【Nginx】使用certbot安装免费https证书使Nginx支持Https请求
certbot官网:https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
一、安装步骤
1)安装certbot,执行
sudo yum install certbot python2-certbot-nginx
2)检查是否安装成功,执行
certbot --help
[root@iz2zeb4argxs74khdclp2dz ~]# certbot --help
Traceback (most recent call last):
File "/usr/bin/certbot", line , in <module>
load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line , in <module>
from certbot import account
File "/usr/lib/python2.7/site-packages/certbot/account.py", line , in <module>
from acme import messages
File "/usr/lib/python2.7/site-packages/acme/messages.py", line , in <module>
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line , in <module>
import requests
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line , in <module>
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line , in <module>
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line , in <module>
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line , in load_module
raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'
3)解决上面没有requests.packages.urllib3的问题,执行
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3
4)安装证书,执行
sudo certbot --nginx
如:
[root@iz2zeb4argxs74khdclp2dz ~]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)
上面提示信息显示没有找到nginx,那么
需要将nginx放到环境变量中,设置nginx软连接
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx
[root@iz2zeb4argxs74khdclp2dz sbin]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): @qq.com // 1)设置邮箱,用于安全提示
Starting new HTTPS connection (): acme-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a // 2)同意协议 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n // 3)不共享你的邮箱 Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
: admin.talkilla.jiushiyaokuaile.cn
: consultant.talkilla.jiushiyaokuaile.cn
: student.talkilla.jiushiyaokuaile.cn
: teacher.talkilla.jiushiyaokuaile.cn
: wechat.talkilla.jiushiyaokuaile.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5 // 4)选择需要激活https的域名
Obtaining a new certificate
Performing the following challenges:
http- challenge for admin.talkilla.jiushiyaokuaile.cn
http- challenge for consultant.talkilla.jiushiyaokuaile.cn
http- challenge for student.talkilla.jiushiyaokuaile.cn
http- challenge for teacher.talkilla.jiushiyaokuaile.cn
http- challenge for wechat.talkilla.jiushiyaokuaile.cn
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
: No redirect - Make no further changes to the webserver configuration.
: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [-] then [enter] (press 'c' to cancel): 2 // 5)设置是否将http自动重定向到https,1否2是
Redirecting all traffic on port to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf
Redirecting all traffic on port to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf
Redirecting all traffic on port to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf
Redirecting all traffic on port to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf
Redirecting all traffic on port to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://admin.talkilla.jiushiyaokuaile.cn,
https://consultant.talkilla.jiushiyaokuaile.cn,
https://student.talkilla.jiushiyaokuaile.cn,
https://teacher.talkilla.jiushiyaokuaile.cn, and
https://wechat.talkilla.jiushiyaokuaile.cn You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem
Your cert will expire on --. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
6) 配置自动更新证书
* * certbot renew
* * service nginx restart
注意:
若执行certbot renew时,出现: 'ascii' codec can't decode byte 0xe8 in position 2: ordinal not in range(128) 错误,参考如下:
7)当需要安装新的证书
执行:
sudo certbot run --nginx
【Nginx】使用certbot安装免费https证书使Nginx支持Https请求的更多相关文章
- nginx用Certbot配置免费SSL证书(ngx_http_ssl_module模块)
一.准备工作 1.先安装nginx https://files.cnblogs.com/files/blogs/676936/nginx-1.18.0.sh #nginx-1.18.0版安装脚本2.在 ...
- 使用免费SSL证书让网站支持HTTPS访问
参考掘金的文章,掘金的文章最详细. https://juejin.im/post/5a31cbf76fb9a0450b6664ee 先检查是否存在 EPEL 源: # 进入目录检查是否存在 EPEL ...
- handbook/CentOS/使用免费SSL证书让网站支持HTTPS访问.md
- 购买https证书以及nginx配置https
文章来源 运维公会:购买https证书以及nginx配置https 1.https的作用 https的全名是安全超文本传输协议,是在http的基础上增加了ssl加密协议.在信息传输的过程中,信息有可能 ...
