(1). 概述
以前申请证书,都是由运维去处理,最近有一些运维的工作要处理,所以,就想自己尝试下申请免费SSL证书,并记录下来.
“参考地址”
(2). 操作步骤
- CentOS 服务器一台(略)
- 域名配置IP解析(略)
- 安装Nginx并配置server
- Certbot申请证书
- 配置nginx支持SSL
(3). 安装nginx
因为我是纯临时性的测试,所以是在root用户下操作.
# 1. 安装nginx
[root@erp ~]# yum -y install nginx
# 2. 启动nginx
[root@erp ~]# nginx
# 3. 查看机器启动了哪些端口
[root@erp ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1367/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 945/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 969/master
tcp6 0 0 :::80 :::* LISTEN 1367/nginx: master
tcp6 0 0 ::1:25 :::* LISTEN 969/master
# 4. 设置开机启动
[root@erp ~]# systemctl enable nginx.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
# 5. nginx应用程序目录
[root@erp ~]# ll /etc/nginx/ |grep conf
drwxr-xr-x 2 root root 4096 Jun 2 08:24 conf.d
-rw-r--r-- 1 root root 2336 Jun 2 08:23 nginx.conf
# 6. 配置server(test.lixin.help.conf)
[root@erp ~]# cat /etc/nginx/conf.d/test.lixin.help.conf
server {
listen 80;
server_name test.lixin.help;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
(4). Certbot申请证书
# ********************************************snapd安装*****************************************************
# 1. 安装yum源
[root@erp ~]# yum -y install epel-release
# 2. 安装snapd
[root@erp ~]# yum -y install snapd
# 3. 设置开机启动
[root@erp ~]# systemctl enable --now snapd.socket
Created symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket.
# 4. 设置snap软链接
[root@erp ~]# ln -s /var/lib/snapd/snap /usr/sbin/snap
[root@erp ~]# ln -s /var/lib/snapd/snap /snap
[root@erp ~]# systemctl start snapd
# ********************************************certbot安装*****************************************************
# 5. 安装certbot
[root@erp ~]# snap install --classic certbot
[root@erp ~]# snap install core; snap refresh core
# 6. 创建软链接
[root@erp ~]# ln -s /snap/bin/certbot /usr/bin/certbot
# 7. 通过cerbot申请证书
[root@erp ~]# certbot certonly --nginx --nginx-server-root=/etc/nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): **********@126.com # 在这里填写你的邮箱
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y #填写Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y # 填写Y
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: test.lixin.help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 # 选择域要申请SSL的域名
Requesting a certificate for test.lixin.help
# 申请证书成功
Successfully received certificate.
# ***************************************************************************************
# fullchain.pem : 公钥(ssl_certificate)
# privkey.pem : 私钥(ssl_certificate_key)
# ***************************************************************************************
Certificate is saved at: /etc/letsencrypt/live/test.lixin.help/fullchain.pem
Key is saved at: /etc/letsencrypt/live/test.lixin.help/privkey.pem
# 有效期为3个月,需要每隔一段时间进行续租.
This certificate expires on 2022-01-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(5). Nginx配置证书
# 1. 配置nginx支持SSL
[root@erp ~]# cat /etc/nginx/conf.d/test.lixin.help.conf
server {
listen 80;
listen 443 ssl;
listen [::]:443 ssl;
server_name test.lixin.help;
ssl_certificate "/etc/letsencrypt/live/test.lixin.help/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/test.lixin.help/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
# 2. 重启nginx
# 检查下配置
[root@erp conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# 热部署nginx
[root@erp conf.d]# nginx -s reload
(6). 通过浏览器验证证书
(7). 续租证书
[root@erp ~]# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.lixin.help.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for test.lixin.help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/test.lixin.help/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(7). 总结
申请免费的SSL证书,相对来说还是比较简单的.
