Coffee Cat (Li Changming) notes
The company used a self-signed certificate created with OpenSSL, which has one drawback: some clients do not trust it and refuse to connect over HTTPS. So I looked into using Certbot to obtain a CA-signed certificate.
Certbot's official address:
https://certbot.eff.org/
1. Before requesting the certificate:
You need a server with a public IP address and a registered domain name whose DNS record points at that address; Let's Encrypt validates the domain by connecting to it.
2. Getting started:
(1) Download the Certbot client:
wget https://dl.eff.org/certbot-auto
(2) Change into the download directory and make the file executable:
chmod a+x ./certbot-auto
3. Certbot has two ways of working:
(1) Standalone mode: Certbot starts its own temporary web server on port 80 to answer the validation request. If a web server (Nginx, Apache) is already running on the machine it has to be stopped first, otherwise the two conflict over the port.
(2) Webroot mode: Certbot uses the existing web server. It writes a hidden challenge file under the web root (in .well-known/acme-challenge/), and the Let's Encrypt server fetches that file over HTTP using your domain name to confirm that you really control the domain. The web server stays up the whole time, which is also what makes this mode convenient for later renewals.
4. I use the webroot method. I set up an Nginx server myself and configure the location block as follows:
(1) Install Nginx with yum (on CentOS 7 the nginx package comes from the EPEL repository, so enable that first if it is not already):
sudo yum -y install nginx
(2) Edit the Nginx configuration file and add the location for the challenge files. It goes inside the http { } section, in the server block that listens on port 80 for your domain, and it must serve /.well-known/acme-challenge/ from the same web root that you will pass to Certbot with -w.
(3) After editing the configuration file, check its syntax with nginx -t:
sudo nginx -t    # "syntax is ok" and "test is successful" mean the edit is valid
(4) Start the Nginx service and confirm that it is listening on port 80:
sudo nginx
netstat -anplut | grep ':80 '    # check that port 80 is listening
(5) Use the certbot-auto command to request the certificate:
./certbot-auto certonly --webroot -w /usr/share/nginx/html/ -d [your domain name]    # -w is the web root configured in Nginx, -d the domain to certify
certonly means Certbot only obtains the certificate and leaves the Nginx configuration alone; -d can be repeated to cover additional names (for example the www. form).
(6) When the command succeeds it prints where the new files were written. A directory named after your domain is created under /etc/letsencrypt/live, and the whole /etc/letsencrypt tree then looks like this:
$ tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts
│   └── acme-v01.api.letsencrypt.org [error opening dir]
├── archive [error opening dir]
├── csr
│   └── 0000_csr-certbot.pem
├── keys [error opening dir]
├── live
│   └── kafeimao.com            (replace with your own domain name)
│       ├── cert.pem -> ../../archive/kafeimao.com/cert1.pem
│       ├── chain.pem -> ../../archive/kafeimao.com/chain1.pem
│       ├── fullchain.pem -> ../../archive/kafeimao.com/fullchain1.pem
│       ├── privkey.pem -> ../../archive/kafeimao.com/privkey1.pem
│       └── README
├── options-ssl-apache.conf
├── options-ssl-nginx.conf
├── renewal
│   └── kafeimao.com.conf
├── renewal-hooks
│   ├── deploy
│   ├── post
│   └── pre
└── ssl-dhparams.pem

12 directories, 10 files

The "[error opening dir]" entries appear because tree was run as an ordinary user: accounts, archive and keys are readable by root only, since they hold the ACME account key and the private keys. The entries in live/ are symlinks into archive/, so reading privkey.pem also needs root. That is fine for Nginx, whose master process runs as root and loads the key before handing work to the unprivileged workers.
For HTTPS, Nginx needs two of these files: fullchain.pem (the server certificate followed by the intermediate chain, so clients can build a path to the trusted root) and privkey.pem (the private key). Using cert.pem on its own leaves out the intermediate, which is exactly the kind of mistake that makes some clients reject the certificate.
5. Configure Nginx for HTTPS and test that the certificate works. The server block below is the stock CentOS one with the certificate paths filled in:
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name kafeimao.com;

    # "ssl on;" is not needed here: the ssl parameter on listen already enables
    # TLS, and the directive is deprecated in current Nginx releases.
    ssl_certificate     "/etc/letsencrypt/live/kafeimao.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/kafeimao.com/privkey.pem";
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 10m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        root /usr/share/nginx/html/kafeimao.com;
        index index.html;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
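The following is an added example, not the configuration from the original post, that puts the two halves of the setup into one site file: the port-80 server block with the challenge location needed in step 4(2), and the HTTPS server block from step 5. It assumes the post's domain kafeimao.com and web roots, and it uses the options-ssl-nginx.conf and ssl-dhparams.pem files that Certbot placed under /etc/letsencrypt (both appear in the tree above) in place of the commented-out cipher lines. Keeping the port-80 block in place after switching to HTTPS is what lets a later certbot-auto renew validate the domain without any further changes.

```nginx
# /etc/nginx/conf.d/kafeimao.com.conf  (added example; domain and paths assumed from the post)

# Port 80: answer Let's Encrypt HTTP-01 challenges out of the web root given to
# "certbot-auto certonly --webroot -w /usr/share/nginx/html/", and send every
# other request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name kafeimao.com;

    location ^~ /.well-known/acme-challenge/ {
        # Certbot writes <root>/.well-known/acme-challenge/<token> for each request.
        root /usr/share/nginx/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kafeimao.com;

    # fullchain.pem = leaf certificate plus intermediate chain; privkey.pem = private key.
    # Both are symlinks into /etc/letsencrypt/archive/, so a reload always picks up
    # the newest version after a renewal.
    ssl_certificate     /etc/letsencrypt/live/kafeimao.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kafeimao.com/privkey.pem;

    # Installed by Certbot: session cache, protocol and cipher settings (the lines
    # the post left commented out) and the Diffie-Hellman parameters.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root  /usr/share/nginx/html/kafeimao.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Drop the file into /etc/nginx/conf.d/ (the stock CentOS nginx.conf includes that directory), run nginx -t, then nginx -s reload. The default_server parameters from the post's block were left off so that this file only answers for the named host.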
6. Reload the Nginx service:
sudo nginx -s reload
7. Open the domain name in a browser and test the HTTPS connection.
8. If the browser reports the certificate as valid, congratulations, it works. That is all there is to it.
Summary:
Certificates issued by Certbot are valid for 90 days, so they have to be renewed. The renew command goes through every certificate listed under /etc/letsencrypt/renewal/ and renews those within 30 days of expiry, leaving the rest alone, so it is safe to run often.
(1) Manual renewal:
./certbot-auto renew -v
(2) Automatic renewal, run from a cron job (the Certbot documentation suggests twice a day):
./certbot-auto renew --quiet --no-self-upgrade
One thing to remember: renewal only writes new files under /etc/letsencrypt. Nginx reads the certificate when it starts or reloads and keeps serving the old one from memory until then, so put a script that reloads Nginx into /etc/letsencrypt/renewal-hooks/deploy/ (the directory shown in the tree above); Certbot runs the scripts there only when a certificate was actually renewed.
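The renewal commands above do not tell you whether the certificate Nginx is serving is actually fresh. Below is an added example in POSIX shell, not part of the original post: it reads the expiry date from a certificate file with openssl, applies the same 30-day window that Certbot's renew uses, and can fetch the certificate a live server presents so the two can be compared. The domain and certificate paths are the post's; the example.test name, the sample certificate the script generates for itself and the cron line in the comments are assumptions for illustration. It relies on GNU date, as shipped with CentOS 7.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: GNU date (-d),
# openssl on PATH, certbot-auto at /root/certbot-auto, domain kafeimao.com.

# Days until the certificate in file $1 expires (negative once it has expired).
cert_days_left() {
    # openssl prints e.g. "notAfter=Jun  1 12:00:00 2024 GMT"
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 when $1 is inside the renewal window (30 days or less left), which is
# the default window "certbot-auto renew" applies; otherwise exit 1.
needs_renewal() {
    [ "$(cert_days_left "$1")" -le 30 ]
}

# Days left on the certificate that a live server presents for host $1.
# Needs network access, so it is not exercised offline. If this number is much
# lower than cert_days_left on /etc/letsencrypt/live/<domain>/fullchain.pem,
# Certbot renewed the certificate but Nginx was never reloaded and is still
# serving the old one from memory.
served_cert_days_left() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    cert_days_left "$tmp"
    rm -f "$tmp"
}

# Constructed sample input: a throwaway self-signed certificate valid for $2
# days, written to directory $1, so the checks above can be run offline without
# touching /etc/letsencrypt.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Typical use on the server (as root, since the private key is root-only):
#   cert_days_left /etc/letsencrypt/live/kafeimao.com/fullchain.pem
#   served_cert_days_left kafeimao.com
# Cron entry (assumed path) that renews when due and reloads Nginx only when a
# certificate was actually replaced:
#   0 3 * * * /root/certbot-auto renew --quiet --no-self-upgrade --deploy-hook "nginx -s reload"
```

If cert_days_left on fullchain.pem reports 89 days while served_cert_days_left for the domain reports 5, the renewal happened but the reload did not. Running ./certbot-auto renew --dry-run rehearses the whole renewal against the Let's Encrypt staging environment without replacing anything, which is a good way to test the deploy hook before trusting it to cron.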
If the certificate request fails at the validation step:
With the webroot method (which the official site also recommends) this means the Let's Encrypt server could not fetch the challenge file through Nginx. Check the location block: it has to sit inside the server block that answers for the domain on port 80, and its root has to be the same directory you passed to -w.
This article is only a note; there is nothing esoteric in it. Coffee Cat keeps moving forward.
Certbot: configuring a CA-signed certificate on CentOS 7 for Nginx HTTPS access