certbot官网:https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

一、安装步骤

1)安装certbot,执行 

sudo yum install certbot python2-certbot-nginx

2)检查是否安装成功,执行 

certbot --help
[root@iz2zeb4argxs74khdclp2dz ~]#  certbot --help

Traceback (most recent call last):

  File "/usr/bin/certbot", line , in <module>

    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return get_distribution(dist).load_entry_point(group, name)

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load_entry_point

    return ep.load()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in load

    return self.resolve()

  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line , in resolve

    module = __import__(self.module_name, fromlist=['__name__'], level=)

  File "/usr/lib/python2.7/site-packages/certbot/main.py", line , in <module>

    from certbot import account

  File "/usr/lib/python2.7/site-packages/certbot/account.py", line , in <module>

    from acme import messages

  File "/usr/lib/python2.7/site-packages/acme/messages.py", line , in <module>

    from acme import challenges

  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line , in <module>

    import requests

  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line , in <module>

    from . import utils

  File "/usr/lib/python2.7/site-packages/requests/utils.py", line , in <module>

    from .exceptions import InvalidURL

  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line , in <module>

    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError

  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line , in load_module

    raise ImportError("No module named '%s'" % (name,))

ImportError: No module named 'requests.packages.urllib3'

3)解决上面没有requests.packages.urllib3的问题,执行

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

4)安装证书,执行

sudo certbot --nginx

如:

[root@iz2zeb4argxs74khdclp2dz ~]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

上面提示信息显示没有找到nginx,那么

需要将nginx放到环境变量中,设置nginx软连接

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

ln -s /usr/local/nginx/conf/ /etc/nginx

再次执行就OK了
sudo certbot --nginx 安装证书
5)然后再一步一步的根据提示进行配置 
如:
[root@iz2zeb4argxs74khdclp2dz sbin]# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): @qq.com   // 1)设置邮箱,用于安全提示

Starting new HTTPS connection (): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: a    // 2)同意协议

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n    // 3)不共享你的邮箱

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: admin.talkilla.jiushiyaokuaile.cn

: consultant.talkilla.jiushiyaokuaile.cn

: student.talkilla.jiushiyaokuaile.cn

: teacher.talkilla.jiushiyaokuaile.cn

: wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):     5  // 4)选择需要激活https的域名

Obtaining a new certificate

Performing the following challenges:

http- challenge for admin.talkilla.jiushiyaokuaile.cn

http- challenge for consultant.talkilla.jiushiyaokuaile.cn

http- challenge for student.talkilla.jiushiyaokuaile.cn

http- challenge for teacher.talkilla.jiushiyaokuaile.cn

http- challenge for wechat.talkilla.jiushiyaokuaile.cn

Waiting for verification...

Cleaning up challenges

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/admin-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/student-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Deploying Certificate to VirtualHost /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

: No redirect - Make no further changes to the webserver configuration.

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [-] then [enter] (press 'c' to cancel): 2  // 5)设置是否将http自动重定向到https,1否2是

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/admin-talkilla-http.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/consultant-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/student-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/teacher-talkilla.conf

Redirecting all traffic on port  to ssl in /usr/local/nginx/conf/conf.d/wechat-talkilla.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled

https://admin.talkilla.jiushiyaokuaile.cn,

https://consultant.talkilla.jiushiyaokuaile.cn,

https://student.talkilla.jiushiyaokuaile.cn,

https://teacher.talkilla.jiushiyaokuaile.cn, and

https://wechat.talkilla.jiushiyaokuaile.cn

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=admin.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=consultant.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=student.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=teacher.talkilla.jiushiyaokuaile.cn

https://www.ssllabs.com/ssltest/analyze.html?d=wechat.talkilla.jiushiyaokuaile.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/admin.talkilla.jiushiyaokuaile.cn/privkey.pem

   Your cert will expire on --. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

6) 配置自动更新证书

在证书到期之后更新证书,我们可以通过 certbot renew 命令来更新证书
借助 Crontab 来编写一个定时任务,定期强制更新一个这个证书,然后重启 Nginx: 

Crontab 通过 crontab -e 命令编辑,通过 crontab -l 查看。
这样就完成了 SSL 安全证书更新了。 
使用crontab -e 命令:
   * * certbot renew

   * * service nginx restart

注意:

若执行certbot renew时,出现: 'ascii' codec can't decode byte 0xe8 in position 2: ordinal not in range(128) 错误,参考如下:

解决方案

7)当需要安装新的证书

执行:

 sudo certbot run --nginx

【Nginx】使用certbot安装免费https证书使Nginx支持Https请求的更多相关文章

  1. nginx用Certbot配置免费SSL证书(ngx_http_ssl_module模块)

    一.准备工作 1.先安装nginx https://files.cnblogs.com/files/blogs/676936/nginx-1.18.0.sh #nginx-1.18.0版安装脚本2.在 ...

