Nginx自动化部署Let‘s Encrypt证书并续期

HTTP和HTTPS分别是什么

HTTP协议是超文本传输协议的缩写，英文是Hyper Text Transfer Protocol。它是从WEB服务器传输超文本标记语言(HTML)到本地浏览器的传送协议。

HTTPS（全称：Hypertext Transfer Protocol over Secure Socket Layer），是以安全为目标的HTTP通道，简单讲是HTTP的安全版。即HTTP下加入SSL层，HTTPS的安全基础是SSL，

HTTP和HTTPS的主要区别是什么

1.https协议需要到CA申请证书，一般免费证书较少，因而需要一定费用。

2.http是超文本传输协议，信息是明文传输，https则是具有安全性的ssl/tls加密传输协议。

3.http和https使用的是完全不同的连接方式，用的端口也不一样，前者是80，后者是443。

4.http的连接很简单，是无状态的；HTTPS协议是由SSL/TLS+HTTP协议构建的可进行加密传输、身份认证的网络协议，比http协议安全。

如何获取SSL证书呢？

理论上，我们自己也可以签发 SSL 安全证书，但是我们自己签发的安全证书不会被主流的浏览器信任，所以我们需要被信任的证书授权中心（ CA ）签发的安全证书。而一般的 SSL 安全证书签发服务都比较贵，比如 Godaddy 、 GlobalSign 等机构签发的证书一般都需要20美金一年甚至更贵，不过为了加快推广 https 的普及， EEF 电子前哨基金会、 Mozilla 基金会和美国密歇根大学成立了一个公益组织叫 ISRG （ Internet Security Research Group ），这个组织从 2015 年开始推出了 Let’s Encrypt 免费证书。这个免费证书不仅免费，而且还相当好用，所以我们就可以利用 Let’s Encrypt 提供的免费证书部署 https 了。那么怎么获得 Let’s Encrypt 安全证书，并且将它部署在自己的网站服务器上呢？
Let’s Encrypt 及 Certbot 简介

Let’s Encrypt 是一个叫 ISRG （ Internet Security Research Group ，互联网安全研究小组）的组织推出的免费安全证书计划。参与这个计划的组织和公司可以说是互联网顶顶重要的先驱，除了前文提到的三个牛气哄哄的发起单位外，后来又有思科（全球网络设备制造商执牛耳者）、 Akamai 加入，甚至连 Linux 基金会也加入了合作，这些大牌组织的加入保证了这个项目的可信度和可持续性。

后来 ISRG 的发起者 EFF （电子前哨基金会）为 Let’s Encrypt 项目发布了一个官方的客户端 Certbot ，利用它可以完全自动化的获取、部署和更新安全证书。这真是非常容易、方便呀，所以我们就可以直接使用官方客户端，不需要再使用第三方的工具了。

查询证书到期时间

sudo certbot certificates

Certbot 为 nginx 配置证书
1.安装Certbot

sudo yum install -y epel-release && sudo yum install certbot python2-certbot-nginx

2.将解析的二级域名写到配置文件的server_name中并确保配置文件无错误再继续操作

sudo nginx -t

配置文件示例

server {
server_name atp.meimeida.one;
root /data/wwwroot/atp ;

access_log /data/wwwlog/atp.meimeida-access.log main;
error_log /data/wwwlog/atp.meimeida-error.log;

location / {
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php?s=/$1 last;
break;
}

index index.php index.html error/index.html;
error_page 400 /error/400.html;
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 500 /error/500.html;
error_page 501 /error/501.html;
error_page 502 /error/502.html;
error_page 503 /error/503.html;
error_page 504 /error/504.html;
error_page 505 /error/505.html;
error_page 506 /error/506.html;
error_page 507 /error/507.html;
error_page 509 /error/509.html;
error_page 510 /error/510.html;
autoindex off;
}

location ~ \.php(.*)$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include fastcgi_params;
}

3.生成证书

[root@localhost conf.d]certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): lixinupss@126.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): atp.meimeida.one
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bbs.wzlinux.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://atp.meimeida.one
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=atp.meimeida.one
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/atp.meimeida.one/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/atp.meimeida.one/privkey.pem
Your cert will expire on 2019-07-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

