HTTPS实现及自动续期

HTTPS实现及自动续期

安装certbot

进入安装目录,如:/data1/server (根据实际情况输入)
git clone https://github.com/certbot/certbot

or

git clone https://gitee.com/junwu00/certbot.git

配置nginx

见下面的完整示例
注意首次配置时需要只开放80端口,完成证书申请后再配置443端口

申请证书

支持一次性申请多个域名(多个域名共用一份证书)

示例

/data1/server/certbot/letsencrypt-auto --no-self-upgrade certonly \
 --webroot -w /data1/webroot/gitlab/certbot/hostname.com \
 -d qy.xzdjjd.com \
 -d wx.xzdjjd.com \
 -d sp.xzdjjd.com \
 -d svc.xzdjjd.com
因 acmev2 问题,可以添加参数 --server https://acme-v02.api.letsencrypt.org/directory

成功后证书一般会位于该目录 /etc/letsencrypt/live/

更新nginx,强制走https

见下面完整示例
更新后重启nginx,并访问网址,检查https是否正常

自动续期

通过crontab添加定时更新任务

crontab -e

0 3 * * * /data1/tools/certbot/letsencrypt-auto renew --no-self-upgrade --post-hook "/data1/cron/certbot_renew.sh" > /dev/null 2>&1 &

其中certbot_renew.sh为更新证书后,重启nginx让证书生效的脚本,如:

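#!/bin/bash
# certbot --post-hook: reload nginx so a renewed certificate takes effect.
# The reload only happens when `nginx -t` passes; a failed test leaves the
# running nginx untouched and exits non-zero so certbot records the failure.
# NGINX_BIN may be overridden from the environment; the default is the path
# used in the rest of this document.
set -xeu
#source /etc/profile

nginx_bin="${NGINX_BIN:-/data1/server/nginx/1.15.7/bin/sbin/nginx}"

# Under `set -e` the form `nginx -t; if [ $? -eq 0 ]` never reaches the `if`
# when the test fails, so the test is placed directly in the condition.
if "$nginx_bin" -t; then
    # Configuration is valid: reload the workers so the new certificate is served.
    "$nginx_bin" -s reload
else
    printf '%s: nginx -t failed, not reloading\n' "${0##*/}" >&2
    exit 1
fi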

完整示例

加密算法(ssl_ciphers)根据实际情况配置,本示例中的算法对CPU消耗较高

 


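server {
    # `ssl on;` is deprecated since nginx 1.15.0; the `ssl` listen parameter replaces it.
    listen      443 ssl;
    ssl_certificate_key /etc/letsencrypt/live/svcs.private.3ruler.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/svcs.private.3ruler.com/fullchain.pem;

    # Cipher list: the triple-DES suites (*-DES-CBC3-SHA) were removed and `!3DES`
    # added, because `!DES` alone does not exclude 3DES (and `HIGH` may still
    # include it depending on the OpenSSL build). Adjust to the site's needs;
    # as noted above, these suites are comparatively CPU-heavy.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    # TLS 1.0 and 1.1 are deprecated and were dropped. TLSv1.3 only takes effect
    # when the OpenSSL build nginx links against supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout  30m;
    # OCSP stapling needs the resolver below to reach the CA's OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    resolver 119.29.29.29 114.114.114.114 valid=300s;
    resolver_timeout 10s;

    # `always` also sends these headers on error responses (nginx >= 1.7.5).
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    server_name svcs.private.3ruler.com;
#    access_log  /data1/logs/nginx/3ruler/svcs.private.3ruler.com-access_log main;
#    error_log  /data1/logs/nginx/3ruler/svcs.private.3ruler.com-error_log;

    gzip on;
    gzip_types text/plain application/javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg;

    client_max_body_size 1024m;

    # Reverse proxy to the local backend; Upgrade/Connection headers allow WebSocket.
    location / {
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:8921;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_connect_timeout 60;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
    }

#    Only used for the first certificate request
#    location /.well-known/acme-challenge/ {
#        root /data1/webroot/certbot/order/svcs.private.3ruler.com;
#    }

}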

# Plain-HTTP vhost: serves ACME HTTP-01 challenges and redirects everything else to HTTPS.
server {
    listen      80;
    server_name svcs.private.3ruler.com;

#   Certificate renewal challenges are served through this entry point
    # (webroot must match the `-w` path given to certbot).
    location /.well-known/acme-challenge/ {
        root /data1/webroot/certbot/order/svcs.private.3ruler.com;
    }

    # Every other request is sent to the HTTPS vhost above.
    location / {
        return 301 https://$http_host$request_uri;
    }
}

 

 
