Let's Encrypt makes putting a site on HTTPS dead simple, and automatic renewal is even better

Author: banniwang - Posted: 22 days ago - Views: 91

I have always used a Tencent Cloud host, and the site's HTTPS ran on Tencent's free TrustAsia certificate. That certificate was about to reach one year, so I planned to apply for another free one-year certificate and carry on. Since this is a personal site with little traffic, I basically never log in remotely as long as the site stays up. Today I logged into the Tencent Cloud console and found that, since April this year, the validity of Tencent Cloud's free TrustAsia certificate has been cut from 12 months to 3 months.

I had considered Let's Encrypt before, but TrustAsia offered 12 months of validity. Now that it has been changed to match Let's Encrypt, I am simply switching to Let's Encrypt, which also has advantages TrustAsia lacks:

  • Renews automatically before expiry
  • Install once, configure once, never touch it again
  • Large user base, open source

Install once

(1) Enter the following commands to start the installation

[root@centos ~]# yum install -y certbot
[root@centos ~]# yum install -y python3-certbot-nginx

Note: the above is for CentOS; on Ubuntu just replace yum with apt.

(2) Once installed, generate the certificate with the following command

[root@centos ~]# certbot certonly --standalone -d www.example.com

When you see the following output, the certificate has been issued.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.example.com/privkey.pem
This certificate expires on 2025-02-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The success message above tells you:

  1. The certificate was created, and the directory it is stored in
  2. When the certificate expires
  3. certbot has already created a scheduled renewal job that runs in the background

Many articles online set up their own cron job for renewal after the certificate is created. That is completely unnecessary: as the output above shows, certbot generates the renewal job for you when it issues the certificate, and it runs automatically in the background before the certificate expires. Of course, those articles may be about much older certbot versions; I don't know whether earlier versions required you to write the renewal cron job yourself.

(3) In the nginx configuration, just add the following:

server {
    listen 80;
    listen 443 ssl;
    http2 on;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ...
}

After these three steps, restart the server and the site is served over HTTPS. To send all port-80 traffic to port 443, just use a 301 redirect.
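Once the three steps are done, the one thing worth verifying is that the scheduled renewal certbot mentions is actually in place, because certbot only starts renewing once the certificate is within 30 days of the expiry date it printed. The check below is an added example, not part of the original post; it assumes GNU date, openssl, systemd, and certbot's default /etc/letsencrypt/live/<domain>/ layout.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report how many days the
# certbot-managed certificate has left and whether the renewal timer exists.
set -u

# Days between NOW (default: current time) and the expiry stamp in the exact
# line that `openssl x509 -noout -enddate` prints, e.g.
# "notAfter=Feb 17 12:00:00 2025 GMT". Requires GNU date.
days_until_expiry() {
    local enddate_line="$1" now="${2:-now}"
    local end_epoch now_epoch
    end_epoch=$(date -u -d "${enddate_line#notAfter=}" +%s) || return 2
    now_epoch=$(date -u -d "$now" +%s) || return 2
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# certbot renews when fewer than 30 days remain, so a live certificate that is
# inside that window means the scheduled renewal did not run.
# Prints a status word; exit 0 = ok, 1 = renewal overdue, 2 = expired.
classify_days() {
    local days="$1"
    if [ "$days" -lt 0 ]; then echo expired; return 2
    elif [ "$days" -lt 30 ]; then echo renewal-overdue; return 1
    else echo ok; return 0
    fi
}

# Check the certificate certbot wrote for DOMAIN and look for its timer.
check_live_cert() {
    local domain="$1"
    local pem="/etc/letsencrypt/live/$domain/fullchain.pem"
    [ -r "$pem" ] || { echo "no certificate at $pem" >&2; return 3; }
    local enddate days status rc
    enddate=$(openssl x509 -noout -enddate -in "$pem") || return 3
    days=$(days_until_expiry "$enddate")
    status=$(classify_days "$days"); rc=$?
    echo "$domain: $days day(s) left, $status"
    # The "scheduled task" certbot reports is a systemd timer on current
    # distributions; older installs used a cron entry instead.
    if ! systemctl list-timers --all 2>/dev/null | grep -q certbot; then
        echo "warning: no certbot systemd timer found;" \
             "run 'certbot renew --dry-run' to confirm renewal works" >&2
    fi
    return "$rc"
}

# Usage: ./check-cert.sh www.example.com
if [ -n "${1:-}" ]; then check_live_cert "$1"; fi
```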

Errors you may hit during installation

Could not bind TCP port 80?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)etry/(C)ancel: c
Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

Cause: nginx was not stopped before generating the certificate; stop it and the error goes away.

Certbot failed to authenticate some domains?
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.example.com
  Type:   connection
  Detail: 114.114.114.114: Fetching http://www.example.com/.well-known/acme-challenge/elXOi5MClCNEyu0rX_uQt9lMExXbZUNOySe0Zizp6AM: Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

Cause: the domain is not pointed at the server the certificate is being generated for; just resolve the domain to that server.
