跳转至

02-nginx-ssl

前期准备

  • 系统: centos7
  • SSL证书:certbot

安装

安装certbot 和 nginx 软件 

yum install -y certbot  python3-certbot-nginx certbox-nginx nginx

生成证书

首先我们certbot支持多种模式生成证书, 我们这里用跟nginx搭配的方式生成证书

nginx 配置

需要先把nginx代理域名的 80端口配置正确,我们先以xxx.domain.com域名作为例子

server {
  listen 80
  server_name xxx.domain.com;
  access_log         /data/nginx/logs/access.log;
  client_header_timeout 1200s;
  client_body_timeout 1200s;
  client_max_body_size 500m;

  location / {
    proxy_set_header Host $server_name;   
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_pass http://127.0.0.1:40033;

  }
}
测试下nginx配置 
[root@bdser ~]# nginx -c /etc/nginx/nginx.conf -t 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

certbot生成证书

certbot --nginx -d xxx.domain.com  #会自动识别nginx配置位置,帮你配置好nginx ssl
certbot certonly --nginx -d xxx.domain.com  #只会生成ssl证书,后面自己配置到nginx中
我们这里用第一种方式,自动帮忙配置,生成的配置看下,前提nginx配置通过测试是ok的 
server {
  listen 443 ssl;
  server_name xxx.domain.com;
  access_log         /data/nginx/logs/domain-access.log;
  ssl_certificate /etc/letsencrypt/live/xxx.domain.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/xxx.domain.com/privkey.pem; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  client_header_timeout 1200s;
  client_body_timeout 1200s;
  client_max_body_size 500m;

  location / {
    proxy_set_header Host $server_name;   
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_pass http://127.0.0.1:40033;

  }

}
server {
    if ($host = xxx.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  server_name xxx.domain.com;
  return 404; # managed by Certbot

}
在测试下nginx配置 
[root@bdser ~]# nginx -c /etc/nginx/nginx.conf -t 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

证书续签测试

#测试证书续签是否正常,如果正常执行,后面可以把正式续签命令加入定时任务
certbot renew --dry-run

定时任务执行

上面测试如果没有问题,通过定时任务,每个月定时续签证书,可能在生成的时候,nginx会卡一下 

#每个月的第一天进行续签,--quiet:代表静默模式,不输出终端信息
0 0 1 * * /usr/bin/certbot renew --quiet