CentOS 7.4 安裝部署SSL證書

時間 2019-11-24

標籤 centos 7.4 安裝部署 ssl 證書欄目 CentOS 简体版

原文原文鏈接

一開始考慮國內，但查閱資料以後轉向了Let's Encryptjavascript

緣由以下

支持泛域名，一次配置全站支持
腳本自動更新 SSL 證書

安裝

安裝

certbot Let’s Encrypt 提供的 HTTPS 證書申請的工具
python2-certbot-nginx 針對 Nginx 的插件，使得 Nginx 運行的服務申請證書更加簡單方便css

# 工具安裝
yum install yum-utils -y
yum install certbot python2-certbot-nginx -y
# 查看
certbot -v
# 生成SSL證書
certbot --nginx
# 此後進入一系列交互
# 贊成協議,郵箱填寫，對於nginx配置檢索出的域名選擇,redirect與否
複製代碼

成功以後會輸出以下信息，不成功注意看報錯信息

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# IMPORTANT NOTES:
# - Congratulations! Your certificate and chain have been saved at:
# /etc/letsencrypt/live/abc.cn/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/abc.cn/privkey.pem
# Your cert will expire on 2020-02-12. To obtain a new or tweaked
# version of this certificate in the future, simply run certbot again
# with the "certonly" option. To non-interactively renew *all* of
# your certificates, run "certbot renew"
# - If you like Certbot, please consider supporting our work by:

# Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
# Donating to EFF: https://eff.org/donate-le
複製代碼

certbot會在 nginx 配置中寫入配置以下

server {
  server_name abc.cn www.abc.cn;

  location / {
    root /home/card;
    index index.html index.htm;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/abc.cn/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/abc.cn/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen  80;
  server_name abc.cn www.abc.cn;
    return 404; # managed by Certbot
}
複製代碼

server {
  server_name card.abc.cn;

  server_name_in_redirect off;
  proxy_set_header Host $host:$server_port;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header REMOTE-HOST $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;



  # GZIP
  gzip  on;
  gzip_buffers 32 4k;
  gzip_comp_level 6;
  gzip_min_length 200;
  gzip_types text/css text/xml application/javascript;
  gzip_vary on;

  location / {
    root /home/card-admin/dist;
    index index.html index.htm;
    # 404
    try_files $uri $uri/ @router;
    add_header Cache-Control 'private, no-store, max-age=0';
  }
  location @router {
    rewrite ^.*$ /index.html last;
  }
  location /api {
    # proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header Host $http_host;
    # proxy_set_header X-Nginx-Proxy true;
    # proxy_set_header Connection "";
    # proxy_set_header Cookie $http_cookie;

    proxy_pass http://127.0.0.1:3001;
  }
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   html;
  }
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/abc.cn/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/abc.cn/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = card.abc.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen  80;
  server_name card.abc.cn;
    return 404; # managed by Certbot
}
複製代碼

自動更新證書

Let's Encrypt 證書的有效期是 90 天，可是能夠用腳本去更新html

# # 更新證書
# certbot renew --dry-run

# 若是不須要返回的信息，能夠用靜默方式
certbot renew --quiet
複製代碼

添加自動執行腳本

# 打開 `/etc/crontab`

# 能夠使用crontab定時更新，例如：
# 每個月1號5時執行執行一次更新，並重啓nginx服務器
00 05 01 * * /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx
複製代碼

踩坑以下

安裝過程當中可能會報錯，環境不同解決方案略有差別
可是都能找到解決方案java

python版本問題,卸載重裝指定版本
'ascii' codec can't decode byte 0xe5 in position 2字符問題,去掉 nginx 配置中的中文註釋
pkg_resources.DistributionNotFound:urllib3＜1.23 ,＞＝1.21.1distribution was not found and is required,執行easy_install urllib3==1.21.1