按照提示输入自己的信息即可

如果希望自己手动部署nginx证书可以使用下面的命令

certbot --nginx certonly

4.配置证书

执行 certbot --nginx后会自动在我们nginx的配置文件中添加一些内容

server {
server_name atp.meimeida.one;
root /data/wwwroot/atp ;

access_log /data/wwwlog/atp.meimeida-access.log main;
error_log /data/wwwlog/atp.meimeida-error.log;

location / {
           if (!-e $request_filename) {
               rewrite ^(.*)$ /index.php?s=/$1 last;
               break;
           }

index index.php index.html error/index.html;
error_page 400 /error/400.html;
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 500 /error/500.html;
error_page 501 /error/501.html;
error_page 502 /error/502.html;
error_page 503 /error/503.html;
error_page 504 /error/504.html;
error_page 505 /error/505.html;
error_page 506 /error/506.html;
error_page 507 /error/507.html;
error_page 509 /error/509.html;
error_page 510 /error/510.html;
autoindex off;
}

location ~ \.php(.*)$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include fastcgi_params;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/atp.meimeida.one/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/atp.meimeida.one/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = atp.meimeida.one) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name atp.meimeida.one;
listen 80;
return 404; # managed by Certbot
红色的就是执行certbot --nginx 添加进去的内容

5.证书更新

出于安全策略， Let’s Encrypt 签发的证书有效期只有 90 天，所以需要每隔三个月就要更新一次安全证书，虽然有点麻烦，但是为了网络安全，这是值得的也是应该的。好在 Certbot 也提供了很方便的更新方法。

测试一下更新，这一步没有在真的更新，只是在调用 Certbot 进行测试。

certbot renew --dry-run

无论证书是否过期，强制更新

certbot renew --force-renewal

添加一个定时任务，让服务器定时请求进行更新

0 05 L */2 * /usr/bin/certbot renew --force-renewal

Nginx自动化部署Let‘s Encrypt证书并续期相关推荐

nginx自动化部署脚本
使用方法: 将nginx的源码包解压到本地目录,然后将这个脚本拷贝到解压出来的nginx目录中执行执行方式: sh nginx_install.sh $1 $2 $1为安装目录,$2为n ...
jenkins+gitee+nginx自动化部署（ssh，gitee勾子）
一.jenkins配置里面命令shell npm install npm run build ls -al tar -zcvf dist.tar ./dist gitee里面的配置
利用Certbot工具快速给网站部署Let's Encrypt免费SSL证书
使用https证书的话,强制使用域名很多商家也都提供免费证书,比如腾讯云提供免费一年GeoTrust DV SSL证书.Let's Encrypt永久免费但需要90天激活一次续约,当然如果要购买证书 ...
运维(1) Jenkinsfile+Dockerfile+Nginx实现前端Vue自动化部署
一.前言本文将基于以下环境通过Dockerfile+Jenkinsfile+Nginx 以jenkins流水线的方式实现前端Vue自动化部署 Docker version 1.13.1, build ...
基于docker jenkins nginx gitee实现前端自动化部署
部署对比手动部署平时我们在上线一个新项目的时候,可能需要先执行打包指令,然后登录服务器,将dist包丢到服务器nginx/html的文件下,看似很简单,但是当项目频繁迭代,一直重复性的操作也是很浪 ...
Nginx服务器部署SSL证书
http://jingyan.baidu.com/article/154b463178eac928ca8f41a9.html SSL证书也称为服务器证书,是遵守全球统一的严格身份认证的SSL协议的一种 ...
手把手教你配置：Jenkins+Github+Webhook +Nginx自动化打包部署Vue项目
前面的话为了前端项目的工程化,减少项目发布环境的部署,实现自动化打包部署. 传统的做法,在服务器初始一个 git 仓库,然后每次代码更新后,手动去拉取,次数多了也就烦了,而自动化打包部署每次只需在项 ...
centos+jenkins+nginx+gitlab前端自动化部署全记录
0. 前言我们在开发一个新的项目时,总是需要将前端部署到测试服务器上,给测试或者产品访问.简单的来说,如果想部署前端到服务器,服务器需要提供一个服务来访问前端.如果我们在开发中没有涉及Node.js ...
docker-compose创建nginx并部署ssl证书，阿里云ssl证书
阿里云有免费证书,地址:数字证书管理服务管理控制台 - 概览 (aliyun.com) 免费证书好像要达到什么条件才有,一般域名多肯定有的. 官方基于nginx的教程:在Nginx或Tengine服务 ...

Nginx自动化部署Let‘s Encrypt证书并续期

Nginx自动化部署Let‘s Encrypt证书并续期相关推荐

最新文章

热门文章