How to configure Nginx with Let's Encrypt on CentOS 8
How do I secure an Nginx web server with a free SSL certificate from Let's Encrypt on a CentOS 8 server?
How do I set up and configure Nginx with Let's Encrypt on CentOS 8?
Let's Encrypt is a free, automated and open certificate authority for websites, mail servers and more.
In this tutorial you will learn how to install a Let's Encrypt certificate for the Nginx web server on CentOS 8 and obtain an SSL Labs A+ score.
How to secure Nginx with Let's Encrypt on CentOS 8
The process of obtaining an SSL certificate is as follows:
- Get the acme.sh software:
git clone https://github.com/Neilpang/acme.sh.git
- Create an nginx configuration for your domain:
vi /etc/nginx/conf.d/your-domain-name.conf
- Obtain an SSL certificate for your domain:
acme.sh --issue -d your-domain-name --nginx
- Configure TLS/SSL in Nginx:
vi /etc/nginx/conf.d/your-domain-name.conf
- Set up a cron job for automatic renewal
- Open port 443 (HTTPS) with Firewalld on CentOS 8:
sudo firewall-cmd --add-service=https
Let's see how to install the acme.sh client and use it on CentOS 8 to obtain an SSL certificate from Let's Encrypt.
Step 1: Install the required software
Install the git, bc, wget, curl and socat packages with the yum command:
sudo yum install git bc wget curl socat
Step 2: Install the acme.sh Let's Encrypt client
Clone the repository:
cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git
Install the acme.sh client on the system by running:
cd acme.sh/
sudo -i ## be root user ##
./acme.sh --install
After installation you must close the current terminal and open it again for the alias to take effect.
Alternatively, source the file in the same root shell you used above (source is a shell builtin, so it cannot be run through sudo):
source ~/.bashrc
Verify the installation by printing the version number:
acme.sh --version
Step 3: Basic Nginx configuration for an HTTP server
I will create a new configuration for a domain named c8nginx.theitroad.local (feel free to replace c8nginx.theitroad.local with your actual domain name) as follows:
# vi /etc/nginx/conf.d/c8nginx.theitroad.local.conf
Append the following:
# http port 80
server {
    listen 80;
    server_name c8nginx.theitroad.local;
    access_log /var/log/nginx/http_c8nginx.theitroad.local_access.log;
    error_log /var/log/nginx/http_c8nginx.theitroad.local_error.log;
    root /usr/share/nginx/html;
}
Save and close the file.
Test the nginx configuration and restart the nginx server as follows:
# nginx -t
# systemctl restart nginx.service
Step 4: Create the dhparams.pem file
First create a new directory with the mkdir command, then run the openssl command:
# mkdir -pv /etc/nginx/ssl/theitroad.local/
# cd /etc/nginx/ssl/theitroad.local/
# openssl dhparam -out dhparams.pem -dsaparam 4096
Note that -dsaparam makes generation much faster, but the result is not a safe-prime group and must only be used for ephemeral DHE (which is how nginx uses it); the standardised RFC 7919 ffdhe2048 group that Mozilla recommends is an alternative if you prefer not to generate your own.
For more information, see how to speed up OpenSSL/GnuPG entropy for random number generation on Linux.
Step 5: Obtain a certificate for the domain
Issue a certificate for your domain:
sudo acme.sh --issue -d c8nginx.theitroad.local -k 2048 --nginx
## for two domains ##
sudo acme.sh --issue -d c8nginx.theitroad.local -d www.theitroad.local -k 2048 --nginx
## get certs for three domains ##
sudo acme.sh --issue -d theitroad.local -d c8nginx.theitroad.local -d www.theitroad.local -k 2048 --nginx
## let us get cert for c8nginx.theitroad.local domain only ##
sudo acme.sh --issue -d c8nginx.theitroad.local -k 4096 --nginx
Step 6: Configure Nginx
You have just successfully requested an SSL certificate from Let's Encrypt for your CentOS 8 Linux server.
Now it is time to configure it.
Update the SSL configuration as follows:
$ sudo vi /etc/nginx/conf.d/c8nginx.theitroad.local.conf
Append the following configuration:
## http port 80: START http://c8nginx.theitroad.local/ config ##
server {
    listen 80;
    listen [::]:80;
    access_log /var/log/nginx/http_c8nginx.theitroad.local_access.log;
    error_log /var/log/nginx/http_c8nginx.theitroad.local_error.log;
    server_name c8nginx.theitroad.local;
    root /usr/share/nginx/html;
    #
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    #
    return 301 https://$host$request_uri;
}
## https port 443: START https://c8nginx.theitroad.local/ config ##
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name c8nginx.theitroad.local;
    root /usr/share/nginx/html;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/theitroad.local/c8nginx.theitroad.local.cer;
    ssl_certificate_key /etc/nginx/ssl/theitroad.local/c8nginx.theitroad.local.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/theitroad.local/dhparams.pem;
    #
    # Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 and above
    #
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # replace with the IP address of your resolver
    resolver 8.8.8.8;
    ## add other config below such as fastcgi or php and so on ##
}
Save and close the file in the vi/vim text editor.
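As an added check (my own code, not part of the original tutorial), the following Python script parses the TLS directives of a server block like the one above and flags the weak settings that configuration deliberately avoids; the sample blocks and the one-year HSTS floor are my assumptions.

```python
import re

# Constructed sample (added here, not from the page's author): the TLS-relevant
# directives of the https server block above, plus a deliberately weakened copy.
HARDENED = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/theitroad.local/dhparams.pem;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""
WEAK = (HARDENED.replace("TLSv1.2 TLSv1.3", "TLSv1 TLSv1.1 TLSv1.2")
        .replace("max-age=63072000", "max-age=300")
        .replace("ssl_session_tickets off", "ssl_session_tickets on")
        .replace("ssl_stapling_verify on;\n", ""))
ONE_YEAR = 31536000  # assumed HSTS floor in seconds; the page's config uses two years


def parse_directives(block):
    """Map directive name -> list of value strings, ignoring comments and braces."""
    directives = {}
    for line in block.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue  # blank lines, 'server {' and '}' carry no directive
        name, *values = line[:-1].split()
        directives.setdefault(name, []).append(" ".join(values))
    return directives


def check_tls_config(block):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(block)
    findings = []
    legacy = set(d.get("ssl_protocols", [""])[0].split()) & {"SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    if d.get("ssl_session_tickets", ["on"])[0] != "off":  # nginx defaults to on
        findings.append("ssl_session_tickets not off (long-lived ticket keys weaken forward secrecy)")
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if age is None or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS header missing or max-age below one year")
    if d.get("ssl_stapling", ["off"])[0] != "on" or d.get("ssl_stapling_verify", ["off"])[0] != "on":
        findings.append("OCSP stapling is not both enabled and verified")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing, so the DHE suites in ssl_ciphers will not be offered")
    return findings
```

Running check_tls_config over the text of your own conf.d file before nginx -t gives a quick regression check when the block is edited later.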
Step 7: Install the certificate
Install the issued certificate into the nginx server:
# acme.sh --installcert -d c8nginx.theitroad.local \
    --key-file /etc/nginx/ssl/theitroad.local/c8nginx.theitroad.local.key \
    --fullchain-file /etc/nginx/ssl/theitroad.local/c8nginx.theitroad.local.cer \
    --reloadcmd 'systemctl reload nginx.service'
Make sure nginx is listening on the port using the ss command or the netstat command:
# ss -tulpn
Step 8: Firewall configuration
You need to open port 443 (HTTPS) on the server with Firewalld so that clients can connect to it.
Update the rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent
Step 9: Testing
Fire up a web browser and enter your domain, for example:
https://c8nginx.theitroad.local
Test the site with the SSL Labs test:
https://www.ssllabs.com/ssltest/analyze.html?d=c8nginx.theitroad.local
Step 10: acme.sh commands
List all certificates:
# acme.sh --list
Sample output:
Main_Domain              KeyLength  SAN_Domains  Created                       Renew
c8nginx.theitroad.local  "4096"     no           Mon Dec 30 16:57:10 UTC 2019  Fri Feb 28 16:57:10 UTC 2020
Renew the certificate for the domain named c8nginx.theitroad.local:
# acme.sh --renew -d c8nginx.theitroad.local
Note that a cron job will also try to renew the certificate for you.
It is installed by default as follows (you do not need to do anything).
To view the job, run:
# crontab -l
Sample output:
8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Upgrade the acme.sh client:
# acme.sh --upgrade
Get help:
# acme.sh --help | more