Installing and configuring an SSL certificate for HTTPS access

Open port 443

$ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
$ sudo firewall-cmd --reload

Install Certbot

$ sudo yum install epel-release
$ sudo yum install certbot

Interactive installation

$ sudo certbot certonly

After making your selection, confirming and pressing Enter:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.icocoro.me/fullchain.pem. Your cert will
expire on 2016-12-23. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Automatic certificate renewal

Test automatic renewal

$ sudo certbot renew --dry-run
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.icocoro.me.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.icocoro.me/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Renew the certificate for real

$ sudo certbot renew

Add the certbot renew command to cron so that it runs on a schedule

certbot renew --quiet

The actual entry written into crontab

$ sudo vi /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

# Runs at 23:00 on the 28th of every month; certbot only replaces certificates that are within 30 days of expiry.
# certbot is found via the PATH set above (the original "./certbot" only works if cron's working directory contains it).
# nginx keeps serving the old certificate until it is reloaded, so reload it after a successful renewal.
0 23 28 * * root certbot renew --quiet

Configure the Nginx SSL certificate

Edit the nginx configuration

$ sudo vi /opt/nginx/conf/nginx.conf
server {
    listen 80;
    server_name blog.icocoro.me *.blog.icocoro.me icocoro.me www.icocoro.me api.icocoro.me api.admin.icocoro.me;
    # Redirect to HTTPS. $host keeps the name the client asked for;
    # $server_name would always expand to the first name in the list above.
    return 301 https://$host$request_uri;
}

server {
    # Enable HTTPS with the HTTP/2 protocol
    listen 443 ssl http2;
    server_name blog.icocoro.me *.blog.icocoro.me;
    # HTTPS only for the max-age period. Browsers honour this header only when it
    # arrives over HTTPS, so it belongs here rather than on the port 80 server.
    add_header Strict-Transport-Security max-age=15768000;
    # Forbid framing
    add_header X-Frame-Options DENY;
    # Do not guess MIME types
    add_header X-Content-Type-Options nosniff;

    location / {
        # Backend on the loopback interface (0.0.0.0 as a connect target is not portable)
        proxy_pass http://127.0.0.1:4000;
        proxy_redirect default;
    }

    # Certificate path
    ssl_certificate /etc/letsencrypt/live/www.icocoro.me/fullchain.pem;
    # Private key path
    ssl_certificate_key /etc/letsencrypt/live/www.icocoro.me/privkey.pem;
    # Protocols the server will negotiate (TLSv1 and TLSv1.1 are deprecated; keep them only if legacy clients require them)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Cipher suites offered (the RC4 suites from the original list are removed and RC4 is excluded as a whole)
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    # During the SSLv3/TLSv1 handshake the client's preferred cipher is normally used;
    # with this setting enabled the server's preference wins instead.
    ssl_prefer_server_ciphers on;
    # Type and size of the SSL session cache
    ssl_session_cache shared:SSL:10m;
    # Cache lifetime
    ssl_session_timeout 60m;
}
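As an added check that is not part of the original post: a small Python script that scans a configuration in the layout shown above for three things worth verifying before going live, an HSTS header on the plaintext listener (which browsers ignore), deprecated protocol versions, and cipher suites such as RC4 that are still enabled. The sample configuration embedded in it is constructed to trigger all three.

```python
import re

# Added illustration, not code from the post: flags the TLS weaknesses this
# checker knows about in the flat "server { ... }" layout used above.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568, RFC 8996

def server_blocks(conf):  # body of every server { ... } block, comments stripped
    conf = re.sub(r"#[^\n]*", "", conf)
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.end():i - 1])
    return blocks

def directive(block, name):  # arguments of the first `name ...;` directive, or None
    m = re.search(r"(?m)^[ \t]*" + name + r"[ \t]+([^;]+);", block)
    return m.group(1).split() if m else None

def audit(conf):
    findings = []
    for body in server_blocks(conf):
        listen = " ".join(directive(body, "listen") or ["?"])
        tls = "ssl" in listen.split()
        hsts = re.search(r"(?mi)^[ \t]*add_header[ \t]+strict-transport-security\b", body)
        if hsts and not tls:  # browsers ignore HSTS received over plain HTTP
            findings.append(f"listen {listen}: HSTS header on a plaintext listener is ignored")
        if not tls:
            continue
        if not hsts:
            findings.append(f"listen {listen}: no Strict-Transport-Security header")
        for p in sorted(set(directive(body, "ssl_protocols") or []) & DEPRECATED_PROTOCOLS):
            findings.append(f"listen {listen}: deprecated protocol {p} enabled")
        # "!"-prefixed entries are exclusions; only unprefixed suites are enabled (RC4: RFC 7465)
        for c in (directive(body, "ssl_ciphers") or [""])[0].split(":"):
            if c and c[0] != "!" and any(t in c.upper() for t in ("RC4", "MD5", "DES", "NULL", "EXP")):
                findings.append(f"listen {listen}: weak cipher suite {c} enabled")
    return findings

# Constructed sample: HSTS on the plaintext listener, two deprecated protocols, one RC4 suite enabled.
SAMPLE_CONF = """server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;
}
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:!RC4-SHA:!aNULL;
}"""
```

Run it against a copy of the real file with `audit(open('/opt/nginx/conf/nginx.conf').read())`; an empty list means none of the checked problems were found.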

Restart nginx

$ sudo /opt/nginx/sbin/nginx


Note: openssl and openssl-devel must be installed, and nginx must be built with the http_ssl_module and http_v2_module modules

$ sudo yum -y install openssl*

Go into the Nginx source directory (default /usr/local/nginx)

$ sudo ./configure --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module
$ sudo make
$ sudo cp /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx.bak
$ sudo cp ./objs/nginx /opt/nginx/sbin/
邵志鹏 (WeChat)