Centos7.0安装 Lets encrypt 的SSL证书

本文链接：https://blog.csdn.net/yangshuai518/article/details/99951202

1.安装Certbot

执行命令   sudo yum install certbot

如果出现下面类似错误：

Running transaction
  Installing : python2-urllib3-1.16-1.el7.noarch                                                                                                                                           1/1
Error unpacking rpm package python2-urllib3-1.16-1.el7.noarch
error: unpacking of archive failed on file /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname: cpio: rename
  Verifying  : python2-urllib3-1.16-1.el7.noarch                                                                                                                                           1/1

Failed:
  python2-urllib3.noarch 0:1.16-1.el7

请执行下面命令

pip uninstall requests
pip uninstall urllib3
yum remove python-urllib3
yum remove python-requests
yum install python-urllib3
yum install python-requests

然后重新执行:  sudo yum install certbot

如果出现：

Installed:
  certbot.noarch 0:0.36.0-1.el7                                                                                                           

Dependency Installed:
  python-requests-toolbelt.noarch 0:0.8.0-1.el7       python2-acme.noarch 0:0.36.0-1.el7       python2-certbot.noarch 0:0.36.0-1.el7      
  python2-requests.noarch 0:2.6.0-0.el7

表示执行成功

2.有服务（例如nginx）占用了443端口，必须先停止

执行命令：certbot certonly --standalone -d www.xxx.com -m xxxx@xxx.com --agree-tos

-d  是你的域名 -m 后面是跟的是邮箱，建议填写真实邮箱。执行过程中要你输入Y or N? 一律输入y 然后回车。

等待一段时间会显示

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxxx.com/privkey.pem
   Your cert will expire on 2019-11-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

这样就生成成功了！

执行命令查看生成的密钥等：

ll /etc/letsencrypt/live/www.xxxx.com/

cert.pem -> ../../archive/www.xxxx.com/cert1.pem
chain.pem -> ../../archive/www.xxxx.com/chain1.pem
fullchain.pem -> ../../archive/www.xxxx.com/fullchain1.pem
privkey.pem -> ../../archive/www.xxxx.com/privkey1.pem

文件表示的意思：
cert.pem            服务端证书
chain.pem         浏览器需要的所有证书但不包括服务端证书，比如根证书和中间证书
fullchain.pem     包括了cert.pem和chain.pem的内容
privkey.pem       证书的私钥

请保存下来，以备不时之需。

如果需要生成其他的二级域名，重复生成就行了，www.xxxx.com需改成 m.xxxx.com

3.生成nginx需要的dhparam

执行命令：

mkdir /etc/nginx/websites

openssl dhparam -out /etc/nginx/websites/dhparam4096.pem 4096   

当然可以用2048，执行时间会短点，当然4096安全性高，websites可以自定义，自己方便就好。

4.创建SSL文件

cd  /etc/nginx/websites

vim www.xxxx.com.ssl

下面内容复制进去，自己适当修改红色部分，蓝色部分后面有解释。

ssl on;
ssl_certificate /etc/letsencrypt/live/www.xxxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.xxxx.com/privkey.pem;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/websites/dhparam4096.pem;
ssl_ciphers HIGH:!ADH:!MD5:!aNULL:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

复制上面代码的时间注意点，我复制的时间开头会掉一个s，变成 sl on;这样启动nginx的时间会报错。

5.配置nginx

 server {
        listen 80;
        server_name *.xxxx.com;
        rewrite ^ https://$server_name$request_uri;
    }

#PC网页端

server {
        listen 443 ssl;
        server_name www.xxxx.com;
        include /etc/nginx/websites/www.xxxx.com.ssl;

        location / { try_files $uri @web_app; }
        location @web_app {
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-Forwarded-Proto https;
              proxy_redirect off;
              proxy_pass http://127.0.0.1:8080; #PCtomcat端口
        }
  }

#移动端SSL
 server {
        listen 443 ssl;
        server_name m.xxxx.com;
        include /etc/nginx/websites/m.xxxx.com.ssl;

        location / { try_files $uri @m_app; }
        location @m_app {
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-Forwarded-Proto https;
              proxy_redirect off;
              proxy_pass http://127.0.0.1:8081;#移动端tomcat端口
        }
}

6.nginx启动

cd /etc/nginx

nginx

如果出现  [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead 这个警告

请将第4步中蓝色部分的 ssl on 这行注释掉：#ssl on;

OK，你的网站可以https://访问了！！！！！！！！！！！！！！！！！！！

7.删除证书操作

在某些情况下如果需要删除证书，

 certbot delete --cert-name www.xxxx.com

然后你需要从第3步重新开始。

8.更新证书

Let's Encrypt 证书只有 90 天有效期，而且如果更新证书，它只会更新30天内到期的证书。命令行：

/usr/bin/certbot renew --dry-run

 当然我们可以做一个定时任务，每隔2个月更新下证书，早上5点01分进行执行，红色部分根据centos版本不同可能有所不同

01 5 * */2 * /usr/bin/certbot renew --post-hook "service nginx restart" --quiet >> /usr/local/task/cerbottask.log

 --pre-hook 这个参数表示执行更新操作之前要做的事情

--post-hook 这个参数表示执行更新操作完成后要做的事情

然后启动定时任务

crontab certbot-auto-renew-cron

9.tomcat支持

由于本人使用的是spring boot带的tomcat，所有默认开启了ssl支持

如果你是自己单独使用的tomcat需要自己配置如下：

一、在 Connector 节点增加 proxyPort="443"

1. <Connector port="8080" protocol="HTTP/1.1"

2. connectionTimeout="20000"

3. redirectPort="8443" proxyPort="443" />

二、添加如下 Value 节点

1. <Valve className="org.apache.catalina.valves.RemoteIpValve"

2. remoteIpHeader="x-forwarded-for"

3. remoteIpProxiesHeader="x-forwarded-by"

4. protocolHeader="x-forwarded-proto" />