CentOS: Configuring Let's Encrypt

2019/01/15

I have been busy with other things for a while and have not updated the blog in a long time. I previously wrote about the ICP filing process for my domain and the pitfalls I ran into, but to actually put the domain to use, a certificate still has to be configured. Since Let's Encrypt is free, I tinkered with it and wrote down the whole process so I don't forget it later.

I. Preparing acme.sh

1. Create the folder ~/.acme.sh

[root@host ~]# cd
[root@host ~]# mkdir .acme.sh 

2. Change into the directory and run the install command

[root@host ~]# cd .acme.sh/
[root@host .acme.sh]# curl  https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   705  100   705    0     0   1891      0 --:--:-- --:--:-- --:--:-- 10217
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  166k  100  166k    0     0  1176k      0 --:--:-- --:--:-- --:--:-- 2451k
[Tue Dec 25 01:24:50 EST 2018] Installing from online archive.
[Tue Dec 25 01:24:50 EST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Tue Dec 25 01:24:51 EST 2018] Extracting master.tar.gz
[Tue Dec 25 01:24:51 EST 2018] It is recommended to install socat first.
[Tue Dec 25 01:24:51 EST 2018] We use socat for standalone server if you use standalone mode.
[Tue Dec 25 01:24:51 EST 2018] If you don't use standalone mode, just ignore this warning.
[Tue Dec 25 01:24:51 EST 2018] Installing to /root/.acme.sh
[Tue Dec 25 01:24:51 EST 2018] Installed to /root/.acme.sh/acme.sh
[Tue Dec 25 01:24:51 EST 2018] Installing alias to '/root/.bashrc'
[Tue Dec 25 01:24:51 EST 2018] OK, Close and reopen your terminal to start using acme.sh
[Tue Dec 25 01:24:51 EST 2018] Installing alias to '/root/.cshrc'
[Tue Dec 25 01:24:51 EST 2018] Installing alias to '/root/.tcshrc'
[Tue Dec 25 01:24:51 EST 2018] Installing cron job
15 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Dec 25 01:24:51 EST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Dec 25 01:24:51 EST 2018] OK
[Tue Dec 25 01:24:51 EST 2018] Install success!

3. Set an alias for convenience

[root@host .acme.sh]# alias acme.sh=~/.acme.sh/acme.sh

II. Preparing the nginx environment

1) Configure the nginx yum repository by creating the file /etc/yum.repos.d/nginx.repo:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
# 0 = yum does not verify package signatures for this repo
gpgcheck=0
enabled=1

2) Install nginx

yum -y install nginx

3) Verify that the installation worked

[root@host .acme.sh]# nginx -v
nginx version: nginx/1.14.2

4) Configure DNS resolution for the domain (in this example, at the author's cloud provider's DNS console).

5) Add the nginx configuration by creating /etc/nginx/conf.d/yourdomain.conf:

upstream gitlab {
  server                    127.0.0.1:9090; # address of the real backend service
}

server {
    listen 80;
    server_name yourdomain.com; # your domain
    # return 301 https://yourdomain.com$request_uri; # keep the redirect disabled until the certificate has been issued
    # used together with acme.sh for the ACME http-01 challenge (website verification)
    location /.well-known/ {
        root /data/server/yourdomain/public;
    }
}

server {
  listen                    443 ssl;
  server_name               yourdomain.com; # your domain
  ssl_certificate           /data/server/yourdomain/public/ssl/yourdomain.com.key.pem; # generated full-chain certificate file
  ssl_certificate_key       /data/server/yourdomain/public/ssl/yourdomain.com.key;     # generated private key file
  ssl_dhparam               /data/server/yourdomain/public/ssl/dhparam.pem;            # generated DH parameters file
  server_tokens             off;
  root                      /dev/null;

  # used together with acme.sh for the ACME http-01 challenge (website verification)
  location /.well-known/ {
    root /data/server/yourdomain/public;
  }

  location ~* \.(txt)$ {
    root /data/server/yourdomain/public/;
  }

  location / {
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        Host              $http_host;
    proxy_set_header        X-Real-IP         $remote_addr;
    proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
    # X-Frame-Options is a response header for the browser, so it is set with
    # add_header; proxy_set_header would only add a request header toward the backend
    add_header              X-Frame-Options   SAMEORIGIN;
    proxy_pass              http://127.0.0.1:9090/; # address of the real backend service
  }
}

III. Issuing the certificate

1) Issue the certificate

[root@host ~]# acme.sh --issue  -d yourdomain.com   --nginx
[Tue Dec 25 01:59:41 EST 2018] Single domain='yourdomain.com'
[Tue Dec 25 01:59:41 EST 2018] Getting domain auth token for each domain
[Tue Dec 25 01:59:41 EST 2018] Getting webroot for domain='yourdomain.com'
[Tue Dec 25 01:59:41 EST 2018] Getting new-authz for domain='yourdomain.com'
[Tue Dec 25 01:59:42 EST 2018] The new-authz request is ok.
[Tue Dec 25 01:59:42 EST 2018] Verifying:yourdomain.com
[Tue Dec 25 01:59:42 EST 2018] Nginx mode for domain:yourdomain.com
[Tue Dec 25 01:59:42 EST 2018] Found conf file: /etc/nginx/conf.d/yourdomain.conf
[Tue Dec 25 01:59:42 EST 2018] Backup /etc/nginx/conf.d/yourdomain.conf to /root/.acme.sh/yourdomain.com/backup/yourdomain.com.nginx.conf
[Tue Dec 25 01:59:42 EST 2018] Check the nginx conf before setting up.
[Tue Dec 25 01:59:42 EST 2018] OK, Set up nginx config file
[Tue Dec 25 01:59:42 EST 2018] nginx conf is done, let's check it again.
[Tue Dec 25 01:59:42 EST 2018] Reload nginx
[Tue Dec 25 01:59:46 EST 2018] Success
[Tue Dec 25 01:59:46 EST 2018] Restoring from /root/.acme.sh/yourdomain.com/backup/yourdomain.com.nginx.conf to /etc/nginx/conf.d/yourdomain.conf
[Tue Dec 25 01:59:46 EST 2018] Reload nginx
[Tue Dec 25 01:59:46 EST 2018] Verify finished, start to sign.
[Tue Dec 25 01:59:47 EST 2018] Cert success.
[Tue Dec 25 01:59:47 EST 2018] Your cert is in  /root/.acme.sh/yourdomain.com/yourdomain.com.cer 
[Tue Dec 25 01:59:47 EST 2018] Your cert key is in  /root/.acme.sh/yourdomain.com/yourdomain.com.key 
[Tue Dec 25 01:59:47 EST 2018] The intermediate CA cert is in  /root/.acme.sh/yourdomain.com/ca.cer 
[Tue Dec 25 01:59:47 EST 2018] And the full chain certs is there:  /root/.acme.sh/yourdomain.com/fullchain.cer

2) Copy (install) the certificate

[root@host ssl]# acme.sh --installcert -d yourdomain.com \
>                --keypath       /data/server/yourdomain/public/ssl/yourdomain.com.key  \
>                --fullchainpath /data/server/yourdomain/public/ssl/yourdomain.com.key.pem \
>                --reloadcmd     "sudo nginx -s reload"
[Tue Dec 25 02:09:25 EST 2018] Installing key to:/data/server/yourdomain/public/ssl/yourdomain.com.key
[Tue Dec 25 02:09:25 EST 2018] Installing full chain to:/data/server/yourdomain/public/ssl/yourdomain.com.key.pem
[Tue Dec 25 02:09:25 EST 2018] Run reload cmd: sudo nginx -s reload
[Tue Dec 25 02:09:25 EST 2018] Reload success

Before this step, make sure the directory /data/server/yourdomain/public/ssl has already been created.

3) Generate dhparam.pem

[root@host ssl]# openssl dhparam -out /data/server/yourdomain/public/ssl/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........+.............+....................+..+....................................................................................................................................................................................+..........................................................

This takes a while.

4) Restore /etc/nginx/conf.d/yourdomain.conf and uncomment the following line

return 301 https://yourdomain.com$request_uri;

5) Verify

Visit yourdomain.com to verify that the configuration works.
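As an added post-install check (example code, not from the original post): a POSIX shell script that verifies the files written by acme.sh --installcert above are a matching key/certificate pair, are for the right domain, are not close to expiry, and that the private key is not readable by other users. It assumes this post's paths (overridable via SSL_DIR, CERT, KEY, DOMAIN), the openssl CLI and GNU date as found on CentOS; check_renew_cron is a hypothetical helper that looks for the cron line the acme.sh installer printed.

```shell
#!/bin/sh
# Post-install check for what acme.sh --installcert wrote (added example; paths
# follow this post, override them via SSL_DIR/CERT/KEY/DOMAIN in the environment).
SSL_DIR="${SSL_DIR:-/data/server/yourdomain/public/ssl}"
CERT="${CERT:-$SSL_DIR/yourdomain.com.key.pem}"   # full chain (this post's naming)
KEY="${KEY:-$SSL_DIR/yourdomain.com.key}"          # private key
DOMAIN="${DOMAIN:-yourdomain.com}"

# 1. Does the private key belong to the leaf certificate? Compare the public keys
#    derived from each; on a mismatch nginx refuses to start its ssl listener.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# 2. Days until the leaf certificate expires. acme.sh renews at 60 days, so with
#    a 90-day Let's Encrypt cert a healthy install never drops below about 30.
#    (Assumes GNU date, as on CentOS.)
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# 3. The certificate must actually be for the domain (subject CN or a SAN entry).
cert_has_name() {
    openssl x509 -in "$1" -noout -text | grep -Eq "(CN ?= ?|DNS:)$2([,/ ]|$)"
}

# 4. The private key must not be group- or world-readable (mode ends in 00).
key_perms_ok() {
    case "$(stat -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# 5. The renewal cron line printed by the acme.sh installer should be present.
check_renew_cron() {
    crontab -l 2>/dev/null | grep -q 'acme.sh --cron'
}

run_checks() {
    cert_key_match "$CERT" "$KEY"   && echo "OK   key matches certificate" || echo "FAIL key/cert mismatch"
    cert_has_name "$CERT" "$DOMAIN" && echo "OK   certificate is for $DOMAIN" || echo "FAIL wrong name"
    d=$(cert_days_left "$CERT");      echo "INFO $d days until expiry"
    key_perms_ok "$KEY"             && echo "OK   key permissions" || echo "FAIL key readable by others"
    check_renew_cron                && echo "OK   renewal cron present" || echo "FAIL no acme.sh cron job"
}

# Run the checks only when invoked as: sh check_cert.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```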

IV. Automatic certificate renewal

At present acme.sh renews the certificate automatically after 60 days (through the cron job the installer added in step I.2), so you do not need to do anything. This interval may be shortened in the future, but it will still be automatic, so there is nothing to worry about.

(Please credit the author and source, mylater, when reproducing articles from this site.)
