Configuring a Let's Encrypt SSL Certificate for Nginx on CentOS 7
In the earlier post on free SSL certificates I recommended Let's Encrypt without hesitation, so this one walks through installing the Let's Encrypt client and wiring the certificate into Nginx.
Let's Encrypt is a public, free certificate authority hosted by the Linux Foundation. Its backers are substantial: it was founded by Mozilla, Cisco, Akamai, IdenTrust and the EFF, among others, to issue and manage free certificates automatically and so speed up the web's move from HTTP to HTTPS. Each certificate is valid for 90 days and can be renewed during the last 30 days of that window, so as long as renewal keeps running the certificate never costs anything.
Environment
- CentOS 7
- Nginx 1.10.2
- Certbot
Installing Certbot
Official site:
Certbot is the client recommended by Let's Encrypt; it was previously called letsencrypt. On CentOS it is packaged in EPEL, so enable that repository first.
[root@ebs-29770 ~]# yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================
Installing:
epel-release noarch 7-6 extras 14 k
Transaction Summary
============================================================================================================================================================================================================
Install 1 Package
Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-6.noarch.rpm | 14 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-6.noarch 1/1
Verifying : epel-release-7-6.noarch 1/1
Installed:
epel-release.noarch 0:7-6
Complete!
[root@ebs-29770 ~]#
Clean the yum cache and rebuild it:
[root@ebs-29770 ~]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base epel extras nginx updates
Cleaning up everything
Cleaning up list of fastest mirrors
[root@ebs-29770 ~]# yum makecache
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
epel/x86_64/metalink | 5.4 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
nginx | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/20): base/7/x86_64/group_gz | 155 kB 00:00:00
(2/20): base/7/x86_64/filelists_db | 6.2 MB 00:00:02
(3/20): base/7/x86_64/primary_db | 5.3 MB 00:00:01
#----- omitted ------ | 5.3 MB 00:00:01
(19/20): updates/7/x86_64/primary_db | 9.1 MB 00:00:02
(20/20): updates/7/x86_64/other_db | 79 MB 00:00:17
Determining fastest mirrors
* base: centos.ustc.edu.cn
* epel: mirrors.tuna.tsinghua.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Metadata Cache Created
[root@ebs-29770 ~]#
Certbot can now be installed. One thing to watch in the output below: the EPEL signing key has not been imported yet (the NOKEY warning on the first download), so yum offers to import it from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, the file the epel-release package just installed, and prints the key's fingerprint. Compare that fingerprint with the one Fedora publishes for its EPEL 7 key before answering y; every package you ever pull from EPEL is trusted on the strength of this key.
[root@ebs-29770 ~]# yum install certbot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* epel: mirrors.tuna.tsinghua.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:0.9.3-1.el7 will be installed
--> Processing Dependency: python2-certbot = 0.9.3-1.el7 for package: certbot-0.9.3-1.el7.noarch
--> Running transaction check
---> Package python2-certbot.noarch 0:0.9.3-1.el7 will be installed
--> Processing Dependency: python2-acme = 0.9.3 for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python2-dialog >= 3.3.0 for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python2-configargparse >= 0.10.0 for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python-psutil >= 2.1.0 for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python-parsedatetime for package: python2-certbot-0.9.3-1.el7.noarch
--> Processing Dependency: python-mock for package: python2-certbot-0.9.3-1.el7.noarch
--> Running transaction check
---> Package python-parsedatetime.noarch 0:1.5-3.el7 will be installed
---> Package python-psutil.x86_64 0:2.2.1-1.el7 will be installed
---> Package python-zope-component.noarch 1:4.1.0-1.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-1.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed
---> Package python2-acme.noarch 0:0.9.3-1.el7 will be installed
--> Processing Dependency: pyOpenSSL >= 0.13 for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: pytz for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: python-six for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: python-requests for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: python-pyrfc3339 for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: python-pyasn1 for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-0.9.3-1.el7.noarch
--> Processing Dependency: python-cryptography for package: python2-acme-0.9.3-1.el7.noarch
---> Package python2-configargparse.noarch 0:0.10.0-1.el7 will be installed
---> Package python2-dialog.noarch 0:3.3.0-6.el7 will be installed
--> Processing Dependency: dialog for package: python2-dialog-3.3.0-6.el7.noarch
---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed
--> Running transaction check
---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
---> Package pyOpenSSL.x86_64 0:0.13.1-3.el7 will be installed
---> Package python-cryptography.x86_64 0:0.8.2-1.el7 will be installed
--> Processing Dependency: python-cffi >= 0.8 for package: python-cryptography-0.8.2-1.el7.x86_64
--> Processing Dependency: python-enum34 for package: python-cryptography-0.8.2-1.el7.x86_64
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-pyasn1.noarch 0:0.1.6-2.el7 will be installed
---> Package python-requests.noarch 0:2.6.0-1.el7_1 will be installed
--> Processing Dependency: python-urllib3 >= 1.10.2-1 for package: python-requests-2.6.0-1.el7_1.noarch
--> Processing Dependency: python-chardet >= 2.2.1-1 for package: python-requests-2.6.0-1.el7_1.noarch
---> Package python-six.noarch 0:1.9.0-2.el7 will be installed
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed
---> Package pytz.noarch 0:2012d-5.el7 will be installed
--> Running transaction check
---> Package python-cffi.x86_64 0:0.8.6-2.el7 will be installed
--> Processing Dependency: python-pycparser for package: python-cffi-0.8.6-2.el7.x86_64
---> Package python-chardet.noarch 0:2.2.1-1.el7_1 will be installed
---> Package python-enum34.noarch 0:1.0.4-1.el7 will be installed
---> Package python-urllib3.noarch 0:1.10.2-2.el7_1 will be installed
--> Running transaction check
---> Package python-pycparser.noarch 0:2.14-1.el7 will be installed
--> Processing Dependency: python-ply for package: python-pycparser-2.14-1.el7.noarch
--> Running transaction check
---> Package python-ply.noarch 0:3.4-10.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================
Installing:
certbot noarch 0.9.3-1.el7 epel 16 k
Installing for dependencies:
dialog x86_64 1.2-4.20130523.el7 base 208 k
pyOpenSSL x86_64 0.13.1-3.el7 base 133 k
python-cffi x86_64 0.8.6-2.el7 base 131 k
python-chardet noarch 2.2.1-1.el7_1 base 227 k
python-cryptography x86_64 0.8.2-1.el7 base 435 k
python-enum34 noarch 1.0.4-1.el7 base 52 k
python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k
python-parsedatetime noarch 1.5-3.el7 epel 61 k
python-ply noarch 3.4-10.el7 base 123 k
python-psutil x86_64 2.2.1-1.el7 epel 114 k
python-pyasn1 noarch 0.1.6-2.el7 base 91 k
python-pycparser noarch 2.14-1.el7 base 104 k
python-requests noarch 2.6.0-1.el7_1 base 94 k
python-six noarch 1.9.0-2.el7 base 29 k
python-urllib3 noarch 1.10.2-2.el7_1 base 100 k
python-zope-component noarch 1:4.1.0-1.el7 epel 110 k
python-zope-event noarch 4.0.3-2.el7 epel 79 k
python-zope-interface x86_64 4.0.5-4.el7 base 138 k
python2-acme noarch 0.9.3-1.el7 epel 168 k
python2-certbot noarch 0.9.3-1.el7 epel 361 k
python2-configargparse noarch 0.10.0-1.el7 epel 28 k
python2-dialog noarch 3.3.0-6.el7 epel 94 k
python2-mock noarch 1.0.1-9.el7 epel 92 k
python2-pyrfc3339 noarch 1.0-2.el7 epel 13 k
pytz noarch 2012d-5.el7 base 38 k
Transaction Summary
============================================================================================================================================================================================================
Install 1 Package (+25 Dependent packages)
Total download size: 3.0 M
Installed size: 15 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/certbot-0.9.3-1.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY ] 0.0 B/s | 0 B --:--:-- ETA
Public key for certbot-0.9.3-1.el7.noarch.rpm is not installed
(1/26): certbot-0.9.3-1.el7.noarch.rpm | 16 kB 00:00:00
(2/26): pyOpenSSL-0.13.1-3.el7.x86_64.rpm | 133 kB 00:00:00
(3/26): dialog-1.2-4.20130523.el7.x86_64.rpm | 208 kB 00:00:01
(4/26): python-cffi-0.8.6-2.el7.x86_64.rpm | 131 kB 00:00:00
............................
(24/26): pytz-2012d-5.el7.noarch.rpm | 38 kB 00:00:00
(25/26): python2-configargparse-0.10.0-1.el7.noarch.rpm | 28 kB 00:00:01
(26/26): python2-mock-1.0.1-9.el7.noarch.rpm | 92 kB 00:00:02
............................
Total 357 kB/s | 3.0 MB 00:00:08
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-6.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python-pyasn1-0.1.6-2.el7.noarch 1/26
Installing : python-six-1.9.0-2.el7.noarch 2/26
Installing : python-zope-interface-4.0.5-4.el7.x86_64 3/26
Installing : pyOpenSSL-0.13.1-3.el7.x86_64 4/26
Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch 5/26
Installing : python-urllib3-1.10.2-2.el7_1.noarch 6/26
Installing : pytz-2012d-5.el7.noarch 7/26
Installing : python-parsedatetime-1.5-3.el7.noarch 8/26
.........
Verifying : python-urllib3-1.10.2-2.el7_1.noarch 24/26
Verifying : python-parsedatetime-1.5-3.el7.noarch 25/26
Verifying : pytz-2012d-5.el7.noarch 26/26
Installed:
certbot.noarch 0:0.9.3-1.el7
Dependency Installed:
dialog.x86_64 0:1.2-4.20130523.el7 pyOpenSSL.x86_64 0:0.13.1-3.el7 python-cffi.x86_64 0:0.8.6-2.el7 python-chardet.noarch 0:2.2.1-1.el7_1
python-cryptography.x86_64 0:0.8.2-1.el7 python-enum34.noarch 0:1.0.4-1.el7 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-parsedatetime.noarch 0:1.5-3.el7
python-ply.noarch 0:3.4-10.el7 python-psutil.x86_64 0:2.2.1-1.el7 python-pyasn1.noarch 0:0.1.6-2.el7 python-pycparser.noarch 0:2.14-1.el7
python-requests.noarch 0:2.6.0-1.el7_1 python-six.noarch 0:1.9.0-2.el7 python-urllib3.noarch 0:1.10.2-2.el7_1 python-zope-component.noarch 1:4.1.0-1.el7
python-zope-event.noarch 0:4.0.3-2.el7 python-zope-interface.x86_64 0:4.0.5-4.el7 python2-acme.noarch 0:0.9.3-1.el7 python2-certbot.noarch 0:0.9.3-1.el7
python2-configargparse.noarch 0:0.10.0-1.el7 python2-dialog.noarch 0:3.3.0-6.el7 python2-mock.noarch 0:1.0.1-9.el7 python2-pyrfc3339.noarch 0:1.0-2.el7
pytz.noarch 0:2012d-5.el7
Complete!
[root@ebs-29770 ~]#
Obtaining the SSL certificate
Before issuing a certificate, Let's Encrypt checks that the requester controls each domain the certificate will cover. The idea is that the client runs on the server the domain points at; Let's Encrypt's validation servers then connect to that domain, and if they can reach the client's answer the check passes. Certbot can answer this challenge in two ways:
- standalone mode: stop the running web server to free port 80, and let the web server built into Certbot talk to Let's Encrypt.
- webroot mode: leave the web server running, but create a temporary directory under the site's document root and make sure it is reachable from the public internet under the domain name.
Webroot mode is clearly the better choice. During validation Certbot writes a file with a random name and content into that directory, and Let's Encrypt's validation servers (not Certbot's) fetch it over plain HTTP on port 80, so Nginx has to serve that path and must not send it somewhere it cannot be served (for example a blanket redirect to an HTTPS site that has no such location).
Add the following inside the server block of your Nginx configuration:
# Serve ACME challenge files straight from the webroot. "^~" makes this
# prefix match final, so a regex location for, say, PHP cannot capture it.
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /usr/share/nginx/html;
}
# The directory itself has nothing to show; refuse it rather than list it.
location = /.well-known/acme-challenge/ {
    return 404;
}
Check the syntax with nginx -t, then reload Nginx: systemctl reload nginx
Request the certificate from Let's Encrypt:
certbot certonly --webroot --email and.mz.yq@gmail.com -w /usr/share/nginx/html -d mzlion.com -d www.mzlion.com --agree-tos
# -w  webroot of the site; applies to every -d that follows it
# -d  a domain to include; repeat it once per name
# all the -d names go on one certificate as subject alternative names, so they share one key pair
# --agree-tos  accept the subscriber agreement non-interactively
# --email  used for expiry warnings and account recovery, so give an address that is actually read
Without --agree-tos, Certbot stops and asks you to accept the terms interactively.
The end of a successful run looks like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mzlion.com/fullchain.pem. Your cert will
expire on 2017-03-05. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you lose your account credentials, you can recover through
e-mails sent to and.mz.yq@gmail.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@ebs-29770 html]#
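Before touching the Nginx configuration it is worth checking what Certbot actually saved. The script below is an added example, not code from the post or from Certbot: it needs only the openssl command line tool, reads the first certificate in fullchain.pem (the leaf; the intermediates follow it), confirms that every name you passed with -d appears as a subject alternative name, and confirms that privkey.pem really belongs to that certificate, which is the usual reason nginx refuses to start after a certificate swap. The live directory and domain names are the post's; substitute your own.

```shell
#!/bin/sh
# Post-issuance checks for a Certbot "live" directory.
# Added example; not part of the original post and not Certbot's own code.
# Only the openssl CLI is required. Paths and names below are assumptions
# taken from the post (mzlion.com / www.mzlion.com).

# Print the DNS names from the subjectAltName of the FIRST certificate in a
# PEM file (for fullchain.pem that is the leaf), one per line.
cert_dns_names() {
    # -text prints a line such as: DNS:mzlion.com, DNS:www.mzlion.com
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeed only if every domain given after the PEM path is covered by a SAN.
# Usage: cert_covers fullchain.pem mzlion.com www.mzlion.com
cert_covers() {
    pem=$1; shift
    names=$(cert_dns_names "$pem")
    for d in "$@"; do
        echo "$names" | grep -qx "$d" || { echo "missing SAN: $d" >&2; return 1; }
    done
    return 0
}

# Succeed if the private key belongs to the certificate: derive the public
# key from each side (SubjectPublicKeyInfo PEM) and compare them.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run both checks against a live directory written by "certbot certonly".
# Usage: check_live_dir /etc/letsencrypt/live/mzlion.com mzlion.com www.mzlion.com
check_live_dir() {
    dir=$1; shift
    cert_covers "$dir/fullchain.pem" "$@" \
        && cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem"
}

# Command-line entry point: first argument is the live directory, the rest
# are the domains that must be on the certificate.
if [ $# -ge 2 ]; then
    check_live_dir "$@" && echo "certificate in $1 covers: $*"
fi
```

Run it as root right after certbot finishes and again after every renewal; a missing SAN means a -d flag was dropped, and a key mismatch means the files in live/ point at different generations in archive/.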
Configuring the SSL certificate in Nginx
Open your server's Nginx configuration and change it along the lines below, substituting your own domain names; the rest should carry over as is. There is one port-80 server block and one port-443 block. The HTTP-to-HTTPS redirect sits inside location / rather than at server level on purpose: a server-level return runs before location matching and would redirect the ACME challenge requests too, which would break webroot renewal later on.
server {
    listen 80;
    server_name www.mzlion.com mzlion.com;
    # Let's Encrypt validates over plain HTTP, so this path must stay reachable here
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    # Permanent redirect of everything else to the HTTPS site.
    # $server_name is the first name listed above, so the bare domain is canonicalised to www.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    # Enable HTTPS with HTTP/2
    listen 443 ssl http2;
    server_name www.mzlion.com mzlion.com;
    # Certificate (leaf plus intermediates) and private key written by Certbot
    ssl_certificate /etc/letsencrypt/live/mzlion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mzlion.com/privkey.pem;
    # Intermediate chain; nginx only uses it to verify OCSP responses when stapling is on
    ssl_trusted_certificate /etc/letsencrypt/live/mzlion.com/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Stapling needs a resolver to look up the OCSP responder's hostname;
    # point this at your own DNS server (see /etc/resolv.conf)
    resolver 127.0.0.1;
    # TLS 1.2 only: TLS 1.3 needs OpenSSL 1.1.1, which CentOS 7 does not ship,
    # and SSLv3 / TLS 1.0 / TLS 1.1 are not worth keeping
    ssl_protocols TLSv1.2;
    # Cipher suites in order of preference (earlier wins): forward-secret ECDHE
    # suites only, AEAD (GCM) first. RC4, 3DES, MD5, export, anonymous and
    # static-key suites are excluded.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP:!kECDH;
    # By default a TLS 1.0-1.2 handshake honours the client's preference order;
    # this makes the server's order above win
    ssl_prefer_server_ciphers on;
    # Resume sessions instead of doing a full handshake on every connection
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # HSTS: tell browsers to use HTTPS only for this host. Start with a short
    # max-age and raise it once you are sure the whole site works over HTTPS
    add_header Strict-Transport-Security "max-age=300" always;
    # Everything below is unrelated to the certificate
    location / {
        #...omitted
    }
}
Save the file, check it with nginx -t, then reload Nginx (or restart it): systemctl reload nginx
That completes the Nginx SSL setup: open the site in a browser and it loads over https with the padlock icon.
Automatic renewal
Because the certificate is valid for only 90 days, renewal has to be automated. First do a dry run from the command line; it goes through the whole renewal against the Let's Encrypt staging environment but saves nothing:
certbot renew --dry-run
A successful dry run looks like this:
[root@ebs-29770 ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mzlion.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mzlion.com
http-01 challenge for www.mzlion.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mzlion.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
[root@ebs-29770 ~]#
If you are not sure the Nginx configuration is right, always do this dry run before relying on cron; it proves Certbot can complete the http-01 challenge through your server. Then add a scheduled job with crontab -e:
crontab -e
and add this line:
0 0,12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx" >> /var/log/le-renew.log 2>&1
This runs certbot renew at midnight and noon every day. That is not excessive: renew only touches certificates that are within 30 days of expiry, so most runs do nothing, and running often leaves plenty of retries if Let's Encrypt is briefly unreachable. The --post-hook reloads Nginx after a successful renewal; without it Nginx keeps serving the certificate it loaded at startup even though the new one is on disk. Do not schedule the job only every couple of months: with a 30-day window there is no slack for a failed attempt, and a lapsed certificate is an outage.
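To go with the cron line, here is a wrapper a practitioner would schedule instead of the bare certbot call. It is an added example, not Certbot's code and not part of the original post: it runs the renewal with the reload hook, then checks that the certificate Nginx presents on port 443 is exactly the one in the live directory (by SHA-256 fingerprint) and that it is not about to expire. The domain, host and paths are the post's and are assumptions; the checks need only openssl. Save it as, for example, /usr/local/sbin/le-renew.sh and call it with the argument run from cron.

```shell
#!/bin/sh
# Renewal wrapper with post-renewal verification.
# Added example; not Certbot's code and not part of the original post.
# Requires the openssl CLI. LIVE and HOST are assumptions from the post.

LIVE=/etc/letsencrypt/live/mzlion.com
HOST=www.mzlion.com

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 when the certificate will NOT expire in that
# window, so the sense is inverted here to read naturally in "if".
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint (colon-separated hex) of the first certificate in $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the certificate a TLS server actually presents for host $1,
# sending SNI so the right server block answers.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Renew whatever is due. certbot only renews certificates within 30 days of
# expiry, so this is cheap to run twice a day; the post-hook reloads nginx so
# the new certificate is served instead of the one cached in memory.
renew_certs() {
    /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
}

# After renewal: the file on disk must be what nginx serves, and it must not
# be close to expiry. Returns non-zero and explains on stderr if not.
verify_deployed() {
    on_disk=$(cert_fingerprint "$LIVE/fullchain.pem")
    served=$(served_fingerprint "$HOST")
    if [ -z "$on_disk" ] || [ "$on_disk" != "$served" ]; then
        echo "nginx on $HOST serves a different certificate than $LIVE (reload missed?)" >&2
        return 1
    fi
    if cert_expires_within "$LIVE/fullchain.pem" 7; then
        echo "certificate expires within 7 days; renewal is not working" >&2
        return 1
    fi
    echo "certificate OK: $on_disk"
}

# Entry point for cron: le-renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_certs && verify_deployed
fi
```

Because cron only mails or logs what the script prints, the two failure messages are the signal to look for in /var/log/le-renew.log; a fingerprint mismatch after a renewal almost always means the reload hook did not run.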
Summary
All in all, setting up Let's Encrypt is fairly simple: the project provides the client and a renewal mechanism, and all that is left on CentOS is a little configuration.