在CentOS7安装Nginx并部署Let's Encrypt免费SSL证书

注意:此版本是Nginx版,Apache版请移步<>,可能遇到的问题可查阅《用Certbot部署Let's Encrypt遇到的常见问题

在CentOS7安装Nginx并部署Let&#039;s Encrypt免费SSL证书

写在前面

  • 非root用户请在命令前面加上 sudo
  • 本文用例域名为 example.com,请自行根据实际情况更改域名并绑定A记录和对应的IP地址

一 安装certbot客户端

certbot是Let's Encrypt证书的客户端,官方提供了非常牛*的适用于各种操作系统及Web Server软件的安装命令,官网地址: https://certbot.eff.org/ 只要进入官网选择好你对应的软件和系统版本它会告诉你如何安装.

安装certbot之前我们依旧需要安装epel软件源

yum install epel-release

然后执行安装Nginx版certbot

yum install certbot-nginx

二 安装Nginx

不多废话

yum install nginx

启动服务

systemctl start nginx

修改主机配置文件并绑定域名,需要重点说明的是,如果你没有配置虚拟主机默认位置文件应该是

vi /etc/nginx/nginx.conf

如果你配置了虚拟主机,你的文件应该是(不知道如何配置虚拟主机的请爬文<>)

vi /etc/nginx/sites-available/example.com.conf

找到server_name参数,修改为

server_name example.com www.example.com;

保存退出后测试配置文件语法正确与否

nginx -t

如果问题的话重启一下Nginx

systemctl reload nginx

Certbot程序会自动找到server参数配置,下一步设置防火墙放行规则

三 设置防火墙规则

如果你使用的是firewalld防火墙,使用以下命令

firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

如果使用的是iptables防火墙则使用以下命令

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

四 获取SSL证书

带有域名配置参数的命令

certbot --nginx -d example.com -d www.example.com

这里也可以直接使用不带任何参数的命令

certbot --nginx

后者程序也会有配置域名提示,此段不做过多解释,在apache版的Let's Encrypt证书安装一文中均有说明。

笔者以yourdomain.com为例,运行命令“certbot --nginx -d yourdomain.com -d www.yourdomain.com”,下面为运行结果

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
http-01 challenge for www.yourdomain.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yourdomain.com.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yourdomain.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2    #注意这里,1 是不强制https访问,也就是http与https均可访问;2 是统一强制https访问
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/yourdomain.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/yourdomain.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://yourdomain.com and
https://www.yourdomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2019-09-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

五 配置Diffie-Hellman

此时你如果使用https://www.ssllabs.com/ssltest/测试你的服务器你至多会得到一个B,我们需要创建一个dhparam.pem文件,并在server{}配置区域中添加ssl_dhparam参数来提升成绩.

openssl创建文件

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

修改配置文件 vi /etc/nginx/nginx.conf (默认)或者 vi /etc/nginx/sites-available/example.com.conf (虚拟主机)

server{}中加入这行参数

ssl_dhparam /etc/ssl/certs/dhparam.pem;

测试语法

nginx -t

重启服务

systemctl reload nginx

六 设置证书自动续期

Apache版一样,我们使用cron来执行定时命令

crontab -e

添加以下内容

15 3 * * * /usr/bin/certbot renew --quiet

15 3 * * * 参数的意思是每天早上3:15执行任务, renew 命令是certbot续期命令, --quiet 参数让certbot不做任何信息输出

Read Comments

  • 叶清浅9 months ago0

    您好,我想要在ZeroNet上写的一篇教程中引用您的这篇博客并标明引用出处,请问是否允许

Post Comment