Environment: CentOS 7
Site layout: Nginx in front of two Tomcat instances
1. Install git and python with yum
yum install git python -y
2. Clone letsencrypt and enter the directory (the project has since been renamed certbot; this URL now redirects to https://github.com/certbot/certbot, and the wrapper script is the same)
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
3. Obtain the certificate and prove ownership of the domain (the domain must already resolve to this server's IP). `Congratulations!` in the output means it succeeded.
./letsencrypt-auto certonly   # interactive: enter an e-mail address, accept the agreement, then choose how to validate the domain (the second choice, the standalone method, is the simplest: it starts its own temporary web server, so the port it validates on, 80, must be free; stop Nginx first if it already listens there)
4. The certificate files are written to
/etc/letsencrypt/live/your-domain/
5. Configure the certificate in Nginx (if a firewall is running, open port 443)
server {
    #listen 80;   # uncomment to serve both 80 (plain HTTP) and 443 (HTTPS) from this block
    listen 443 ssl;
    server_name www.freeprogramming.cn freeprogramming.cn;
    ssl_certificate /etc/letsencrypt/live/freeprogramming.cn/fullchain.pem;   # certificate plus the intermediate chain
    ssl_certificate_key /etc/letsencrypt/live/freeprogramming.cn/privkey.pem;   # private key; keep it readable by root only
    charset utf-8;
    #access_log logs/www.freeprogramming.cn.access.log main;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Referer $http_referer;   # redundant: Referer is forwarded unchanged by default
        proxy_set_header X-Real-Port $remote_port;
        proxy_set_header X-Real-User $remote_user;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
        proxy_cache my_cache;   # needs a proxy_cache_path ... keys_zone=my_cache:... directive in the http block, which is not shown here
        # this must be the name of an upstream {} block in the http block that lists the two Tomcats (not shown here);
        # without such an upstream, Nginx resolves the domain to this host and proxies to itself, which loops once a port-80 redirect exists
        proxy_pass http://www.freeprogramming.cn;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
To send all port-80 traffic to 443 so that everything goes over HTTPS, add the following server block as well. Only the redirect is needed in it: any proxy_set_header or proxy_cache directives placed here never take effect, because the rewrite answers the request with a redirect before anything is proxied.
server {
    listen 80;
    server_name www.freeprogramming.cn freeprogramming.cn;
    location / {
        # $server_name is the first name listed above (www.freeprogramming.cn); $host would keep whichever name the client asked for
        rewrite ^ https://$server_name$request_uri permanent;
    }
}
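As an added example (not the original post's configuration), here is a hardened version of the two server blocks above. The port-80 block serves only the ACME challenge path, so that `letsencrypt-auto renew` can validate with the webroot method while Nginx keeps running, and redirects everything else; the 443 block restricts protocols and ciphers, turns on HSTS and passes `X-Forwarded-Proto` to Tomcat. The `upstream` block, the two Tomcat addresses and the webroot path are assumptions, since the original page does not show them; the cache directives are left out.

```nginx
# Added example, not the original post's config. The upstream addresses and the
# webroot path are assumptions; the page does not show how the two Tomcats are reached.
upstream tomcat_pool {
    server 127.0.0.1:8080;   # assumed: first Tomcat
    server 127.0.0.1:8081;   # assumed: second Tomcat
}

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name www.freeprogramming.cn freeprogramming.cn;

    # Webroot validation: if the certificate was obtained with
    #   letsencrypt-auto certonly --webroot -w /usr/local/nginx/html -d ...
    # then "letsencrypt-auto renew" reuses that path and Nginx never has to stop.
    # /usr/local/nginx/html is an assumed path.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/nginx/html;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;   # $host keeps the name the client asked for
    }
}

server {
    listen 443 ssl;
    server_name www.freeprogramming.cn freeprogramming.cn;

    ssl_certificate     /etc/letsencrypt/live/freeprogramming.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/freeprogramming.cn/privkey.pem;

    # Drop SSLv3 / TLS 1.0 / TLS 1.1 and plain-RSA key exchange; only forward-secret AEAD suites.
    # TLSv1.3 is omitted because it needs Nginx 1.13+ built against OpenSSL 1.1.1,
    # which CentOS 7 does not ship.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # a long-lived ticket key would undermine forward secrecy

    # Browsers then refuse plain HTTP for a year; "always" adds the header on error responses too.
    # Start with a short max-age (e.g. 300) until every host name is known to work over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    charset utf-8;

    location / {
        proxy_pass http://tomcat_pool;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets Tomcat (RemoteIpValve) build https:// URLs
        proxy_next_upstream error timeout http_502 http_503 http_504;   # fail over to the other Tomcat
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
```

After the certificate has been issued once with `--webroot`, the renewal configuration under `/etc/letsencrypt/renewal/` records that method and path, so a plain `letsencrypt-auto renew` keeps working against the port-80 block above with Nginx running. Test the result with `nginx -t` as in step 6 before reloading.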
6. Test the configuration (-t) and then reload Nginx with `-s reload`. If the test reports that the http_ssl_module is missing, Nginx was built without it: rebuild from source with `--with-http_ssl_module` (the yum package already includes it).
path-to-your-nginx -t -c path-to-your-config-file
/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/config/nginx.conf
7. Set up a cron job to renew the certificate. Let's Encrypt certificates are valid for 90 days, and `renew` only replaces those with fewer than 30 days left, so a monthly run is the bare minimum; running it daily is safer, because a failed attempt then gets retried before the certificate expires. Two things the plain `renew` does not do by itself: it does not make Nginx pick up the new files (hence the reload chained after it below), and it reuses the validation method chosen in step 3. With the standalone method that means binding port 80 again, which fails while Nginx is listening there; either stop and start Nginx around the renewal (recent certbot releases accept `--pre-hook` and `--post-hook` for this) or switch the certificate to the webroot method so Nginx can stay up.
yum install crontabs -y
systemctl start crond
crontab -e
0 0 1 * * /usr/local/git_repository/letsencrypt/letsencrypt-auto renew && /usr/local/nginx/sbin/nginx -s reload   # reload only after a successful run; adjust the clone path to where you ran step 2
systemctl restart crond   # not strictly required, crond picks up crontab changes on its own