- Introduction
Official site: https://letsencrypt.org/
Let's Encrypt is a certificate authority launched in the third quarter of 2015. Its goal is to remove the manual work of creating and installing certificates through an automated process, to make encrypted connections to web servers ubiquitous, and to provide free Transport Layer Security (TLS) certificates for secure websites.
How Let's Encrypt works
- Deployment
For a VPS hosting a single domain, obtaining a certificate is straightforward; for a VPS hosting multiple domains, follow the steps below. This post continues the earlier one on installing LNMP from source on CentOS 8 Stream.
1) Prerequisites
yum install epel-release
yum install certbot -y
2) Generate the DH parameters
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
3) Create the certbot read/write directory
mkdir -p /var/lib/letsencrypt/.well-known
chgrp nginx /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
4) Add the required configuration
mkdir /usr/local/nginx/snippets
nano /usr/local/nginx/snippets/letsencrypt.conf
Add the following:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
nano /usr/local/nginx/snippets/ssl.conf
Add the following:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
# the cipher list was cut off at this point in the original listing (nano's "$" end-of-line marker)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
5) Reference the snippets from the nginx vhost
nano /etc/nginx/conf.d/wp.soda101.xyz.conf
Add the following:
server {
    listen 80;
    server_name wp.soda101.xyz;
    index index.html index.php;
    root /usr/local/nginx/wordpress/;
    location ~ \.php$ {
        # root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/wordpress/$fastcgi_script_name;
        include fastcgi_params;
    }
    include /usr/local/nginx/snippets/letsencrypt.conf;
}
Restart nginx to check the configuration
systemctl restart nginx
6) Obtain the certificate
certbot certonly --webroot -w /var/lib/letsencrypt/ -d wp.soda101.xyz
Certificate directory
cd /etc/letsencrypt/live/wp.soda101.xyz
List all certificates
certbot certificates
7) Using the certificate
nano /etc/nginx/conf.d/wp.soda101.xyz.conf
Change it to the following:
server {
    listen 80;
    listen 443 ssl;
    server_name wp.soda101.xyz;
    index index.html index.php;
    root /usr/local/nginx/wordpress/;
    ssl_certificate /etc/letsencrypt/live/wp.soda101.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wp.soda101.xyz/privkey.pem;
    if ($server_port !~ 443) {
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/nginx/wordpress/$fastcgi_script_name;
        include fastcgi_params;
    }
    include /usr/local/nginx/snippets/letsencrypt.conf;
    include /usr/local/nginx/snippets/ssl.conf;
    include /etc/nginx/default.d/*.conf;
}
Reload nginx
systemctl reload nginx
8) Result
Open the site in a browser to test.
9) Certificate renewal
certbot renew            # renew the certificates
certbot renew --dry-run  # if renewal is not yet due, run a test renewal to check the setup
Scheduled renewal
systemctl status crond.service
systemctl enable crond.service
crontab -u root -e
This opens the vim editor: press i to insert, Esc to leave insert mode, and :wq! to save and quit. Insert the following:
00 1 13 * * /usr/bin/certbot renew --quiet
Meaning: renew at 01:00 on the 13th of every month.
List the scheduled tasks:
crontab -l
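Once the cron job is in place, what matters is the certificate nginx is actually serving: `certbot renew` can succeed while the old certificate stays loaded until the next reload. The script below is an added check, not part of the original post or of certbot. It performs a verified TLS handshake with each vhost and reports the days left on the served certificate; the post's domain is the default host, and the 30-day threshold is an assumption chosen to match certbot's own renewal window.

```python
"""Days left on each vhost's served certificate (added check, not from the post)."""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

# certbot renews when fewer than 30 days remain, so anything below that after
# the cron job has run means the renewal or the nginx reload failed (assumed threshold).
WARN_DAYS = 30

def days_remaining(not_after: str, now_ts: Optional[float] = None) -> float:
    """not_after is the 'notAfter' field from ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)  # epoch seconds; the string is UTC
    now_ts = time.time() if now_ts is None else now_ts
    return (expires - now_ts) / 86400

def classify(days: float, warn_days: int = WARN_DAYS) -> str:
    if days <= 0:
        return "EXPIRED"
    if days < warn_days:
        return "RENEW_SOON"
    return "OK"

def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[dict, str]:
    """Handshake with chain and hostname verification; returns (peer cert, TLS version)."""
    ctx = ssl.create_default_context()  # fails on an incomplete chain or a mismatched cert
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def check_hosts(hosts) -> int:
    """Returns 0 if all OK, 1 if any cert needs renewal, 2 if any handshake failed."""
    worst = 0
    for host in hosts:
        try:
            cert, proto = fetch_cert(host)
        except (ssl.SSLError, OSError) as err:
            print(f"{host}: TLS failure: {err}")
            worst = 2
            continue
        days = days_remaining(cert["notAfter"])
        state = classify(days)
        print(f"{host}: {state} ({days:.1f} days left, {proto})")
        if state != "OK":
            worst = max(worst, 1)
    return worst

if __name__ == "__main__":
    sys.exit(check_hosts(sys.argv[1:] or ["wp.soda101.xyz"]))
```

Run it as `python3 check_certs.py wp.soda101.xyz other.example` from the same cron, after the renewal job; a non-zero exit status is what to alert on.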
- Summary
1) Certificate location:
/etc/letsencrypt/live/wp.soda101.xyz/
2) Auxiliary nginx configuration locations
/usr/local/nginx/snippets/letsencrypt.conf
/usr/local/nginx/snippets/ssl.conf
3) Renew all certificates on the VPS
certbot renew
4) Renewing the certificates used by the vhosts
# /root/tsak1.sh
certbot renew
systemctl restart nginx
systemctl restart php-fpm
systemctl restart redis
- Additional notes
1) If some certificates were obtained by another method, then to keep the configuration on the same VPS consistent, re-obtain all certificates using the same method, and then test with
certbot renew --dry-run
which should then pass.
2) This method requires nginx to be running at all times; no special firewall handling is needed.