Installing Nginx on CentOS 7 and deploying a free Let's Encrypt SSL certificate

Note: this is the Nginx version; for the Apache version see <>. Problems you may run into are covered in "Common problems when deploying Let's Encrypt with Certbot".


Before you start

  • If you are not root, prefix the commands with sudo
  • This article uses example.com as the example domain; replace it with your own domain and make sure an A record points it at the server's IP address

1. Install the certbot client

certbot is the client for Let's Encrypt certificates. The official site provides excellent installation instructions for a wide range of operating systems and web server software: https://certbot.eff.org/ . Just select your web server and OS version on the site and it tells you how to install.

Before installing certbot we still need to enable the EPEL repository

yum install epel-release

Then install the Nginx flavour of certbot

yum install certbot-nginx

2. Install Nginx

Without further ado

yum install nginx

Start the service

systemctl start nginx

Edit the host configuration file and bind your domain. Note in particular that if you have not configured virtual hosts, the default file should be

vi /etc/nginx/nginx.conf

If you have configured virtual hosts, your file should be (if you do not know how to set up virtual hosts, see <>)

vi /etc/nginx/sites-available/example.com.conf

Find the server_name directive and change it to

server_name example.com www.example.com;

After saving and exiting, check that the configuration file syntax is valid

nginx -t

If there are no problems, reload Nginx

systemctl reload nginx

Certbot will locate the server block configuration automatically. The next step is to set up the firewall rules.

3. Set up firewall rules

If you use the firewalld firewall, run the following commands

firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

If you use the iptables firewall, run the following commands instead

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

4. Obtain the SSL certificate

The command with the domain parameters

certbot --nginx -d example.com -d www.example.com

You can also run the command with no parameters at all

certbot --nginx

The latter will also prompt you for the domains. This step is not explained in detail here, as it is covered in the Apache version of the Let's Encrypt certificate installation article.

Taking yourdomain.com as an example, I ran "certbot --nginx -d yourdomain.com -d www.yourdomain.com"; the output is below

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
http-01 challenge for www.yourdomain.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yourdomain.com.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yourdomain.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2    # Note: 1 does not force HTTPS, i.e. the site stays reachable over both HTTP and HTTPS; 2 forces all access over HTTPS
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/yourdomain.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/yourdomain.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://yourdomain.com and
https://www.yourdomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2019-09-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

5. Configure Diffie-Hellman

If you test your server at https://www.ssllabs.com/ssltest/ at this point you will get at most a B. We need to create a dhparam.pem file and add the ssl_dhparam directive to the server{} block to improve the grade.

Create the file with openssl

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Edit the configuration file: vi /etc/nginx/nginx.conf (default) or vi /etc/nginx/sites-available/example.com.conf (virtual host)

Add this directive inside server{}

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Test the syntax

nginx -t

Reload the service

systemctl reload nginx
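Putting sections 2, 4 and 5 together, below is a complete virtual-host file of the kind you end up with after choosing certbot's redirect option and adding the ssl_dhparam line above. This is an added example, not the page's own file and not the exact text certbot writes (that differs by certbot version); it assumes the domain example.com, the certificate paths certbot reports in section 4, a web root of /usr/share/nginx/html, and TLS 1.2 only, because CentOS 7 ships OpenSSL 1.0.2 without TLS 1.3.

```nginx
# /etc/nginx/sites-available/example.com.conf  (constructed example; paths assumed)

# Port 80: redirect everything to HTTPS. This is what certbot's option
# "2: Redirect" sets up. Renewal via http-01 keeps working, because the
# Let's Encrypt validation server follows the redirect to the HTTPS block.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /usr/share/nginx/html;   # assumed web root

    # Certificate and key written by certbot (section 4). Use fullchain.pem,
    # not cert.pem, otherwise clients do not receive the intermediate CA.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # 2048-bit DH parameters generated in section 5, so that DHE key
    # exchanges use them rather than a shorter default.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLS 1.2 only: CentOS 7's OpenSSL 1.0.2 has no TLS 1.3; TLS 1.0/1.1 are
    # disabled. Forward-secret AEAD suites only (no ChaCha20 on OpenSSL 1.0.2).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Optional: tell browsers to use HTTPS only. Enable this only once you have
    # confirmed the site works over HTTPS, since browsers cache it for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        index index.html;
    }
}
```

Run nginx -t after editing and reload as above; the SSL Labs test from section 4 then shows the effect of the DH parameters and the protocol settings.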

6. Set up automatic certificate renewal

As with the Apache version, we use cron to run the renewal command on a schedule

crontab -e

Add the following line

15 3 * * * /usr/bin/certbot renew --quiet >> /var/log/le-renew.log

15 3 * * * means the job runs every day at 3:15 AM; renew is certbot's renewal command; the --quiet parameter stops certbot from printing any output

Comments

  • 叶清浅, 6 years ago

    Hello, I would like to cite this blog post, with attribution, in a tutorial I am writing on ZeroNet. May I?
