首页 > 其他分享> > 免费https/ssl通配证书(letsencrypt)安装

免费https/ssl通配证书(letsencrypt)安装

2019-05-22 09:50:00 作者：互联网

https://www.qikegu.com/uncategorized/2328

letsencrypt证书简介

https已经是网站标配，要启用HTTPS需要从证书颁发机构(CA)购买证书(一种文件类型)，便宜的有几百1年，贵的要几千甚至上万1年。

现在有了letsencrypt证书，就再也不必为证书花钱了。letsencrypt证书是开源免费的，使用letsencrypt证书只需要证明域名是你的就可以。

安装证书步骤

我们会在centos环境下安装证书，系统环境及要配置的域名：

系统：centos 7
域名：qikegu.com， *.qikegu.com

按以下步骤安装证书

安装letsencrypt证书管理Certbot
生成证书
NGINX配置证书

1. 安装letsencrypt证书管理Certbot

certbot是管理letsencrypt的开源工具：

安装：

# yum install certbot

2. 生成证书

执行命令：

 certbot certonly --preferred-challenges dns --manual -d "*.qikegu.com" -d "qikegu.com"  --server https://acme-v02.api.letsencrypt.org/directory

注意：这里指定了2个域名：*.qikegu.com， qikegu.com，前者通配域名并不包含后者，不包含后者访问qikegu.com会产生无效证书错误。

certonly - 表示安装模式，certbot可以有安装模式和验证模式
-d - 指定域名
--manual 手动安装
--preferred-challenges dns 使用dns方式证明域名所有权
-server - Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本，需要显示指定

过程很简单：

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for qikegu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qikegu.com with the following value:

kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qikegu.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qikegu.com/privkey.pem
   Your cert will expire on 2019-07-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

上面操作中，中间有个步骤要求为你的域名添加txt解析，这个步骤就是证明域名是你的。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qikegu.com with the following value:

kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

在域名商（阿里云，腾讯云）域名解析里，添加一条txt记录:

然后在命令行中，按回车键继续，验证通过生成证书。

3. NGINX配置证书

证书已经生成好了，需要配置nginx server，完整配置文件如下：

server {
        charset utf-8;
        client_max_body_size  200M;

        listen   80; ## listen for ipv4; this line is default and implied
        #listen   [::]:80 default ipv6only=on; ## listen for ipv6

        # 把xxx替换成你的域名

        # Make site accessible from server_name
        server_name xxx.com www.xxx.com;
        root /site/xxx;
        index index.html index.htm index.php;

        access_log /var/log/nginx/xxx/access.log;
        error_log /var/log/nginx/xxx/error.log;

        return 301 https://$server_name$request_uri; #redirect http to https

        location / {
                # First attempt to serve request as file, then
                try_files $uri $uri/ /index.php$is_args$args;
        }

        # deny accessing php files for the /assets directory
        location ~ ^/assets/.*\.php$ {
                deny all;
        }

        location ~ \.php$ {
                try_files $uri =404;

                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass php:9000;
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
        }

        location ~* /\. {
                deny all;
        }
}

# https server
server {
        charset utf-8;
        client_max_body_size  200M;

        listen 443 ssl;
        #listen   [::]:80 default ipv6only=on; ## listen for ipv6

        ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;

        ssl_session_timeout 5m;

        # 把xxx替换成你的域名

        # Make site accessible from server_name
        server_name xxx.com www.xxx.com;
        root /site/xxx;
        index index.html index.htm index.php;

        access_log /var/log/nginx/xxx/access.log;
        error_log /var/log/nginx/xxx/error.log;
        location / {
                # First attempt to serve request as file, then
                try_files $uri $uri/ /index.php$is_args$args;
        }

        # deny accessing php files for the /assets directory
        location ~ ^/assets/.*\.php$ {
                deny all;
        }

        location ~ \.php$ {
                try_files $uri =404;

                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass php:9000;
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_param HTTPS on;
        }

        location ~* /\. {
                deny all;
        }
}

标签：通配,log,证书,xxx,ssl,letsencrypt,qikegu,com
来源： https://www.cnblogs.com/jinbuqi/p/10903981.html