cd /root
1. Download the letsencrypt configuration file and the script
Download the script files:
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
Make the script executable (mode 755):
chmod +x letsencrypt.sh
2. Edit the letsencrypt.conf file
vi letsencrypt.conf
# only modify the values, key files will be generated automatically.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="javaer.com.key"
DOMAIN_DIR="/www/javaer"
DOMAINS="DNS:java-er.com"
#ECC=TRUE
#LIGHTTPD=TRUE
:wq! to save
3. Run the script to generate the required key files
./letsencrypt.sh letsencrypt.conf
Generate account key...
Generating RSA private key, 4096 bit long modulus
................++
.......................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
................................................................+++
.......................+++
e is 65537 (0x10001)
Generate CSR...java-er.csr
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying java-er.com...
java-er.com verified!
Signing certificate...
Certificate signed!
New cert: javaer.chained.crt has been generated // seeing this line means the certificate was obtained successfully
List of generated files:
-rw-r--r-- 1 root root 1675 Sep 26 15:14 intermediate.pem
-rw-r--r-- 1 root root 3243 Sep 26 11:55 javaer-account.key
-rw-r--r-- 1 root root 3432 Sep 26 12:03 java-er.chained.crt
-rw-r--r-- 1 root root 1679 Sep 26 11:55 java-er.com.key
-rw-r--r-- 1 root root 1785 Sep 26 12:03 java-er.crt
-rw-r--r-- 1 root root 920 Sep 26 12:03 java-er.csr
-rw-r--r-- 1 root root 216 Sep 26 12:03 letsencrypt.conf
-rwxr-xr-x 1 root root 2170 Sep 26 11:53 letsencrypt.sh
-rw-r--r-- 1 root root 1647 Nov 17 2016 lets-encrypt-x3-cross-signed.pem
Assemble the full certificate chain
Run on the command line:
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat /root/java-er.crt intermediate.pem > /root/fullchain.pem
and reference the result in the Apache configuration with:
SSLCertificateChainFile "/root/fullchain.pem"
This yields a new file:
-rw-r--r-- 1 root root 3322 Sep 26 15:16 fullchain.pem
4. Configure the server. Below is the LAMPP configuration on Linux CentOS 6.4.
cd /opt/lampp/etc/extra
vi http-vhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot /www/javaer.com
    ServerName java-er.com
    ErrorLog logs/javaer.com-error_log
    CustomLog logs/javaer.com-access_log common
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>
Port 80 stays reachable, but the three Rewrite lines at the end do one redirect: every plain http request is forced over to https.
Another option is to write your own .htaccess:
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.* https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
Here is the actual https configuration:
<VirtualHost *:443>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot /www/javaer.com
    ServerName java-er.com
    SSLEngine on
    SSLCertificateFile "/root/java-er.crt"
    SSLCertificateKeyFile "/root/java-er.com.key"
    SSLCertificateChainFile "/root/fullchain.pem"
    ErrorLog logs/javaer.com-error_log
    CustomLog logs/javaer.com-access_log common
</VirtualHost>
Without the SSLCertificateChainFile "/root/fullchain.pem" line, Chrome and Firefox looked fine (green lock in both), but the browser on a Xiaomi phone warned that the certificate came from an untrusted authority. Once that line was added everything was fine.
nginx configuration:
server {
    listen 443;
    ssl on;
    ssl_certificate /root/java.chained.crt;
    ssl_certificate_key /root/java-er.com.key;
    server_name java-er.com;
    index index.html index.htm index.php;
    root /www/javaer.com;
    ... (rest omitted) ...
}
server {
    listen 80;
    rewrite ^(.*) https://java-er.com$1 permanent;   # force port 80 over to 443
}
5. Check your website
6. Automatic renewal
Certificates from this free CA expire after 3 months.
Put the following line in the system crontab so the script runs once a month and renews the certificate automatically:
0 0 1 * * /root/letsencrypt.sh /root/letsencrypt.conf >> /root/log/lets-encrypt.log 2>&1
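Two steps above can go wrong without anyone noticing: the wget for intermediate.pem may save an error page or an empty file, so the cat in "Assemble the full certificate chain" produces a broken fullchain.pem, and a renewal that fails under cron only leaves a line in a log nobody reads until the certificate has expired. The renew.sh below is an added example (not part of xdtianyu's scripts or of this post) that wraps the crontab step together with the chain-assembly step: it runs the renewal, rebuilds the chain only when both inputs really are PEM certificates, tightens the key permissions, and reloads the server. The file names from this post are assumed, and "/opt/lampp/lampp reloadapache" is an assumed reload command for LAMPP; an nginx setup would pass "nginx -s reload" instead.

```shell
#!/bin/sh
# renew.sh: cron wrapper around the letsencrypt.sh renewal (added example,
# not part of xdtianyu's scripts). Assumptions: the file names from the post
# (/root/java-er.crt, intermediate.pem, fullchain.pem, java-er.com.key) and
# "/opt/lampp/lampp reloadapache" as the reload command; adjust to taste.
#
# Crontab entry (00:00 on the 1st of every month). "2>&1" is written without
# spaces, and /root/log must exist beforehand (mkdir -p /root/log):
#   0 0 1 * * /root/renew.sh run >> /root/log/lets-encrypt.log 2>&1
set -u

stamp() { date '+%Y-%m-%d %H:%M:%S'; }

# Number of PEM certificate blocks in a file: 0 for a missing or non-PEM file
# (for example an HTML 404 page that a failed wget saved under the name).
pem_cert_count() {
    if [ ! -f "$1" ]; then echo 0; return 0; fi
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_fullchain LEAF INTERMEDIATE OUT
# Writes leaf first, then the intermediate(s), which is the order TLS clients
# expect, and refuses to touch OUT when either input is not a PEM certificate.
build_fullchain() {
    leaf=$1; inter=$2; out=$3
    if [ "$(pem_cert_count "$leaf")" -ne 1 ]; then
        echo "$(stamp) ERROR: $leaf does not hold exactly one certificate" >&2
        return 1
    fi
    if [ "$(pem_cert_count "$inter")" -lt 1 ]; then
        echo "$(stamp) ERROR: $inter is not a PEM certificate (download failed?)" >&2
        return 1
    fi
    # Write to a temp file and rename, so a half-written chain is never served.
    cat "$leaf" "$inter" > "$out.tmp" && mv "$out.tmp" "$out"
}

# renew SCRIPT CONF WORKDIR RELOAD_CMD
# Runs the renewal, rebuilds the chain, tightens key permissions and reloads
# the web server. Stops at the first failed step with a non-zero exit, so the
# log (or cron mail) shows the problem instead of a silently expired cert.
renew() {
    script=$1; conf=$2; dir=$3; reload=$4
    echo "$(stamp) renewal start"
    rc=0
    "$script" "$conf" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$(stamp) renewal FAILED: $script exited $rc" >&2
        return "$rc"
    fi
    build_fullchain "$dir/java-er.crt" "$dir/intermediate.pem" "$dir/fullchain.pem" || return 1
    # The listing in the post shows the private key as 644 (world-readable);
    # only root, which starts Apache/nginx, needs to read it.
    if [ -f "$dir/java-er.com.key" ]; then chmod 600 "$dir/java-er.com.key"; fi
    if ! $reload; then
        echo "$(stamp) reload FAILED: $reload" >&2
        return 1
    fi
    echo "$(stamp) renewal OK, chain holds $(pem_cert_count "$dir/fullchain.pem") certificates"
}

# Only act when invoked as "renew.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    renew /root/letsencrypt.sh /root/letsencrypt.conf /root "/opt/lampp/lampp reloadapache"
fi
```

Make it executable and call it as /root/renew.sh run from the crontab line in the header comment. Where openssl is installed, openssl verify -untrusted intermediate.pem java-er.crt is the stronger check on the chain, because it confirms that the intermediate actually issued the leaf rather than only that both files are PEM.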
Additional points:
The site must not include any non-https resources, for example loading jQuery from sina at http://sina.com/jquery.js
or embedding the 51.la analytics script (because of this I had to give up 51.la). I hear Baidu's free analytics is served over https, so I will have to switch.
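A quick way to find such resources before they break the https version of the site, as an added example that is not part of this post: the shell function below lists the tags in an HTML file that load scripts, stylesheets, images, frames or media over plain http://, which browsers block or flag on an https page. The sample page it scans is constructed for the demonstration (the 51.la URL in it is a placeholder, not the real stats script).

```shell
#!/bin/sh
# find_mixed_content FILE...   (added example, not from the post)
# Prints every tag in the given HTML files that loads a sub-resource over
# plain http://; returns 1 if any were found, 0 if the pages are clean.
# Only tags that fetch something are checked: an <a href="http://..."> is
# navigation, not mixed content, and is deliberately left out.
find_mixed_content() {
    # ERE for grep -E; tags written across several lines are not caught.
    pattern="<(script|link|img|iframe|source|video|audio|embed|object)[^>]*[[:space:]](src|href)=[\"']http://[^\"']*"
    found=0
    for f in "$@"; do
        # -o prints only the offending tag fragment, -n the line number,
        # -i also matches <SCRIPT SRC=...>
        if grep -Eion "$pattern" "$f"; then
            found=1
        fi
    done
    return "$found"
}

# A constructed page (not a real site) containing the two mistakes the post
# describes: jQuery from sina and a stats script, both over http.
demo_page() {
    cat <<'EOF'
<html><head>
<link rel="stylesheet" href="https://java-er.com/style.css">
<script src="http://sina.com/jquery.js"></script>
<script type="text/javascript" src="http://51.la/EXAMPLE-stats.js"></script>
</head><body>
<img src="https://java-er.com/logo.png">
<a href="http://example.com/">external link</a>
</body></html>
EOF
}

# "sh mixed.sh demo" scans the constructed page: it lists the two http://
# script tags and leaves the https link, image and plain <a> link alone.
if [ "${1:-}" = "demo" ]; then
    page=$(mktemp)
    demo_page > "$page"
    find_mixed_content "$page"
    rm -f "$page"
fi
```

Point find_mixed_content at the files under /www/javaer.com to check a real site. It inspects static HTML only: URLs assembled by JavaScript and resources pulled in by an already loaded script are not seen, so the browser console on the https page remains the final check.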
When the certificate came up for renewal it stopped working: the renewal failed with the error below. It can be fixed as follows.
Traceback (most recent call last):
  File "/tmp/acme_tiny.py", line 2, in <module>
    import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
ImportError: No module named argparse
Either
1. yum install python-argparse
or
2. install python-argparse manually:
wget https://pypi.python.org/packages/source/a/argparse/argparse-1.4.0.tar.gz#md5=08062d2ceb6596fcbc5a7e725b53746f
tar -xzvf argparse-1.4.0.tar.gz
cd argparse-1.4.0
python setup.py install