  2. 使用免费SSL证书让网站支持HTTPS访问

    参考掘金的文章,掘金的文章最详细. https://juejin.im/post/5a31cbf76fb9a0450b6664ee 先检查是否存在 EPEL 源: # 进入目录检查是否存在 EPEL ...

  3. handbook/CentOS/使用免费SSL证书让网站支持HTTPS访问.md

  4. 购买https证书以及nginx配置https

    文章来源 运维公会:购买https证书以及nginx配置https 1.https的作用 https的全名是安全超文本传输协议,是在http的基础上增加了ssl加密协议.在信息传输的过程中,信息有可能 ...

  5. 我的Android进阶之旅------>Android关于HttpsURLConnection一个忽略Https证书是否正确的Https请求工具类

    下面是一个Android HttpsURLConnection忽略Https证书是否正确的Https请求工具类,不需要验证服务器端证书是否正确,也不需要验证服务器证书中的域名是否有效. (PS:建议下 ...

  6. 创建免费的证书,实现网站HTTPS

    使用Certbot来实现HTTPS,这边也就考虑采用Cerbot来实现下 配置Certbot 证书 Certbot 的官方网站是 https://certbot.eff.org/ ,打开官网选择的 w ...

  7. 免费申请 HTTPS 证书,开启全站 HTTPS

    作者:HelloGitHub-追梦人物 文中涉及的示例代码,已同步更新到 HelloGitHub-Team 仓库 HTTP 报文以明文形式传输,如果你的网站只支持 HTTP 协议,那么就有可能遭受到安 ...

  8. 新版startssl 免费SSL证书申请 (实测 笔记 https http2 必要条件)

    简单说明: 目前多个大型网站都实现全站HTTPS,而SSL证书是实现HTTPS的必要条件之一. StartSSL是StartCom公司旗下的.提供免费SSL证书服务并且被主流浏览器支持的免费SSL.包 ...

  9. linux 系统自签免费ssl证书和nginx配置

    首先执行如下命令生成一个key openssl genrsa -des3 -out ssl.key 1024 然后他会要求你输入这个key文件的密码.不推荐输入.因为以后要给nginx使用.每次rel ...

随机推荐

  1. CSP 2019游记 & 退役记

    扶苏让我记录他AK CSP 的事实 ZAY NB!!! "你不配" 两年半的旅行结束了,我背着满满的行囊下了车,望着毫不犹豫远去的列车,我笑着哭了,笑着翻着我的行囊-- 游记 Da ...

  2. Elasticsearch的null values

    很多时候,我们需要面临null值的烦扰,查询es时传入null值是要查询出null的数据还是不查这个field呢,稍有不慎就会引发新的bug,这的确是个问题! null_value 意味着无法索引或搜 ...

  3. 【Gamma】事后分析

    目录 [Gamma]事后分析 设想和目标 计划 资源 变更管理 设计/实现 测试/发布 团队的角色,管理,合作 总结 照片 [Gamma]事后分析 设想和目标 我们的软件要解决什么问题?是否定义得很清 ...

  4. Spring AOP 代理类,BeanNameAutoProxyCreator cglib

    BeanNameAutoProxyCreator支持拦截接口和类,但不支持已经被jdk代理过的类$Proxy8.使用cglib才能代理,如下 <!-- 通过bean的名字来匹配选择要代理的bea ...

  5. 京东联盟开发(6)——推广链接解析SKUID

    1.从推广方案中分析出价格及推广码 $keyword = " [京东]长虹(CHANGHONG) L3 老人手机 移动/联通2G 老年机 双卡双待 咖啡 原价:168.00元 券后价:163 ...

  6. React-native 导航插件React Navigation 4.x的使用

    React-native 导航插件React Navigation 4.x的使用 文档 英文水平可以的话,建议直接阅读英文文档 简单使用介绍 安装插件 yarn add react-navigatio ...

  7. spring&pom两种获取profile的方式

    一.原理: 1.实现ApplicationContextAware(当一个类实现了ApplicationContextAware这个接口之后,这个类就可以通过setApplicationContext ...

  8. 2019 C/C++《阿里》面试题总结

    一.C和C++的区别是什么? C是面向过程的语言,C++是在C语言的基础上开发的一种面向对象编程语言,应用广泛. C中函数不能进行重载,C++函数可以重载 C++在C的基础上增添类,C是一个结构化语言 ...

  9. @Valid参数验证 BindingResult result 的使用

    1.首先导入依赖包bean-validator.jar2.在实体类上面写一些相关的验证信息:可以搜索更多的一些验证方式,这只是一部分 可以参考:点击打开链接http://blog.csdn.net/c ...

  10. 啊哈!算法(第二章)C#实现

    第 1 节 解密 QQ 号——队列   新学期开始了,小哈是小哼的新同桌(小哈是个小美女哦~),小哼向小哈询问 QQ 号,小哈当然不会直接告诉小哼啦,原因嘛你懂的. 所以小哈给了小哼一串加密过的数字, ...