certbot官网:https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

一、安装步骤

1)安装certbot,执行 

sudo yum install certbot python2-certbot-nginx

2)检查是否安装成功,执行 

certbot --help
[root@iz2zeb4argxs74khdclp2dz ~]#  certbot --help

Traceback (most recent call last):

  File "/usr/bin/certbot", line , in <module>

    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return get_distribution(dist).load_entry_point(group, name)

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return ep.load()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load

    return self.resolve()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in resolve

    module = __import__(self.module_name, fromlist=['__name__'], level=)

  File "/usr/lib/python2.7/site-packages/certbot/main.py", line , in <module>

    from certbot import account

  File "/usr/lib/python2.7/site-packages/certbot/account.py", line , in <module>

    from acme import messages

  File "/usr/lib/python2.7/site-packages/acme/messages.py", line , in <module>

    from acme import challenges

  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line , in <module>

    import requests

  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line , in <module>

    from . import utils

  File "/usr/lib/python2.7/site-packages/requests/utils.py", line , in <module>

    from .exceptions import InvalidURL

  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line , in <module>

    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError

  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line , in load_module

    raise ImportError("No module named '%s'" % (name,))

ImportError: No module named 'requests.packages.urllib3'

3)解决上面没有requests.packages.urllib3的问题,执行

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

4)安装证书,执行

sudo certbot --nginx

如:

[root@iz2zeb4argxs74khdclp2dz ~]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

上面提示信息显示没有找到nginx,那么

需要将nginx放到环境变量中,设置nginx软连接

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

ln -s /usr/local/nginx/conf/ /etc/nginx

再次执行就OK了
sudo certbot --nginx 安装证书
5)然后再一步一步的根据提示进行配置 
如:
[root@iz2zeb4argxs74khdclp2dz sbin]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): @qq.com   // 1)设置邮箱,用于安全提示

Starting new HTTPS connection (): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: a    // 2)同意协议

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n    // 3)不共享你的邮箱

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: admin.talkilla.jiushiyaokuaile.cn

: consultant.talkilla.jiushiyaokuaile.cn

: student.talkilla.jiushiyaokuaile.cn

: teacher.talkilla.jiushiyaokuaile.cn

: wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):     5  // 4)选择需要激活https的域名

Obtaining a new certificate

Performing the following challenges:

http- challenge for admin.talkilla.jiushiyaokuaile.cn

http- challenge for consultant.talkilla.jiushiyaokuaile.cn

http- challenge for student.talkilla.jiushiyaokuaile.cn

http- challenge for teacher.talkilla.jiushiyaokuaile.cn

http- challenge for wechat.talkilla.jiushiyaokuaile.cn

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: No redirect - Make no further changes to the webserver configuration.

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [-] then [enter] (press 'c' to cancel): 2  // 5)设置是否将http自动重定向到https,1否2是

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled

https://admin.talkilla.jiushiyaokuaile.cn,

https://consultant.talkilla.jiushiyaokuaile.cn,

https://student.talkilla.jiushiyaokuaile.cn,

https://teacher.talkilla.jiushiyaokuaile.cn, and

https://wechat.talkilla.jiushiyaokuaile.cn

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem

   Your cert will expire on --. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

6) 配置自动更新证书

在证书到期之后更新证书,我们可以通过 certbot renew 命令来更新证书
借助 Crontab 来编写一个定时任务,定期强制更新一个这个证书,然后重启 Nginx: 

Crontab 通过 crontab -e 命令编辑,通过 crontab -l 查看。
这样就完成了 SSL 安全证书更新了。 
使用crontab -e 命令:
   * * certbot renew

   * * service nginx restart

注意:

若执行certbot renew时,出现: 'ascii' codec can't decode byte 0xe8 in position 2: ordinal not in range(128) 错误,参考如下:

解决方案

7)当需要安装新的证书

执行:

 sudo certbot run --nginx

【Nginx】使用certbot安装免费https证书使Nginx支持Https请求的更多相关文章

  1. nginx用Certbot配置免费SSL证书(ngx_http_ssl_module模块)

    一.准备工作 1.先安装nginx https://files.cnblogs.com/files/blogs/676936/nginx-1.18.0.sh #nginx-1.18.0版安装脚本2.在 ...

  2. 使用免费SSL证书让网站支持HTTPS访问

    参考掘金的文章,掘金的文章最详细. https://juejin.im/post/5a31cbf76fb9a0450b6664ee 先检查是否存在 EPEL 源: # 进入目录检查是否存在 EPEL ...

