Configuring an SSL certificate on Tomcat on a Linux server, with automatic renewal

Copyright notice: this article is shared for the exchange of experience; reposting is welcome. https://blog.csdn.net/qq_31708763/article/details/86667439

1. Environment: CentOS 7 (BCC instance)

Tomcat + MySQL + JDK

2. Let's Encrypt website: https://letsencrypt.org

3. Installation.

Check whether git is installed:
git --version
Remove it (only if you need to reinstall):
yum remove git
Install git:
yum install -y git

1. Fetch the client with git (this is slow; be patient):
git clone https://github.com/letsencrypt/letsencrypt
2. Enter the directory:
cd letsencrypt
3. Show the tool's usage:
./letsencrypt-auto --help
4. Run it (this installs a large pile of dependencies; on a host in mainland China switch to a local mirror first). If you use the standalone authenticator it must bind port 80 for the http-01 challenge, so stop whatever is listening there; the webroot mode used below leaves Tomcat running.
./letsencrypt-auto certonly
It will then stall for a while at "Installing Python packages…".

Note: letsencrypt-auto and certbot-auto are the same wrapper script under two names (both appear below). EFF has since retired certbot-auto; on a current system install certbot from the distribution package or snap instead. The certificate layout under /etc/letsencrypt and the behaviour of `certbot renew` described here are unchanged.

On a clean system all of the above goes through.
Then follow the prompts: validation method, e-mail address, whether to subscribe to the newsletter, domain name, web root, and so on.
I used Tomcat's ROOT directory as the web root (certbot writes the challenge file under /.well-known/acme-challenge/ there, and Tomcat's default servlet serves it over plain HTTP). On success the output looks like this:
[root@host letsencrypt]# ./certbot-auto certonly --webroot -w /usr/tomcat7.0.92/webapps/ROOT -d www.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.xxx.com
Using the webroot path /usr/tomcat7.0.92/webapps/ROOT for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxx.com/privkey.pem
   Your cert will expire on 2019-04-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@host letsencrypt]# 

When it finishes, /etc/letsencrypt/live/www.xxx.com contains five files: a README and four PEM files (the entries there are symlinks to the current versions kept under /etc/letsencrypt/archive/):

/etc/letsencrypt/live/www.xxx.com

cert.pem       the server certificate only

chain.pem      the intermediate certificate(s), not the root (the root is already in the client's trust store)

fullchain.pem  cert.pem followed by chain.pem; this is what the server must present

privkey.pem    the private key, unencrypted; keep it readable by root only

We need fullchain.pem and privkey.pem; Tomcat's JSSE connector wants them in a Java keystore, so convert them via PKCS#12 to .jks.

Enter the directory: cd /etc/letsencrypt/live/www.xxx.com

#Generate the PKCS#12 file (privkey.pem from certbot is unencrypted, so -passin is not needed; -passout sets the export password)
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat_letsencrypt -passout pass:123456
#Import it into a JKS keystore (the key password must equal the store password unless keyPass is set in server.xml)
keytool -importkeystore -deststorepass '123456' -destkeypass '123456' -destkeystore tomcat_letsencrypt.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass '123456' -alias tomcat_letsencrypt

Two caveats. First, 123456 is a placeholder: use a real password, and note that a password given on the command line shows up in `ps` output and in the shell history (openssl accepts -passout env:VAR or file:PATH, keytool accepts -storepass:env VAR). Second, Java reads PKCS#12 keystores directly, so the keytool step can be skipped by pointing Tomcat at the .p12 with keystoreType="PKCS12".

Edit Tomcat's configuration file server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/letsencrypt/live/www.xxx.com/tomcat_letsencrypt.jks"
               keystorePass="123456" />

#Restart Tomcat

If the keystore holds several entries, or the key password differs from the store password, name them explicitly with keyAlias and keyPass (this is the same connector, shown with placeholder paths and passwords):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" URIEncoding="UTF-8" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/pogaizai/MyDSKeyStore.jks" keystorePass="yourJKSpass" keyAlias="tomcat" keyPass="yourKeyPass"/>

Three things to check here. certbot creates /etc/letsencrypt/live and /etc/letsencrypt/archive so that only root can traverse them, so a Tomcat that runs as its own user (as it should, rather than as root) cannot read a keystore left there; copy the .jks to a directory owned by root with group tomcat and mode 0640 and point keystoreFile at that copy. sslProtocol="TLS" still lets the JVM negotiate TLS 1.0 and 1.1 where the JVM has them enabled; on Tomcat 7 add sslEnabledProtocols="TLSv1.2" (or "TLSv1.2,TLSv1.3" on a JVM that supports 1.3). Tomcat 8.5 and later use a different connector syntax (<SSLHostConfig> with a <Certificate> child) and can load certbot's PEM files directly through certificateFile, certificateKeyFile and certificateChainFile, which makes the keystore conversion unnecessary.

Test in a browser: https://yourDomain:8443/

On success you see the padlock; click it to view the certificate details.

Visiting http://yourDomain still serves the site unencrypted.

Forcing HTTPS in Tomcat:

Edit web.xml and add the following after the welcome-file-list element (the application's own WEB-INF/web.xml; conf/web.xml supplies defaults for every webapp):

<security-constraint>
    <!-- Require TLS for every URL of this application -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Only the security-constraint is needed. The <login-config> with <auth-method>CLIENT-CERT</auth-method> that is often pasted next to this snippet declares client-certificate authentication for the application; it plays no part in the redirect and should be left out unless you actually want clients to present certificates.

Once the constraint is in place, a plain-HTTP request is answered with a redirect to the port given by redirectPort on the HTTP connector (the stock server.xml sets redirectPort="8443").

Then change 8443 to 443 in server.xml, both the port of the SSL connector and the redirectPort of the HTTP connector.

443 is to HTTPS what 80 is to HTTP: the browser adds it implicitly, so it need not be typed.

Afterwards, every request is redirected to https://yourDomain.com.

Two caveats. Binding port 443 (like 80) needs root on Linux; rather than running Tomcat as root, keep it on 8443 and put a reverse proxy such as nginx in front, or redirect 443 to 8443 with an iptables REDIRECT rule. And the http-01 challenge request that certbot renew triggers is now redirected to HTTPS as well; Let's Encrypt follows that redirect, so renewal keeps working as long as the HTTPS connector is up.
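The check a practitioner wants after the redirect step is whether a plain-HTTP request really comes back as a redirect to https:// on the standard port, which catches both a missing constraint and a redirectPort still set to 8443. The following script is an added example and not part of the original post; host names, paths and the sample responses are constructed placeholders. It reads raw response headers, so it can be fed from curl against the real server or from the embedded samples.

```shell
#!/bin/sh
# check_https_redirect.sh: confirm that plain-HTTP requests are redirected to the
# HTTPS URL on the standard port, i.e. that both the CONFIDENTIAL constraint and
# the 8443 -> 443 change took effect. Added example, not code from the original
# post; host names and paths are placeholders. Usage against a live server:
#   curl -sI 'http://www.xxx.com/some/path?q=1' | sh check_https_redirect.sh www.xxx.com '/some/path?q=1'

# check_https_redirect HOST PATH HEADERS -> 0 when HEADERS (a raw HTTP response
# head) redirect to https://HOST/PATH; otherwise prints why and returns 1.
check_https_redirect() {
    host=$1; path=$2
    headers=$(printf '%s\n' "$3" | tr -d '\r')     # curl output uses CRLF
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    case $status in
        301|302|307|308) ;;     # Tomcat's transport-guarantee redirect is a 302
        *) echo "expected a redirect, got status '${status:-none}'" >&2; return 1 ;;
    esac
    loc=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case $loc in
        "https://$host$path") return 0 ;;
        "https://$host:8443"*)
            echo "redirect still points at port 8443; update redirectPort in server.xml: $loc" >&2; return 1 ;;
        https://*) echo "redirect goes to $loc, expected https://$host$path" >&2; return 1 ;;
        "") echo "redirect without a Location header" >&2; return 1 ;;
        *) echo "redirect is not HTTPS: $loc" >&2; return 1 ;;
    esac
}

# Constructed sample responses (what Tomcat returns at each stage of the setup)
SAMPLE_OK='HTTP/1.1 302 Found
Location: https://www.xxx.com/some/path?q=1
Content-Length: 0'

SAMPLE_8443='HTTP/1.1 302 Found
Location: https://www.xxx.com:8443/some/path?q=1'

SAMPLE_NO_CONSTRAINT='HTTP/1.1 200 OK
Content-Type: text/html'

# When invoked as a script with HOST and PATH, read the headers from stdin.
if [ $# -ge 2 ]; then
    check_https_redirect "$1" "$2" "$(cat)"
fi
```

Run it once with a path and a query string, not only against /, because the redirect Tomcat generates carries the original request URI; a reverse proxy in front of Tomcat that rewrites the Location header is where that part tends to break.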

Detailed openssl commands (PKCS12): https://blog.csdn.net/liao20081228/article/details/77159039

Side note: start

How to check your pip version:
# pip -V

My pip version is 8.1.1, but the latest version is 9.0.1, so I ran the following command to upgrade it:
# pip install --upgrade pip

Now check the pip version again:

# pip -V
pip 9.0.1 from /usr/local/lib/python2.7/dist-packages (python 2.7)

https://blog.csdn.net/anukram/article/details/78176614

https://blog.csdn.net/lyq8479/article/details/79022888

https://www.cnblogs.com/lzpong/p/6433189.html

https://www.iaodun.com/faq/technical/3008.html

If the host is in mainland China, switch to domestic mirrors (important):

Change the yum source:

http://blog.51cto.com/xiaogongju/2086328

Fix slow pip downloads (this is what stalls at "Installing Python packages…"):

https://www.jianshu.com/p/5002e4aea6d7

http://blog.51cto.com/lzhnb/2149543

Error seen:

[root@JaneYork letsencrypt]# ./letsencrypt-auto certonly
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: langpacks, versionlock
Package gcc-4.8.5-36.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-6.el7.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-16.el7.x86_64 already installed and latest version
Package libffi-devel-3.0.13-18.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-87.el7.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Package python-devel-2.7.5-76.el7.x86_64 already installed and latest version
Package python-virtualenv-15.1.0-2.el7.noarch already installed and latest version
Package python-tools-2.7.5-76.el7.x86_64 already installed and latest version
Package python2-pip-8.1.2-6.el7.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 2327, in <module>
    main()
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 712, in main
    symlink=options.symlink)
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 944, in create_environment
    download=download,
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 900, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python2.7/site-packages/virtualenv.py", line 796, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pip wheel failed with error code 1
[root@JaneYork letsencrypt]# ^C

Side note: end

4. Renewing the certificate:

#!/bin/sh
# Renewal. `certbot-auto renew` first checks whether each certificate is due:
# by default it only renews when 30 days or less of validity remain, otherwise
# it reports that no renewal is needed (renewing again the day after an
# issuance is refused for that reason). For testing, --force-renewal renews
# immediately regardless (mind the rate limits), and --dry-run exercises the
# whole process against the staging environment without issuing anything:
#./certbot-auto renew --force-renewal
#./certbot-auto renew --dry-run
cd /www/letsencrypt/
./certbot-auto renew
# Build the PKCS#12 file from the renewed PEMs
cd /etc/letsencrypt/live/yourDomain && openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat_letsencrypt -passout pass:123456
# Keep a copy of the new certificate files
cp /etc/letsencrypt/live/yourDomain/fullchain.pem /mnt/web/letsTemp
cp /etc/letsencrypt/live/yourDomain/privkey.pem /mnt/web/letsTemp
# Back up the old .jks under a dated name, then generate the new one
mv /etc/letsencrypt/live/yourDomain/tomcat_letsencrypt.jks /etc/letsencrypt/live/yourDomain/tomcat_letsencrypt`date '+%Y-%m-%d'`.jks
cd /etc/letsencrypt/live/yourDomain && keytool -importkeystore -deststorepass '123456' -destkeypass '123456' -destkeystore tomcat_letsencrypt.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass '123456' -alias tomcat_letsencrypt
# Restart Tomcat so it loads the new keystore (restartup.sh is the author's own
# wrapper; stock Tomcat ships shutdown.sh and startup.sh)
/usr/tomcat7.0.92/bin/restartup.sh

Two weaknesses of this script: it rebuilds the keystore and restarts Tomcat on every run even when certbot renewed nothing, and it keeps the password on the command line. certbot's --deploy-hook option runs a command only when a certificate was actually renewed, with that certificate's live directory in the RENEWED_LINEAGE environment variable, which is the cleaner place for the conversion and the restart. Also note that renewal reuses the webroot path recorded at issuance (in /etc/letsencrypt/renewal/yourDomain.conf), so Tomcat must still be serving that directory when renew runs.
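The keystore conversion from section 3 and the renewal script above both need the same steps: check that the key matches the certificate, convert PEM to PKCS#12 (and JKS), and restart Tomcat only when something changed. The script below is an added example that does both jobs and is not code from the original post or from certbot. It assumes the alias tomcat_letsencrypt, an output directory /etc/tomcat/ssl readable by the Tomcat user, a restart command in TOMCAT_RESTART, and the password in the KS_PASS environment variable; the self-signed lineage it builds for testing is constructed data, not a Let's Encrypt certificate.

```shell
#!/bin/sh
# tomcat-cert-deploy.sh: build the Tomcat keystore from a certbot lineage and
# act as a certbot --deploy-hook. This is an added example, not code from the
# original post. Assumed: alias tomcat_letsencrypt, output dir /etc/tomcat/ssl
# (readable by the Tomcat user), and the restart command in TOMCAT_RESTART.
set -e

ALIAS=tomcat_letsencrypt
KS_DIR=${KS_DIR:-/etc/tomcat/ssl}                            # assumption: adjust to your install
TOMCAT_RESTART=${TOMCAT_RESTART:-systemctl restart tomcat}   # assumption: adjust to your install

# 0 when the public key in the certificate equals the one derived from the key:
# catches a privkey.pem copied from the wrong lineage before it reaches Tomcat.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# 0 when the certificate expires within $2 days. certbot's own renewal
# threshold is 30 days, so 'expires_within_days cert 30' still being true
# after a renew run means the renewal did not happen and needs attention.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# PEM -> PKCS#12 -> JKS. The password is taken from KS_PASS in the environment
# (openssl env:VAR, keytool :env) so it never appears in ps or shell history.
# Runs in a subshell so the umask change stays local to this function.
build_keystore() (
    lineage=$1; out=$2
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; exit 1; }
    export KS_PASS
    key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem" ||
        { echo "privkey.pem does not match fullchain.pem in $lineage" >&2; exit 1; }
    umask 077                      # the keystore contains the private key: mode 0600
    mkdir -p "$out"
    openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$ALIAS" -out "$out/$ALIAS.p12" -passout env:KS_PASS
    # Tomcat can load the .p12 directly with keystoreType="PKCS12"; the JKS is
    # built only when keytool is present, for configurations that expect .jks.
    if command -v keytool >/dev/null 2>&1; then
        rm -f "$out/$ALIAS.jks"
        keytool -importkeystore -noprompt \
            -srckeystore "$out/$ALIAS.p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
            -destkeystore "$out/$ALIAS.jks" -deststoretype JKS \
            -deststorepass:env KS_PASS -destkeypass:env KS_PASS -alias "$ALIAS"
    fi
)

# 0 when the PKCS#12 file opens with KS_PASS (MAC verified, contents parsed).
keystore_ok() {
    export KS_PASS
    openssl pkcs12 -in "$1" -passin env:KS_PASS -noout 2>/dev/null
}

# Constructed test data: a self-signed 90-day certificate laid out like a
# certbot lineage (fullchain.pem + privkey.pem). Not a real Let's Encrypt cert.
make_fake_lineage() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=www.xxx.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# As a deploy hook, certbot runs this only after a certificate was actually
# renewed and exports RENEWED_LINEAGE (its live/<domain> directory) and
# RENEWED_DOMAINS, so Tomcat is restarted only when there is a new key pair:
#   certbot renew --deploy-hook /usr/local/sbin/tomcat-cert-deploy.sh
# Manual use: KS_PASS=... sh tomcat-cert-deploy.sh /etc/letsencrypt/live/www.xxx.com
main() {
    lineage=${RENEWED_LINEAGE:-${1:?usage: $0 /etc/letsencrypt/live/<domain>}}
    build_keystore "$lineage" "$KS_DIR"
    keystore_ok "$KS_DIR/$ALIAS.p12"
    echo "keystore rebuilt for ${RENEWED_DOMAINS:-$(basename "$lineage")}; restarting Tomcat"
    $TOMCAT_RESTART
}

if [ $# -ge 1 ] || [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$@"
fi
```

With this hook in place, the cron entry only has to run `certbot renew`; the conversion and restart happen on the days a renewal actually occurred. If an older JDK's keytool refuses the .p12 produced by OpenSSL 3, add -legacy to the openssl pkcs12 -export line, since OpenSSL 3 defaults to PKCS#12 encryption that older keytools do not read.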

Run the script from cron:
crontab -e
Add the following line in the editor. The field order is minute, hour, day-of-month, month, day-of-week, so the line in the original, 0 0 3 * *, runs at midnight on the 3rd of every month rather than at 03:00 on the 1st; for 03:00 on the 1st of every month write:
0 3 1 * * sh /ts/ssl_auto.sh >/dev/null 2>&1

Since `certbot renew` only acts once a certificate is within 30 days of expiry, running it monthly leaves little margin: a transient failure on that one day is not retried for another month. Let's Encrypt's recommendation is to run renew at least daily, ideally twice a day at a random minute, and let it decide; combined with --deploy-hook that means the keystore conversion and Tomcat restart happen only on the days a renewal actually occurred.

Another form, logging to a dated file instead of discarding the output (the % in the date format must be escaped in crontab, because an unescaped % starts a new line of stdin for the command):
00 12 * * * sh /home/text.sh >> /home/logs/log_$(date +\%Y-\%m-\%d).log 2>&1

2>&1 redirects standard error to the same place as standard output, i.e. into xxx.log.

Detailed crontab notes: https://blog.csdn.net/qq_31708763/article/details/86516523

Recommended reading:

Setting up a Java web development environment on Linux: https://blog.csdn.net/qq_31708763/article/details/86366445
