTPS 证书,开启全站 HTTPS

    作者:HelloGitHub-追梦人物 文中涉及的示例代码,已同步更新到 HelloGitHub-Team 仓库 HTTP 报文以明文形式传输,如果你的网站只支持 HTTP 协议,那么就有可能遭受到安 ...

  8. 新版startssl 免费SSL证书申请 (实测 笔记 https http2 必要条件)

    简单说明: 目前多个大型网站都实现全站HTTPS,而SSL证书是实现HTTPS的必要条件之一. StartSSL是StartCom公司旗下的.提供免费SSL证书服务并且被主流浏览器支持的免费SSL.包 ...

  9. linux 系统自签免费ssl证书和nginx配置

    首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...

随机推荐

  1. 深入解析ES6中的promise

    作者 | Jeskson来源 | 达达前端小酒馆 什么是Promise Promise对象是用于表示一个异步操作的最终状态(完成或失败)以及其返回的值. 什么是同步,异步 同步任务会阻塞程序的执行,如 ...

  2. struct utmp

    utmp结构体定义如下: structutmp { short int ut_type; // 登录类型 pid_t ut_pid; // login进程的pid char ut_line[UT_LI ...

  3. python3 ini文件读写

    import configparser config = configparser.ConfigParser() file = 'config.ini' config.read(file) confi ...

  4. Windows_pycharm下安装numpy

    https://blog.csdn.net/haishu_zheng/article/details/77489309 一.下载在网站https://pypi.python.org/pypi/nump ...

  5. mapreduce 函数入门 二

    m apreduce三大组件:Combiner\Sort\Partitioner 默认组件:排序,分区(不设置,系统有默认值) 一.mapreduce中的Combiner 1.什么是combiner ...

  6. 用ADB 抓取和存储APP日志方法

    前置条件:电脑已经安装好adb (一)  进入adb目录下连接手机,检测出手机 CD 到SDK的platform-tools (二)adb logcat-c  清除日志  (三)adb  logcat ...

  7. 【Appium + Python3】之安卓8.1,使用xpath定位不到元素

    desired_cap = { "deviceName":"vivo", # 真机名称 "platformName":"andro ...

  8. 金九银十跳槽高峰,面试必备之 Redis + MongoDB 常问80道面试题

    前言 有着“金九银十”之称的招聘旺季已经开启,跳槽高峰期也如约而至. 本文为主要是 Redis + MongoDB 知识点的攻略,希望能帮助到大家. 内容较多,大家准备好耐心和瓜子矿泉水. Redis ...

  9. java面向对象的基本概念

    面向对象的基本概念 这里先介绍面向对象程序设计的一些关键概念,并开始使用类,你需要学习一些术语,我们尽量用比较浅显的语言来介绍,因为这些内容都比较重要,所以希望大家好好好理解. 一.什么是对象和面向对 ...

  10. c# 基本类型存储方式的研究

    基本单位 二进制,当前的计算机系统使用的基本上是二进制系统.二进制的单位是位,每一位可以表示2个数: 0或1.byte(字节) 有8位,可以表示的数为2的8次方,即256个数,范围为[0-255]. ...