  3. handbook/CentOS/使用免费SSL证书让网站支持HTTPS访问.md

  4. 购买https证书以及nginx配置https

    文章来源 运维公会:购买https证书以及nginx配置https 1.https的作用 https的全名是安全超文本传输协议,是在http的基础上增加了ssl加密协议.在信息传输的过程中,信息有可能 ...

  5. 我的Android进阶之旅------>Android关于HttpsURLConnection一个忽略Https证书是否正确的Https请求工具类

    下面是一个Android HttpsURLConnection忽略Https证书是否正确的Https请求工具类,不需要验证服务器端证书是否正确,也不需要验证服务器证书中的域名是否有效. (PS:建议下 ...

  6. 创建免费的证书,实现网站HTTPS

    使用Certbot来实现HTTPS,这边也就考虑采用Cerbot来实现下 配置Certbot 证书 Certbot 的官方网站是 https://certbot.eff.org/ ,打开官网选择的 w ...

  7. 免费申请 HTTPS 证书,开启全站 HTTPS

    作者:HelloGitHub-追梦人物 文中涉及的示例代码,已同步更新到 HelloGitHub-Team 仓库 HTTP 报文以明文形式传输,如果你的网站只支持 HTTP 协议,那么就有可能遭受到安 ...

  8. 新版startssl 免费SSL证书申请 (实测 笔记 https http2 必要条件)

    简单说明: 目前多个大型网站都实现全站HTTPS,而SSL证书是实现HTTPS的必要条件之一. StartSSL是StartCom公司旗下的.提供免费SSL证书服务并且被主流浏览器支持的免费SSL.包 ...

  9. linux 系统自签免费ssl证书和nginx配置

    首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...

随机推荐

  1. Python、Spyder的环境搭建

    有什么不对欢迎大家指出,一起交流啊,只针对Windows!!!!(苹果买不起...)Python安装的话2.7版本和3.6版本都可以,虽然2.7比较全面,但还是建议安装3.6,这里以3.6为例进行介绍 ...

  2. 设计模式主目录 C++实现

    行为性模式 1.观察者模式 结构型模式    ----  组合的艺术 1.外观模式

  3. Spring Boot 2.2.2 发布,新增 2 个新特性!

    Spring Boot 2.2.2 发布咯! Spring Boot 2.2.1 发布,一个有点坑的版本! 2.2.1 发布没过一个月,2.2.2 就来了. Maven依赖给大家奉上: <dep ...

  4. 对称加密与非对称加密,及Hash算法

    一 , 概述 在现代密码学诞生以前,就已经有很多的加密方法了.例如,最古老的斯巴达加密棒,广泛应用于公元前7世纪的古希腊.16世纪意大利数学家卡尔达诺发明的栅格密码,基于单表代换的凯撒密码.猪圈密码, ...

  5. 【技术博客】Laravel5.1文件上传单元测试

    Laravel5.1文件上传单元测试 作者:ZGJ 在软工第三阶段中,我彻底解决了上一阶段一直困扰我的文件上传单元测试问题,在这里做一个总结. 注:下文介绍中,方法一方法二实现简单但有一定的限制条件( ...

  6. Kubeadm部署安装kubernetes1.12.1

    1.环境准备(这里是master) CentOS 7.6 两台配置如下,自己更改主机名,加入hosts, master和node 名字不能一样 # hostname master # hostname ...

  7. Android开发遇到的一些小问题

    1.文件下载时,默认只能用https,怎么用http协议: 在Manifest.xml文件中增加一个配置项: android:usesCleartextTraffic="true" ...

  8. [转帖]IPC网络高清摄像机基础知识1(IPC芯片市场分析以及“搅局者”华为海思 “来自2013年”)

    IPC网络高清摄像机基础知识1(IPC芯片市场分析以及“搅局者”华为海思 “来自2013年”) 2016-06-02 14:23:49 Times_poem 阅读数 9734更多 分类专栏: IPC网 ...

  9. Lua table concat

    [1]table concat 简介 使用方式: table.concat(table, sep, start, end) 作用简介: concat是concatenate(连锁.连接)的缩写. ta ...

  10. mybatis-plus-generator 模板生成代码

    maven: <dependencies> <dependency> <groupId>com.baomidou</groupId> <artif ...