
Linux Nginx site: installing and configuring a free Let's Encrypt SSL certificate for HTTPS with Certbot

Test environment: CentOS Linux release 7.3.1611 (Core)
Kernel version: Linux version 3.10.0-514.el7.x86_64
Nginx version: Nginx-1.13.0

Let's Encrypt is a free, automated and open certificate authority. It was launched by Mozilla, Cisco, Chrome, Facebook, Akamai and many other companies and organizations, and it is secure, stable and reliable. See the Let's Encrypt official website for details.

Today we will put Let's Encrypt to work and enable HTTPS encryption for your website.

Official site: //letsencrypt.org/

1. Install Certbot and the EPEL repository package

$ yum install -y epel-release

Certbot is the client officially recommended by Let's Encrypt. With Certbot you can automate the deployment of Let's Encrypt SSL certificates and add HTTPS encryption to your website.

$ yum install certbot
$ certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1 【choose 1 and press Enter】
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):su@renwole.com【enter your email address; it is used for urgent renewal and security notices】

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
//letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
//acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A【A accepts the Terms of Service, C declines】
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:Y【whether to share your email address; choosing Y is suggested】
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): blog.renwole.com【enter the domain name and press Enter】
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.renwole.com
Select the webroot for blog.renwole.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):1【choose 1 and press Enter】
Input the webroot for blog.renwole.com: (Enter 'c' to cancel):/home/www/blog.renwole.com【enter the absolute path of the site's webroot and press Enter】
Waiting for verification...
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/blog.renwole.com/fullchain.pem. Your cert
will expire on 2017-08-09. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: //letsencrypt.org/donate
Donating to EFF:

Congratulations! Your SSL certificate and chain have been saved; the certificate will expire on 2017-08-09.

Note: before the certificate can be generated, you must make sure nginx is running and listening on port 443, otherwise certificate generation will fail.

2. Automatic renewal

Certbot can be configured to renew certificates automatically before they expire. Since Let's Encrypt SSL certificates are only valid for 90 days, you are advised to use this feature. You can test automatic renewal of the certificate by running:

$ sudo certbot --nginx certonly

If the above works, you can schedule automatic renewal by adding a cron job or systemd timer that runs:

certbot renew

Let's add a scheduled job for this; running it once an hour is recommended:

$ sudo crontab -e

Add the following line:

0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Save and exit.

Check that the entry was added:

$ crontab -l
0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Restart crond:

$ systemctl status crond.service
$ systemctl restart crond.service

Watch the cron log to confirm the job is being run:

$ tail -f /var/log/cron

To check whether the certificate was renewed successfully, list the certificate details with:

$ certbot certificates

For more Certbot commands, see the official documentation: //certbot.eff.org/docs/
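The cron line above restarts nginx every six hours whether or not anything was renewed, and a renewal that keeps failing is only noticed once the certificate has expired. The wrapper below is an added example, not part of the original post: it uses the paths shown in this post, assumes it is installed as /usr/local/bin/le-renew.sh, and assumes a certbot version that supports --deploy-hook.

```shell
#!/bin/sh
# Cron wrapper for certificate renewal (added example, not from the post).
# Compared with "certbot renew --quiet && systemctl restart nginx":
#  - nginx is reloaded, not restarted, only for certificates certbot actually
#    renewed (--deploy-hook, certbot >= 0.17), and only if "nginx -t" passes;
#  - the live certificate's remaining lifetime is checked afterwards, so a
#    renewal that keeps failing is noticed long before the site breaks.

SELF="/usr/local/bin/le-renew.sh"                                 # assumed path
LIVE_CERT="/etc/letsencrypt/live/blog.renwole.com/fullchain.pem"  # from the post
NGINX_BIN="/usr/local/nginx/sbin/nginx"                           # from the post
WARN_DAYS=20   # certbot renews below 30 days left; under 20 means it is failing

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days until expiry (negative if expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# renewal_ok EXPIRY_EPOCH NOW_EPOCH -> 0 when more than WARN_DAYS remain, else 1
renewal_ok() {
    [ "$(days_left "$1" "$2")" -gt "$WARN_DAYS" ]
}

# cert_expiry_epoch CERT_FILE -> notAfter of the leaf certificate as epoch
# seconds (openssl and GNU date, both present on the CentOS 7 host in the post)
cert_expiry_epoch() {
    date -d "$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2)" +%s
}

# Deploy hook, run by certbot once per renewed certificate; never reload a
# configuration that fails the syntax test.
reload_nginx() {
    "$NGINX_BIN" -t && /bin/systemctl reload nginx
}

run_renewal() {
    /usr/bin/certbot renew --quiet --deploy-hook "$SELF hook"
    now=$(date +%s)
    expiry=$(cert_expiry_epoch "$LIVE_CERT")
    if ! renewal_ok "$expiry" "$now"; then
        echo "WARNING: $LIVE_CERT expires in $(days_left "$expiry" "$now") days;" \
             "see /var/log/letsencrypt/letsencrypt.log" >&2
        return 1
    fi
}

# crontab entry (every 6 hours, as in the post): 0 */6 * * * /usr/local/bin/le-renew.sh run
case "${1:-}" in
    run)  run_renewal ;;
    hook) reload_nginx ;;
esac
```

Because cron mails anything written to stderr, the warning reaches the address in the crontab owner's mailbox without any extra tooling.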

3. Configure nginx.conf

Next edit the Nginx configuration file. In the server block, remove the relevant comment markers, put the generated certificate after ssl_certificate and the generated private key after ssl_certificate_key, then save and restart nginx.

# vi /usr/local/nginx/conf/nginx.conf

server {
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/blog.renwole.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.renwole.com/privkey.pem;

    # ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # location / {
    #     root html;
    #     index index.html index.htm;
    # }
}

Open //blog.renwole.com/ in Google Chrome: the green padlock icon shows that the site is now served over HTTPS.
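The server block above leaves the cipher and session-cache settings commented out and does not redirect plain HTTP to HTTPS. As an added example (not the post's own configuration), the script below renders a fuller server block for a domain issued as in section 1 and has nginx test the result before it is reloaded; the conf.d include directory and the script itself are assumptions, the certificate paths and webroot are the ones from this post.

```shell
#!/bin/sh
# Added example (not from the original post): render the HTTPS server block for
# a domain certified as in section 1, then let nginx test it before reloading.
# Assumes conf.d/ is included from nginx.conf; the webroot is the one given to
# certbot in section 1, so "certbot renew" keeps working over plain HTTP.

NGINX_BIN="/usr/local/nginx/sbin/nginx"   # from the post
CONF_DIR="/usr/local/nginx/conf/conf.d"   # assumed include directory

# render_ssl_server DOMAIN WEBROOT -> port 80 serves only the ACME challenge
# path and redirects the rest; port 443 enables the TLS settings the post leaves
# commented out and restricts the protocol to TLS 1.2.
render_ssl_server() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    location ^~ /.well-known/acme-challenge/ { root $2; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name $1;
    root $2;

    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# install_ssl_server DOMAIN WEBROOT -> write the file, test the whole
# configuration, and remove the file again if the test fails so that a later
# reload can never pick up a broken server block.
install_ssl_server() {
    target="$CONF_DIR/$1.conf"
    render_ssl_server "$1" "$2" > "$target"
    if ! "$NGINX_BIN" -t; then
        rm -f "$target"
        return 1
    fi
    /bin/systemctl reload nginx
}
```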

Smoothly upgrading Nginx 1.12.0 to nginx-1.13.3 on Linux

This walkthrough was done on a production environment: CentOS 7.3 64-bit, minimal install.

1. Check the current Nginx version. Command:

# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-pcre --with-http_v2_module --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_image_filter_module --with-mail --with-threads --with-mail_ssl_module --with-stream_ssl_module

2. Download nginx-1.13.3 to /usr/local/, extract it and enter the extracted directory. Commands:

# cd /usr/local/
# wget //nginx.org/download/nginx-1.13.3.tar.gz
# wget //www.openssl.org/source/openssl-1.1.0e.tar.gz    # download the latest openssl
# tar zxvf openssl-1.1.0e.tar.gz                          # extract it
# tar zxvf nginx-1.13.3.tar.gz
# cd nginx-1.13.3

3. When you checked the nginx version, a long list of modules followed "configure arguments". These are the modules specified when nginx was first installed; they must be specified again when upgrading, and other modules can be added at the same time. Commands:

./configure \
  --prefix=/usr/local/nginx \
  --user=www \
  --group=www \
  --with-pcre \
  --with-openssl=/usr/local/openssl-1.1.0e \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_stub_status_module \
  --with-http_auth_request_module \
  --with-http_image_filter_module \
  --with-mail \
  --with-threads \
  --with-mail_ssl_module \
  --with-stream_ssl_module
# make
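Before step 4 swaps the binary, it is worth confirming that the new build really keeps every module of the old one and accepts the existing nginx.conf; once the old master has been told to quit, a new binary that fails to load leaves no server at all. The script below is an added example, not part of the original post. It uses the paths from this post and assumes the new binary is still at objs/nginx under the source tree.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks for the
# binary swap in steps 3-5, run after make and before step 4 renames the old
# binary. Catches two mistakes the post warns about: a configure line that
# drops a module the running binary was built with, and a new binary that
# rejects the current nginx.conf.

OLD_BIN="/usr/local/nginx/sbin/nginx"          # running binary (before the mv in step 4)
NEW_BIN="/usr/local/nginx-1.13.3/objs/nginx"   # freshly built binary, from the post
CONF="/usr/local/nginx/conf/nginx.conf"        # from the post

# configure_args BIN -> the "configure arguments:" line of "nginx -V" (which
# nginx prints on stderr), as a single space-separated string
configure_args() {
    "$1" -V 2>&1 | sed -n 's/^configure arguments: //p'
}

# missing_modules OLD_ARGS NEW_ARGS -> prints every --with-* / --add-* option
# present in OLD_ARGS but absent from NEW_ARGS, one per line
missing_modules() {
    new=" $(printf '%s' "$2" | tr -s '\n' ' ') "
    for opt in $1; do
        case "$opt" in
            --with-*|--add-*)
                case "$new" in
                    *" $opt "*) ;;
                    *) echo "$opt" ;;
                esac ;;
        esac
    done
}

# preflight -> exit 0 only when the new binary keeps every module of the old
# one and accepts the live configuration
preflight() {
    missing=$(missing_modules "$(configure_args "$OLD_BIN")" "$(configure_args "$NEW_BIN")")
    if [ -n "$missing" ]; then
        printf 'new binary was built without: %s\n' $missing >&2
        return 1
    fi
    "$NEW_BIN" -t -c "$CONF"
}
```

Only proceed to step 4 when preflight returns 0; a changed --with-openssl path is reported as well, which is expected here because the old build used the system OpenSSL.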

4. Note: once make has finished, run the commands below. Do NOT run make install, otherwise the existing installation is overwritten and the nginx service will run into all sorts of problems.

Upgrading without interrupting the running nginx web server is called a smooth (zero-downtime) upgrade. First rename the existing nginx binary:

# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

Copy the newly compiled Nginx binary into /usr/local/nginx/sbin/:

# cp /usr/local/nginx-1.13.3/objs/nginx /usr/local/nginx/sbin/

5. Run the upgrade. Commands:

# cd /usr/local/nginx-1.13.3
# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`

6. Check the nginx version again after the upgrade. Command:

# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.13.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled

You can see that the upgrade to 1.13.3 succeeded; this tutorial can be used in production. Hope it helps. Please credit the source when reposting!