CentOS下免费开启https

参考博客：

https://segmentfault.com/a/1190000017436129

https://segmentfault.com/a/1190000017008338

https://blog.csdn.net/u012486840/article/details/52610320

 PS：免费签名平台Let's Encrypt，其他系统或其他服务类型可前往Certbot查看相应部署方法。

 

 1、安装nginx

添加nginx到yum源

sudo rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

安装nginx

sudo yum install -y nginx

2、自动配置https

运行以下代码来开启选项通道（optional channel）：

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-> server-optional

开启选项通道后运行下面代码安装Certbot：

$ sudo yum install python2-certbot-nginx

 给Certbot安装Nginx插件：

$ sudo certbot --nginx

 运行上面命令会自动为你获取证书，并且Certbot会自动配置你的Nginx以提供服务。如果你想要手动修改Nginx配置可以使用certonly子命令：

$ sudo certbot --nginx certonly

 执行自动配置命令后命令行输出下文：

# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 123@qq.com

提示你输入接收紧急更新和安全提示的邮箱，

输入邮箱键入回车进入下一步（输入'c'并回车放弃设置该邮箱）。

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

要求阅读协议，输入A同意该协议并继续。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

询问邮箱是否接受广告，输入N拒绝并继续。

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): hahahha.com

输入你的域名（例如：example.me）并继续。

 

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zhuxiaofang.com
Using default address 80 for authentication.
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Could not automatically find a matching server block for hahahaha.com. Set the `server_name` directive to use the Nginx installer.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hahahaha.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hahahaha.com/privkey.pem
   Your cert will expire on 2019-07-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

这里出现了一个错误，大致意思是：证书已成功申请保存了，但是找不到我的域名对应的服务器模块，需要我去nginx中配置server_name。

编辑nginx的配置文件/etc/nginx/conf.d/default.conf

vim default.conf

server {
    listen       80;
    server_name  localhost;
    server_name  hahaha.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
"default.conf" 46L, 1127C written            

尝试重新配置

sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hahaha.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

在nginx中配置完域名后，这里选择我们刚配置的域名。

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zhuxiaofang.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

1表示重新安装之前申请的证书，2表示重新申请，一周限制5次

Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

选择是否将http请求重定向至https，输入1不改变当前服务器配置（不重定向），输入2将自动配置所有http请求的重定向。

既然我们要开启https服务就输入2并继续。

 

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/default.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://zhuxiaofang.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=zhuxiaofang.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zhuxiaofang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zhuxiaofang.com/privkey.pem
   Your cert will expire on 2019-07-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

配置成功，将域名换上https请求