Let's Encrypt is a free certificate program launched by an organization called ISRG (Internet Security Research Group). The organizations and companies taking part in this project can be called the most important pioneers of the Internet. Besides the three courageous sponsors mentioned above, Cisco (the world's leading network equipment manufacturer) and Akamai joined, and even the Linux Foundation has joined the cooperation; the participation of these big-name organizations guarantees the credibility and sustainability of the project.
Later, the EFF (Electronic Frontier Foundation), the initiator of ISRG, released Certbot, an official client for the Let's Encrypt project that can obtain, deploy and renew certificates fully automatically. This is really easy and convenient, so we can use the official client directly instead of a third-party tool. Third-party tools can also be used, but the official tool is more authoritative, carries fewer risks, and problems are easier to solve because there is official support behind it.
Initial preparation work
- For deployment in mainland China the domain name must have an ICP filing. If it has not been filed: (1) the automatic certificate request cannot pass domain verification; (2) even if the certificate is downloaded manually and configured, the site cannot be accessed.
- The domain name's DNS must resolve to the nginx server.
Configuration content reference: https://blog.51cto.com/wzlinux/2385116
First, install certbot
The official website is https://certbot.eff.org/ ; the installation method follows the officially recommended steps.
yum install certbot python2-certbot-nginx
Second, obtain the certificate (there is manual acquisition, automatic acquisition with certbot, and so on; the following mainly explains automatic acquisition)
certbot certonly: only obtains the certificate, leaving nginx to be configured manually. Omit certonly to let certbot configure nginx for you step by step.
--nginx-server-root: specifies the nginx conf directory. When nginx was built from source or its conf path was changed, the path has to be given explicitly; if it is not set, certbot looks for /etc/nginx/nginx.conf by default and reports an error when the file is not there.
-d: specifies the domain name; the option can be repeated for multiple domains.
-m: sets the e-mail address; Let's Encrypt sends expiry reminders to it.
Replace domain.com and [email protected] in the following command with your own domain name and mailbox:
certbot certonly --nginx --nginx-server-root /usr/local/nginx/conf -d www.domain.com -d domain.com -m [email protected]
Solutions for common errors
1. ImportError: cannot import name UnrewindableBodyError
Solution: reinstall the urllib3 library:
pip uninstall urllib3
pip install urllib3
2. pkg_resources.DistributionNotFound: The 'urllib3<1.23,>=1.21.1' distribution was not found and is required by requests
Solution:
easy_install urllib3==1.21.1
3. ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
Solution:
pip install --upgrade --force-reinstall 'requests==2.6.0'
The following screenshot shows the certificate being obtained successfully.
Default certificate installation path:
cd /etc/letsencrypt/live
There are 4 files in total for each domain (cert.pem, chain.pem, fullchain.pem and privkey.pem).
Third, manually configure nginx SSL
cd /usr/local/nginx/conf
vi nginx.conf
Add the following configuration (change domain.com to your own domain name), then save and exit:
server {
    listen 80;
    server_name domain.com;
    # redirect http to https
    return 301 https://www.domain.com$request_uri;
}
server {
    listen 80;
    server_name www.domain.com;
    # redirect http to https
    return 301 https://$server_name$request_uri;
}
server {
    # nginx 1.15 and later use this syntax; before 1.15 use "ssl on"
    listen 443 ssl;
    server_name www.domain.com;
    # fill in the paths of the certificate just generated
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    # load the default ssl settings shipped with certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8081;
        proxy_redirect off;
    }
}
Reload nginx without downtime:
nginx -s reload
Then open your site in a browser to check it. Note: on an Alibaba Cloud server, remember to check that port 443 is open in the security group.
View the certificate; it is valid for 3 months.
Fourth, configure automatic certificate renewal
Test the automatic renewal first; the --dry-run flag runs the test without actually renewing:
certbot renew --dry-run
An error occurred:
Solution:
vi /usr/lib/python2.7/site-packages/sitecustomize.py
Add the following content, then save and exit (note that sitecustomize.py is loaded by every Python 2 program on the host, so this changes the default encoding system-wide):
import sys
# Python 2 only: make UTF-8 the default string encoding so certbot's
# renewal output does not fail on non-ASCII characters
sys.setdefaultencoding('utf-8')
Run the test renewal again; the picture below shows the test succeeding.
After the test renewal succeeds, add a scheduled task to renew automatically.
The following cron entry checks at midnight on the 1st, 8th and 20th of every month; certbot only renews certificates that are within 30 days of expiry, so a check this frequent is enough. The renewal settings can be viewed under /etc/letsencrypt/renewal.
echo "0 0 1,8,20 * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
View the renewal log:
cd /var/log/letsencrypt
Fifth, manually renew the certificate
certbot renew -v
Sixth, others
Check the certificate expiry time (this command is a bit slow):
certbot certificates
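certbot certificates only reports what is on disk. As an added example (not part of the original guide), the script below checks the site from the outside: it fetches the certificate nginx actually serves on 443, computes the days left against the 30-day renewal window mentioned above, and confirms the port-80 redirect to https configured earlier. Because it reads the served certificate, it also catches a renewal that succeeded on disk but was never picked up because nginx was not reloaded. The host name www.domain.com is the guide's placeholder and is an assumption here.

```python
import socket
import ssl
import sys
import time
from http.client import HTTPConnection

RENEWAL_WINDOW_DAYS = 30  # certbot renew acts inside this window before expiry


def days_until_expiry(not_after, now=None):
    """Days left on a certificate given its notAfter string as returned by
    SSLSocket.getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400.0


def expiry_status(not_after, now=None):
    """Classify a certificate as 'expired', 'renew' (inside the window) or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "expired"
    if days <= RENEWAL_WINDOW_DAYS:
        return "renew"
    return "ok"


def fetch_not_after(host, port=443, timeout=5):
    """Connect with full chain and hostname verification; return served notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_http_redirect(host, timeout=5):
    """True if http://host/ answers 301/302 with an https:// Location header."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    conn.close()
    return resp.status in (301, 302) and location.startswith("https://")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.domain.com"  # placeholder from the guide
    not_after = fetch_not_after(host)
    print(f"{host}: expires {not_after}, {days_until_expiry(not_after):.1f} days left, "
          f"status={expiry_status(not_after)}")
    print(f"{host}: http->https redirect {'present' if check_http_redirect(host) else 'MISSING'}")
```

Run it from the cron host or a monitoring box with `python3 check_tls.py www.domain.com`; a status of "renew" that persists past the scheduled cron runs means the renewal or the nginx reload is failing.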