1. Download and install certbot (the Let's Encrypt client)
2. Generate the certificate with certbot
3. Configure the HTTPS certificate in nginx
```
[root@hz1 ~]# wget https://dl.eff.org/certbot-auto
[root@hz1 ~]# chmod a+x certbot-auto
[root@hz1 ~]# ./certbot-auto
```
```
[root@hz1 certbot]# ./certbot-auto certonly --email zhai.junming@timecash.cn --agree-tos --webroot -w /alidata1/www/timecash22/api3 -d xxxx.zjm.cn
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.zjm.cn
Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your cert will expire
   on 2017-09-06. To obtain a new or tweaked version of this certificate
   in the future, simply run certbot-auto again. To non-interactively
   renew *all* of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

-w: the web root directory of the site for that domain (the http-01 challenge file is served from here)
-d: the domain name

Note: the certificate has been written to /etc/letsencrypt/live/xxx.zjm.cn
Configuring the HTTPS certificate in nginx
```nginx
# HTTP: redirect every request to HTTPS
server {
    listen 80;
    server_name www.xxx.cn;
    return 301 https://$server_name$request_uri;
}

# HTTPS
server {
    listen 443 ssl;
    server_name www.xxx.cn;
    ssl_certificate /etc/letsencrypt/live/www.xxx.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.cn/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.xxx.cn/chain.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    location / {
        # upstream application (the Tomcat backend in this setup); if this host
        # name resolves back to this nginx, the port-80 redirect above will loop
        proxy_pass http://www.xxx.cn/;
    }
}
```

ssl_certificate and ssl_certificate_key point at fullchain.pem and privkey.pem respectively (the directive name and the path must be separated by a space, or nginx rejects the line as an unknown directive). ssl_dhparam is generated with:

```
$ mkdir /etc/nginx/ssl
$ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```
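As an added example (not code from the original post), the following Python script lints a config like the one above for the mistakes that bite in practice: a directive fused with its path (nginx rejects `ssl_certificate_key/etc/...` as an unknown directive), an HTTPS block missing its chain or key, a port-80 block that does not redirect, and a `proxy_pass` pointing back at the same host name over HTTP, which would loop through the 301. The tokenizer only handles plain `server`/`location` blocks; both sample configs and the `127.0.0.1:8080` backend address are constructed for the example.

```python
"""Lint nginx server blocks for the HTTPS pitfalls discussed above.

Added example, not code from the original post. The tokenizer handles plain
server/location blocks only; the sample configs below are constructed.
"""
import re

TLS_DIRECTIVES = ("ssl_certificate", "ssl_certificate_key",
                  "ssl_trusted_certificate", "ssl_dhparam")


def tokenize(text):
    """Drop comments, then split into words and the structural tokens { } ;"""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens, pos=0):
    """Recursive-descent parse into (name, args, children) tuples; returns (items, next_pos)."""
    items = []
    while pos < len(tokens):
        if tokens[pos] == "}":
            return items, pos + 1
        words = []
        while tokens[pos] not in ("{", ";"):
            words.append(tokens[pos])
            pos += 1
        if tokens[pos] == "{":
            children, pos = parse(tokens, pos + 1)
        else:
            children, pos = None, pos + 1
        items.append((words[0], words[1:], children))
    return items, pos


def lint(config_text):
    """Return a list of human-readable findings (an empty list means the config passed)."""
    findings = []
    tree, _ = parse(tokenize(config_text))
    for name, _, body in tree:
        if name != "server" or body is None:
            continue
        directives = {n: a for n, a, _ in body}
        host = directives.get("server_name", ["<unnamed>"])[0]
        listen = directives.get("listen", [])
        # 1. A directive glued to its argument is an unknown directive to nginx
        #    (the config fails to load), e.g. "ssl_certificate_key/etc/...".
        for n, _, _ in body:
            for d in TLS_DIRECTIVES:
                if n.startswith(d + "/"):
                    findings.append(f"{host}: '{n}' is missing the space after {d}")
        if "ssl" in listen:
            # 2. An HTTPS block must name both the chain and the private key.
            for d in ("ssl_certificate", "ssl_certificate_key"):
                if d not in directives:
                    findings.append(f"{host}: https block lacks {d}")
            # 3. proxy_pass back to this host name over http goes through the
            #    port-80 redirect and loops; the upstream should be the backend.
            for n, _, loc_body in body:
                if n != "location":
                    continue
                for ln, la, _ in loc_body or []:
                    if ln == "proxy_pass" and la and la[0].startswith(f"http://{host}"):
                        findings.append(f"{host}: proxy_pass points back at this host over http (redirect loop)")
        elif listen[:1] == ["80"]:
            # 4. The plain-http block should do nothing but redirect to https.
            ret = directives.get("return", [])
            if len(ret) < 2 or ret[0] != "301" or not ret[1].startswith("https://"):
                findings.append(f"{host}: port-80 block does not redirect to https")
    return findings


# Constructed sample reproducing the defects: fused directives and a self-proxy.
BROKEN_CONFIG = """
server { listen 80; server_name www.xxx.cn; return 301 https://$server_name$request_uri; }
server {
    listen 443 ssl;
    server_name www.xxx.cn;
    ssl_certificate /etc/letsencrypt/live/www.xxx.cn/fullchain.pem;
    ssl_certificate_key/etc/letsencrypt/live/www.xxx.cn/privkey.pem;
    ssl_trusted_certificate/etc/letsencrypt/live/www.xxx.cn/chain.pem;
    location / { proxy_pass http://www.xxx.cn/; }
}
"""

# Constructed corrected version; 127.0.0.1:8080 stands in for the backend app.
FIXED_CONFIG = """
server { listen 80; server_name www.xxx.cn; return 301 https://$server_name$request_uri; }
server {
    listen 443 ssl;
    server_name www.xxx.cn;
    ssl_certificate /etc/letsencrypt/live/www.xxx.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxx.cn/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.xxx.cn/chain.pem;
    location / { proxy_pass http://127.0.0.1:8080/; }
}
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")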
因爲這個免費的證書只有90天的使用時間,因此遇到定時更新如下證書,這裏是利用certbot每隔一段時間自動更新證書後端
手動執行更新api
./certbot-auto renew --dry-run
結合crontab每隔一段時間自動更新證書tomcat
30 2 * * 1 ./certbot-auto renew >> /var/log/le-renew.log
PS:dom
一、生成證書的時候切記-w參數後邊的站點目錄要寫對,否則會報錯ide
二、只需配nginx支持https就好,tomcat不用配置this
三、前端代碼和後端接口必須支持https