[Nginx] Using certbot to install a free HTTPS certificate so that Nginx supports HTTPS requests

certbot official site: https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

I. Installation steps

1) Install certbot by running:

sudo yum install certbot python2-certbot-nginx

2) Check that the installation succeeded by running:

certbot --help
[[email protected] ~]#  certbot --help
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 561, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2649, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2303, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2309, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 17, in <module>
    from certbot import account
  File "/usr/lib/python2.7/site-packages/certbot/account.py", line 17, in <module>
    from acme import messages
  File "/usr/lib/python2.7/site-packages/acme/messages.py", line 11, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 12, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
    raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'

3) Fix the missing requests.packages.urllib3 module shown above by running:

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

4) Install the certificate by running:

sudo certbot --nginx

For example:

[[email protected] ~]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

The message above shows that certbot could not find nginx, so

nginx has to be made available on the PATH. Create symlinks for nginx:

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx

Run the command again and it works:

sudo certbot --nginx   # install the certificate

5) Then follow the prompts step by step to complete the configuration.

For example:

[[email protected] sbin]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 756623607@qq.com   // 1) set the email address used for security notices
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a    // 2) agree to the terms of service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n    // 3) do not share your email address

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: admin.talkilla.jiushiyaokuaile.cn
2: consultant.talkilla.jiushiyaokuaile.cn
3: student.talkilla.jiushiyaokuaile.cn
4: teacher.talkilla.jiushiyaokuaile.cn
5: wechat.talkilla.jiushiyaokuaile.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2 3 4 5  // 4) select the domains to enable HTTPS for
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.talkilla.jiushiyaokuaile.cn
http-01 challenge for consultant.talkilla.jiushiyaokuaile.cn
http-01 challenge for student.talkilla.jiushiyaokuaile.cn
http-01 challenge for teacher.talkilla.jiushiyaokuaile.cn
http-01 challenge for wechat.talkilla.jiushiyaokuaile.cn
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf
Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2  // 5) choose whether HTTP is automatically redirected to HTTPS: 1 = no, 2 = yes
Redirecting all traffic on port 80 to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf
Redirecting all traffic on port 80 to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf
Redirecting all traffic on port 80 to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf
Redirecting all traffic on port 80 to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf
Redirecting all traffic on port 80 to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://admin.talkilla.jiushiyaokuaile.cn,
https://consultant.talkilla.jiushiyaokuaile.cn,
https://student.talkilla.jiushiyaokuaile.cn,
https://teacher.talkilla.jiushiyaokuaile.cn, and
https://wechat.talkilla.jiushiyaokuaile.cn

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn
https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem
   Your cert will expire on 2020-01-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

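6) Configure automatic certificate renewal

When the certificate expires it has to be renewed, which we can do with the certbot renew command.

Use Crontab to write a scheduled job that periodically forces a renewal of this certificate and then restarts Nginx:

Crontab is edited with the crontab -e command and viewed with crontab -l.

That completes the SSL certificate renewal setup.

Using the crontab -e command, add: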

0 0 1 * * certbot renew
5 0 1 * * service nginx restart
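
The timing of the monthly schedule above, replayed against the expiry date printed in the certbot output (2020-01-06). This is an added example, not part of the original post; it assumes certbot's default 30-day renewal window, and the daily schedule and the function names are hypothetical.

```python
from datetime import date, timedelta

# Assumption: certbot's default renewal window (renew_before_expiry = 30 days).
RENEW_WINDOW = timedelta(days=30)
# Expiry date taken from the certbot output on this page.
EXPIRY = date(2020, 1, 6)
# Let's Encrypt certificates of that period were valid for 90 days.
ISSUED = EXPIRY - timedelta(days=90)


def monthly_runs(start, end):
    """Dates matched by the page's crontab entry `0 0 1 * *`."""
    d = date(start.year, start.month, 1)
    while d <= end:
        if d >= start:
            yield d
        d = date(d.year + d.month // 12, d.month % 12 + 1, 1)


def daily_runs(start, end):
    """Dates matched by a daily entry such as `0 0 * * *` (hypothetical alternative)."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def first_renewal(expiry, runs, failed=()):
    """Replay `certbot renew` runs and return (date, days_left) of the first renewal.

    A run is a no-op while more than RENEW_WINDOW remains; dates in `failed`
    model runs that error out. A negative days_left means the site already
    served an expired certificate for that many days.
    """
    for run in runs:
        if expiry - run > RENEW_WINDOW or run in failed:
            continue
        return run, (expiry - run).days
    return None


if __name__ == "__main__":
    end = ISSUED + timedelta(days=180)
    print("monthly:", first_renewal(EXPIRY, monthly_runs(ISSUED, end)))
    print("monthly, 1 Jan run fails:", first_renewal(
        EXPIRY, monthly_runs(ISSUED, end), failed={date(2020, 1, 1)}))
    print("daily:", first_renewal(EXPIRY, daily_runs(ISSUED, end)))
```

With the page's schedule the only run that actually renews is the one on 1 January, five days before expiry, so a single failed run leaves an expired certificate in place until 1 February. A daily run renews as soon as the 30-day window opens and retries the next day if it fails.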

Original article: https://www.cnblogs.com/756623607-zhang/p/11638506.html

Time: 2024-11-05 15:47:15
