HTTPS setup and automatic certificate renewal
Install certbot
Change into the installation directory, e.g. /data1/server (adjust to your environment), then clone:
git clone https://github.com/certbot/certbot
or
git clone https://gitee.com/junwu00/certbot.git
Configure nginx
See the complete example below. Note that for the first configuration only port 80 is opened; configure port 443 only after the certificate has been issued (the certificate files it references do not exist yet).
Request the certificate
Several domains can be requested in one go (they then share a single certificate).
Example (the directory given to -w must be the same directory nginx serves for /.well-known/acme-challenge/, otherwise the HTTP-01 validation fails):
/data1/server/certbot/letsencrypt-auto --no-self-upgrade certonly \
--webroot -w /data1/webroot/gitlab/certbot/hostname.com \
-d qy.xzdjjd.com \
-d wx.xzdjjd.com \
-d sp.xzdjjd.com \
-d svc.xzdjjd.com
Because of the ACMEv2 issue, the parameter --server https://acme-v02.api.letsencrypt.org/directory can be added.
On success the certificate is normally placed under /etc/letsencrypt/live/
Update nginx and force HTTPS
See the complete example below.
After updating, reload nginx, open the site in a browser and check that HTTPS works correctly.
Automatic renewal
Add a scheduled renewal job via crontab:
crontab -e
0 3 * * * /data1/tools/certbot/letsencrypt-auto renew --no-self-upgrade --post-hook "/data1/cron/certbot_renew.sh" > /dev/null 2>&1 &
Here certbot_renew.sh is the script that reloads nginx after the certificate has been renewed so that the new certificate takes effect, e.g.:
#!/bin/bash
# Post-hook for "certbot renew": reload nginx so the renewed certificate takes effect.
# Note: with "set -e" a failing "nginx -t" would abort the script before any
# exit-code check could run, so the test is placed directly in the "if" condition.
set -x
#source /etc/profile
NGINX=/data1/server/nginx/1.15.7/bin/sbin/nginx
# Only reload if the configuration (including the new certificate files) passes the test
if "$NGINX" -t; then
    # Graceful reload: new worker processes pick up the renewed certificate
    "$NGINX" -s reload
else
    echo "nginx -t failed, not reloading" >&2
    exit 1
fi
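The two checks called for above (that HTTPS serves a valid certificate after the first deployment, and that a later cron renewal plus reload actually put a fresh certificate into service) can be automated. The script below is an added example and is not part of the original notes nor of certbot or nginx; it uses only the Python standard library. The hostnames are the ones requested with -d above; the 30-day threshold, the function names (fetch_peer_cert, assess, check_hosts) and the SAMPLE_CERT dict are assumptions made for this example, the dict being constructed purely so the decision logic can be exercised offline.

```python
"""Verify what nginx is actually serving after deployment or renewal.

For each hostname: open a TLS connection with SNI and full chain/hostname
verification (so a stale or self-signed certificate fails loudly), then
check the remaining validity and that every requested domain is in the SAN
list. The decision helpers work on the dict shape returned by
SSLSocket.getpeercert(), so they can be exercised offline.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Domains requested with "certbot certonly -d ..." above
REQUESTED_DOMAINS = ["qy.xzdjjd.com", "wx.xzdjjd.com", "sp.xzdjjd.com", "svc.xzdjjd.com"]

# certbot renews roughly 30 days before expiry; fewer days than this on a live
# site suggests the cron job or the post-hook reload is not working (assumed threshold)
RENEW_WARN_DAYS = 30

# Constructed sample in the shape getpeercert() returns, for offline testing (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "qy.xzdjjd.com"),),),
    "subjectAltName": tuple(("DNS", d) for d in REQUESTED_DOMAINS),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}


def fetch_peer_cert(host, port=443, timeout=10.0):
    """Connect to host:port, verify the chain against the system trust store, return the parsed leaf cert."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """DNS names from the subjectAltName extension as a set."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def missing_domains(cert, wanted):
    """Requested domains the served certificate does not cover (exact match, no wildcard logic)."""
    names = san_dns_names(cert)
    return sorted(d for d in wanted if d not in names)


def _as_utc(now):
    """Accept None (current time), an aware datetime, or 'YYYY-MM-DD' for reproducible checks."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now


def days_until_expiry(cert, now=None):
    """Whole days from now (UTC) until notAfter; negative once the certificate has expired."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - _as_utc(now)).days


def assess(cert, wanted, now=None):
    """Summarise one served certificate: days left, uncovered domains, overall verdict."""
    days = days_until_expiry(cert, now)
    missing = missing_domains(cert, wanted)
    return {"days_left": days, "missing": missing, "ok": days > RENEW_WARN_DAYS and not missing}


def check_hosts(hosts, wanted=REQUESTED_DOMAINS):
    """Live check of every host; a TLS failure (expired, wrong name, untrusted chain) is reported, not raised."""
    results = {}
    for host in hosts:
        try:
            results[host] = assess(fetch_peer_cert(host), wanted)
        except (ssl.SSLError, OSError) as exc:
            results[host] = {"days_left": None, "missing": list(wanted), "ok": False, "error": str(exc)}
    return results


if __name__ == "__main__":
    report = check_hosts(sys.argv[1:] or REQUESTED_DOMAINS)
    for host, r in report.items():
        line = f"{host}: {'OK' if r['ok'] else 'CHECK'} days_left={r['days_left']} missing={r['missing']}"
        print(line + (f" error={r['error']}" if "error" in r else ""))
    sys.exit(0 if all(r["ok"] for r in report.values()) else 1)
```

Run it once right after the first deployment and again after a renewal run has fired; a non-zero exit means either a requested domain is not in the served certificate or the certificate nginx is serving is closer to expiry than certbot's renewal window, which almost always means the reload hook did not run.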
Complete example
Configure the cipher suites (ssl_ciphers) according to your own requirements; the suites used in this example are comparatively CPU-intensive.
server {
    # "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listen directive instead
    listen 443 ssl;
    server_name svcs.private.3ruler.com;

    ssl_certificate_key /etc/letsencrypt/live/svcs.private.3ruler.com/privkey.pem;
    ssl_certificate     /etc/letsencrypt/live/svcs.private.3ruler.com/fullchain.pem;
    # Cipher list from the original notes; adjust as needed (see the note above)
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients must be supported
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 30m;
    # OCSP stapling needs the resolver below to reach the CA's OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    resolver 119.29.29.29 114.114.114.114 valid=300s;
    resolver_timeout 10s;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # access_log /data1/logs/nginx/3ruler/svcs.private.3ruler.com-access_log main;
    # error_log /data1/logs/nginx/3ruler/svcs.private.3ruler.com-error_log;
    gzip on;
    gzip_types text/plain application/javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg;
    client_max_body_size 1024m;

    location / {
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:8921;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_connect_timeout 60;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
    }

    # Only used when the certificate is first requested
    # location /.well-known/acme-challenge/ {
    #     root /data1/webroot/certbot/order/svcs.private.3ruler.com;
    # }
}

server {
    listen 80;
    server_name svcs.private.3ruler.com;

    # Renewal challenges are served through this entry point; it must stay reachable over plain HTTP
    location /.well-known/acme-challenge/ {
        root /data1/webroot/certbot/order/svcs.private.3ruler.com;
    }

    # Everything else is redirected to HTTPS
    location / {
        return 301 https://$http_host$request_uri;
    }
}