
[SSL] Installing and using certbot on CentOS 7.x

2023-09-28  Bogon

1. Installing certbot on CentOS 7.x

# yum  -y  install epel-release
# yum   -y  install  certbot
# pip uninstall urllib3
# easy_install urllib3==1.21.1
# pip install urllib3
# pip install --upgrade --force-reinstall 'requests==2.6.0'

FreeSSL (https://freessl.cn) is a website that offers free HTTPS certificates. You need to register an account there.

2. Validation methods (choose one)

DNS validation

DNS validation requires you to add a CNAME record at your domain's DNS hosting provider.



You can check whether the record is configured correctly at https://dnschecker.org


Note: once the configuration is correct, wait 30 minutes, then check the order list in the console for the issued certificate.

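FILE validation

File validation requires you to upload a file to a specified path on your web server.
Make sure the file path on the second line is accessible, so that certificate issuance is not delayed.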

// Put fileauth.txt under /etc/nginx/html

$ mkdir -p /etc/nginx/html/.well-known/pki-validation/
$ cp fileauth.txt /etc/nginx/html/.well-known/pki-validation/

https://www.example.com/.well-known/pki-validation/fileauth.txt
http://www.example.com/.well-known/pki-validation/fileauth.txt

Note: the three values returned when the file is accessed must be separated by spaces, or split across three lines.
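
A local preflight for the FILE validation steps above, as an added example that is not part of the original post: it checks that fileauth.txt sits under the expected path, that the directories and the file are accessible to the web server's unprivileged user, and that the file holds three whitespace-separated values. The function names `check_fileauth` and `other_can` are hypothetical, and the script inspects only permission bits, so SELinux labels and the actual HTTP response still need checking separately.

```shell
#!/bin/sh
# Added example: local preflight for the FILE validation step.
# check_fileauth WEBROOT prints one line per problem found and
# returns non-zero if any check fails. Names are hypothetical.

REL_DIR=.well-known/pki-validation

# True when "other" users (e.g. the nginx worker process) hold the
# permission matched by pattern $2 on path $1. Characters 8-10 of the
# `ls -ld` mode string are the "other" permission bits.
other_can() {
    ls -ld "$1" | cut -c8-10 | grep -q "$2"
}

check_fileauth() {
    webroot=$1
    file=$webroot/$REL_DIR/fileauth.txt
    rc=0

    # The file must exist at the path the CA will request.
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi

    # Every directory from the web root down must be traversable,
    # and the file itself readable, by the unprivileged server user.
    for dir in "$webroot" "$webroot/.well-known" "$webroot/$REL_DIR"; do
        other_can "$dir" '[xt]' || { echo "not traversable by others: $dir"; rc=1; }
    done
    other_can "$file" 'r' || { echo "not readable by others: $file"; rc=1; }

    # The file must carry three values separated by spaces or newlines.
    count=$(($(wc -w < "$file")))
    [ "$count" -eq 3 ] || { echo "expected 3 values, found $count"; rc=1; }

    return $rc
}
```

Call it as `check_fileauth /etc/nginx/html` after copying the file; a zero exit status means the local checks passed.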

3. Generating the certificate

// Generate the certificate with certbot
certbot certonly --manual -d www.example.com  --server  https://acme.freessl.cn/v2/DV90/directory/m4miip6nkxxxbadnuxb5

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): 123456789@qq.com
Starting new HTTPS connection (1): acme.freessl.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.example.com
Subscribe to the EFF mailing list (email: 123456789@qq.com).
Starting new HTTPS connection (1): supporters.eff.org
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your certificate will expire on 2023-12-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
# ll  /etc/letsencrypt/live/www.example.com/

total 4
lrwxrwxrwx 1 root root  51 Sep 28 14:13 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root  52 Sep 28 14:13 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root  56 Sep 28 14:13 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  54 Sep 28 14:13 privkey.pem -> ../../archive/www.example.com/privkey1.pem
-rw-r--r-- 1 root root 692 Sep 28 14:13 README
# cat /etc/letsencrypt/live/README
 
This directory contains your keys and certificates.
 
`[cert name]/privkey.pem`  : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).
 
WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!
 
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

4. References

FreeSSL.cn, a website offering free HTTPS certificates
https://freessl.cn

Notes on applying for free certificates through FreeSSL
https://blog.freessl.cn/about-freessl-org-apply-cert-introduce

Installing a free SSL certificate in nginx to enable HTTPS
https://blog.csdn.net/qq_40065776/article/details/116047489
