3

因为是在segmentfault网站上看到letsencrypt有提供免费的ssl证书,因为决定在CentOS上安装试用一下。

安装过程很简单,按照教程一步步来就能搞定:

$ git clone https://github.com/certbot/certbot
$ cd certbot
$ ./certbot-auto --help

但是教程的下一步就有问题了,安装完之后的目录下并没有certbot这个可执行文件,而只有certbot-auto,但其实它们两个是一回事,直接用就可以。

当我执行./certbot-auto时,出现了以下错误:

Error:  Multilib version problems found. This often means that the root
       cause is something else and multilib version checking is just
       pointing out that there is a problem. Eg.:

         1. You have an upgrade for openssl which is missing some
            dependency that another package requires. Yum is trying to
            solve this by installing an older version of openssl of the
            different architecture. If you exclude the bad architecture
            yum will tell you what the root cause is (which package
            requires what). You can try redoing the upgrade with
            --exclude openssl.otherarch ... this should give you an error
            message showing the root cause of the problem.

         2. You have multiple architectures of openssl installed, but
            yum can only see an upgrade for one of those arcitectures.
            If you don't want/need both architectures anymore then you
            can remove the one with the missing update and everything
            will work.

         3. You have duplicate versions of openssl installed already.
            You can use "yum check" to get yum show these errors.

感觉上好像是openssl版本不匹配,于是执行

yum update openssl

然后再次执行./certbot-auto,这次就没问题了。

先退出界面,然后执行

./certbot-auto --help

这次发现多了一些内容。然后执行:

./certbot-auto certonly --standalone -d www.myserver.com

因为是standalone,它试图在80端口上启动一个服务器,但是因为80端口已经被nginx占用,所以执行不成功,需要暂时停用一下nginx。因为我不想中断服务,所以我手动把nginx停用,把以前备用的一个apache启动起来,占住80端口以提供服务。这样我就不再需要standalone参数,而可以使用apache参数了,如下:

./certbot-auto certonly --apache -d www.myserver.com

但又出现了错误,它在443的虚拟主机上找不到我的服务器,原来我只在80端口上配置了虚拟主机,于是在Apache的conf文件上胡乱配上一个虚拟主机,以便使用443端口。但还是连接不通。报如下错误:

 - The following errors were reported by the server:

   Domain: www.myserver.com
   Type:   connection
   Detail: Failed to connect to host for DVSNI challenge

仔细一想,原来是我在防火墙上把443端口禁用了,打开443端口后,终于成功!

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.myserver.com/fullchain.pem. Your
   cert will expire on 2016-08-15. To obtain a new version of the
   certificate in the future, simply run Certbot again.

接下来,你会在上述目录下看到4个文件:
cert.pem@ chain.pem@ fullchain.pem@ privkey.pem@

这4个文件里,我们在nginx配置中只会用到后2个,因为fullchain.pem就相当于cert.pem+chain.pem。

nginx的配置如下:

server {
    listen       443;
    server_name  www.myserver.com;
    root   /var/www/html;

    ssl                  on;
    ssl_certificate      /etc/letsencrypt/live/www.myserver.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.myserver.com/privkey.pem;

    location / {
        index  index.php index.html index.htm;
    }

    location ~ /\. {
        return 403;
    }

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

最后还要记得配置80端口,这样它才会强行把所有指向80端口的http链接转变为https请求:

server {
    listen      80;
    server_name www.myserver.com;
    return 301 https://www.myserver.com$request_uri;
}

到止为止,重启nginx,终于可以在浏览器端看见那个漂亮的绿色小锁头了!


2016年6月9日补充:

其实在nginx下配置letsencrypt远没有那么麻烦,首先需要在ini文件中的server块中添加如下设置:

location ~ /.well-known {
    allow all;
}

主要目的是因为letsencrypt在验证时需要往这个文件夹下写文件验证,但其实你自己不必创建这个文件夹。

然后你再执行如下语句:

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d www.example.com

其余步骤同上。


更便捷的方法,请参考https://segmentfault.com/a/11...


张京
13.4k 声望4.7k 粉丝

现任北京联云天下科技有限公司技术副总裁。1994年毕业于清华大学计算机科学与技术专业;20多年软件开发及项目管理经验;历任亚洲生活网络公司CTO,摩托罗拉软件中心QSE工具经理,融信恒通技术总监,安必信软件公...