
Configure a free Let's Encrypt SSL certificate in 5 simple steps

1. Download the letsencrypt configuration file and the script

cd /root

Download the script files:

wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh

Give the script execute (755) permissions:
chmod +x letsencrypt.sh

2. Edit the letsencrypt.conf file

vi letsencrypt.conf

# only modify the values, key files will be generated automatically.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="javaer.com.key"
DOMAIN_DIR="/www/javaer"
DOMAINS="DNS:java-er.com"
#ECC=TRUE
#LIGHTTPD=TRUE

Save and quit with :wq!

3. Run the script to generate the required key files

./letsencrypt.sh letsencrypt.conf

Generate account key...
Generating RSA private key, 4096 bit long modulus
................++
.......................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
................................................................+++
.......................+++
e is 65537 (0x10001)
Generate CSR...java-er.csr
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying java-er.com...
java-er.com verified!
Signing certificate...
Certificate signed!
New cert: javaer.chained.crt has been generated
(Seeing this last line means the certificate was obtained successfully.)

List of generated files:

-rw-r--r-- 1 root root 1675 Sep 26 15:14 intermediate.pem
-rw-r--r-- 1 root root 3243 Sep 26 11:55 javaer-account.key
-rw-r--r-- 1 root root 3432 Sep 26 12:03 java-er.chained.crt
-rw-r--r-- 1 root root 1679 Sep 26 11:55 java-er.com.key
-rw-r--r-- 1 root root 1785 Sep 26 12:03 java-er.crt
-rw-r--r-- 1 root root 920 Sep 26 12:03 java-er.csr
-rw-r--r-- 1 root root 216 Sep 26 12:03 letsencrypt.conf
-rwxr-xr-x 1 root root 2170 Sep 26 11:53 letsencrypt.sh
-rw-r--r-- 1 root root 1647 Nov 17 2016 lets-encrypt-x3-cross-signed.pem

Assemble the complete certificate chain
Run on the command line:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat /root/java-er.crt intermediate.pem > /root/fullchain.pem

The resulting file is what the Apache HTTPS vhost in step 4 references with SSLCertificateChainFile "/root/fullchain.pem".

This produces a new file:
-rw-r--r-- 1 root root 3322 Sep 26 15:16 fullchain.pem
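The bare cat above is easy to get subtly wrong: if java-er.crt has no trailing newline, the leaf's END marker and the intermediate's BEGIN marker end up glued on one line and the web server rejects the bundle, and servers expect the leaf certificate first. The helper below is an added example, not part of this post or of letsencrypt.sh; it builds fullchain.pem leaf-first and verifies the result, assuming POSIX sh, grep and awk, with the paths from this post.

```shell
#!/bin/sh
# Added helper (not from the original post or from letsencrypt.sh).
# Builds fullchain.pem as leaf + intermediate and checks the inputs,
# instead of a bare "cat" that can run the two PEM markers together
# when the leaf file lacks a trailing newline. Assumes POSIX sh, grep, awk.

# Number of PEM certificate blocks in a file ("0" if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Succeeds only if the file holds exactly one certificate with balanced markers.
is_single_cert() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -eq 1 ] && [ "$e" -eq 1 ]
}

# Print the first certificate block of a bundle (must be the leaf).
first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----$/ {exit}' "$1"
}

# build_fullchain LEAF INTERMEDIATE OUT
build_fullchain() {
    leaf=$1; inter=$2; out=$3
    is_single_cert "$leaf"  || { echo "not a single certificate: $leaf" >&2; return 1; }
    is_single_cert "$inter" || { echo "not a single certificate: $inter" >&2; return 1; }
    # awk '1' prints every record and terminates each with a newline,
    # so the two files can never join on one line.
    awk '1' "$leaf" "$inter" > "$out" || return 1
    # Sanity check: the bundle holds two certificates and the leaf comes first.
    [ "$(count_certs "$out")" -eq 2 ] || return 1
    [ "$(first_cert "$out")" = "$(cat "$leaf")" ]
}

# Stand-alone usage with the paths from this post:
# build_fullchain /root/java-er.crt /root/intermediate.pem /root/fullchain.pem
```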

4. Configure the server. The following is for lampp on CentOS 6.4 (Linux).

cd /opt/lampp/etc/extra
vi http-vhost.conf

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot /www/javaer.com
    ServerName java-er.com
    ErrorLog logs/javaer.com-error_log
    CustomLog logs/javaer.com-access_log common
    RewriteEngine on
    RewriteCond   %{HTTPS} !=on
    RewriteRule   ^(.*)  https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

Port 80 stays reachable, but we redirect it:

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]

This forces HTTP requests to redirect to HTTPS.

Another option is to write your own .htaccess:

    RewriteEngine on
    RewriteBase /
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.* https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

This is the actual HTTPS configuration:

<VirtualHost *:443>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot /www/javaer.com
    ServerName java-er.com
    SSLEngine on
    SSLCertificateFile "/root/java-er.crt"
    SSLCertificateKeyFile "/root/java-er.com.key"
    SSLCertificateChainFile "/root/fullchain.pem"
    ErrorLog logs/javaer.com-error_log
    CustomLog logs/javaer.com-access_log common
</VirtualHost>

SSLCertificateChainFile "/root/fullchain.pem": without this line, Chrome and Firefox displayed the site normally with a green lock, but the browser on a Xiaomi phone warned that the certificate came from an untrusted authority.

After adding it, all of them were fine.

nginx configuration

server {
    listen 443;
    ssl on;
    ssl_certificate /root/java.chained.crt;
    ssl_certificate_key /root/java-er.com.key;
    server_name java-er.com;
    index index.html index.htm index.php;
    root /www/javaer.com;
    # ... remaining directives omitted ...
}
server {
    listen 80;
    rewrite ^(.*) https://java-er.com$1 permanent;  # force port 80 to redirect to 443
}

5. Check your website

6. Automatic renewal
Certificates from this free CA expire after 3 months.

Put the following line in the system crontab so the script runs once a month and renews automatically:

0 0 1 * * /root/letsencrypt.sh /root/letsencrypt.conf >> /root/log/lets-encrypt.log 2>&1

Additional points:

The site must not include any non-HTTPS resource, for example jQuery loaded from sina at http://sina.com/jquery.js

I had included 51.la analytics (because of this I had to give up 51.la). I hear Baidu's free analytics is served over HTTPS, so I will have to switch to it.

When the certificate came due, renewal no longer worked; the update failed with the error below, which can be fixed as follows:

Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 2, in
import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
ImportError: No module named argparse

1. yum install python-argparse

2. Or install python-argparse manually:

wget https://pypi.python.org/packages/source/a/argparse/argparse-1.4.0.tar.gz#md5=08062d2ceb6596fcbc5a7e725b53746f
tar -xzvf argparse-1.4.0.tar.gz
cd argparse-1.4.0
python setup.py install


月小升 QQ 2651044202, technical discussion QQ group 178491360
Originally published at 月小升博客: https://java-er.com/blog/ssl-letsencrypt-free-5-setps/
Unless otherwise stated, articles are original work by 月小升; reposting is welcome, please cite this article's URL. Thank you.