- 我的Android进阶之旅------>Android关于HttpsURLConnection一个忽略Https证书是否正确的Https请求工具类
下面是一个Android HttpsURLConnection忽略Https证书是否正确的Https请求工具类,不需要验证服务器端证书是否正确,也不需要验证服务器证书中的域名是否有效. (PS:建议下 ...
- 创建免费的证书,实现网站HTTPS
使用Certbot来实现HTTPS,这边也就考虑采用Cerbot来实现下 配置Certbot 证书 Certbot 的官方网站是 https://certbot.eff.org/ ,打开官网选择的 w ...
- 免费申请 HTTPS 证书,开启全站 HTTPS
作者:HelloGitHub-追梦人物 文中涉及的示例代码,已同步更新到 HelloGitHub-Team 仓库 HTTP 报文以明文形式传输,如果你的网站只支持 HTTP 协议,那么就有可能遭受到安 ...
- 新版startssl 免费SSL证书申请 (实测 笔记 https http2 必要条件)
简单说明: 目前多个大型网站都实现全站HTTPS,而SSL证书是实现HTTPS的必要条件之一. StartSSL是StartCom公司旗下的.提供免费SSL证书服务并且被主流浏览器支持的免费SSL.包 ...
- linux 系统自签免费ssl证书和nginx配置
首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...
随机推荐
- Qt常用类——QFrame类与QWidge类
QFrame与QWidget的区别: QFrame是基本控件的基类,QWidget是QFrame基类. QWidget类是所有用户界面对象的基类. Widget是用户界面的基本单元:它从窗口系统接收鼠 ...
- 如何确定假设检验的样本量(sample size)?
在<如何计算假设检验的功效(power)和效应量(effect size)?>一文中,我们讲述了如何根据显著性水平α,效应量和样本容量n,计算功效,以及如何根据显著性水平α,功效和样本容量 ...
- mac Sublime Text 快捷键
mac Sublime Text 快捷键 Tab: 光标后缩进 Shift+Tab: 反缩进 cmd+P: 打开文件切换面板 cmd+/: 行注释 cmd+R: 快速列出/跳转到某个函数 双击可选中光 ...
- js 压缩图片(只缩小体积,不更改图片尺寸)
1.情景展示 如上图所示,点击上传图片按钮,调用手机摄像头拍照功能. <input onchange="javascript:imgFun.uploadPicture();&quo ...
- 【Gamma】“北航社团帮”发布说明——小程序v3.0
目录 Gamma版本新功能 小程序v3.0新功能 新功能列表 新功能展示 这一版修复的缺陷 Gamma版本的已知问题和限制 小程序端 网页端 运行.安装与发布 运行环境的要求 安装与发布 小程序 网页 ...
- 饱了吗-web前端个人总结
一.引言 1.0 项目源代码整合 饱了吗前端web:传送门 饱了吗web和app后端:传送门 饱了吗app前端:传送门 饱了吗web展示:传送门 1.1 编写背景 web端开发人员较少,正好以前学习过 ...
- 洛谷P5017:摆渡车——题解
https://www.luogu.org/problem/P5017 参考:https://www.luogu.org/blog/ztyluogucpp/solution-p5017 我想我大概是废 ...
- Prometheus 基于文件的服务发现
Prometheus 基于文件的服务发现 官方文档:https://github.com/prometheus/prometheus/tree/master/discovery 服务发现支持: end ...
- SQL Server 新增自动执行任务
第一步右击SQL Server代理,新建作业 第二步选择常规,给你要执行的计划命名 第三步选择步骤,然后给步骤命名,选择类型,数据库,输入你要执行的语句. 第四步设置要执行的频率,根据业务需要,一般建 ...
- C#读写修改设置调整UVC摄像头画面-清晰度
有时,我们需要在C#代码中对摄像头的清晰度进行读和写,并立即生效.如何实现呢? 建立基于SharpCamera的项目 首先,请根据之前的一篇博文 点击这里 中的说明,建立基于SharpCamera的摄 ...