Linux Should Be Learned This Way, 2018-05-11
Lab Environment: CentOS Linux release 7.3.1611 (Core)
Kernel version: Linux version 3.10.0-514.el7.x86_64
Nginx version: Nginx-1.13.0
Let's Encrypt is a free, automated and open certificate authority run by the ISRG and sponsored by Mozilla, Cisco, Chrome, Facebook, Akamai and many other companies and organizations; the certificates it issues are trusted by mainstream browsers. See the Let's Encrypt website for details.
Today we use Let's Encrypt to put the website behind HTTPS.
Official website: https://letsencrypt.org/
1. Install Certbot and the EPEL repository
Certbot is the client officially recommended by Let's Encrypt: it proves control of the domain to the CA, obtains the certificate and can later renew it without manual work. On CentOS 7 it is packaged in EPEL, so enable that repository first:
$ yum install -y epel-release
$ yum install -y certbot
$ certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
(Choose 1, the webroot method, and press Enter: Nginx keeps running and Certbot writes the challenge file into the site's directory. The standalone method needs port 80 to be free, so Nginx would have to be stopped.)
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): <your email address>
(Enter the address that should receive expiry warnings and security notices.)
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
(Type a and press Enter to accept the terms of service; c refuses and aborts.)

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
(Optional: y shares your address with the EFF, n does not. Either way the certificate is issued.)
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): blog.renwole.com
(Enter the domain name(s) the certificate should cover and press Enter.)
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.renwole.com
Select the webroot for blog.renwole.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for blog.renwole.com: (Enter 'c' to cancel): /home/www/blog.renwole.com
(Enter the absolute path of the directory Nginx serves for this domain on port 80; Certbot writes the challenge file under .well-known/acme-challenge/ inside it.)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.renwole.com/fullchain.pem. Your cert will
   expire on 2017-08-09. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:
The certificate, its chain and the private key are now under /etc/letsencrypt/live/blog.renwole.com/ (fullchain.pem, cert.pem, chain.pem and privkey.pem are symlinks that always point at the current version), and this certificate expires on 2017-08-09.
Note: with the webroot method the CA validates the http-01 challenge by fetching http://blog.renwole.com/.well-known/acme-challenge/<token> over plain HTTP on port 80. Nginx must therefore be running and serving the webroot entered above on port 80 when the certificate is requested, and again at every renewal; port 443 plays no part in the validation, and issuance fails if the challenge file cannot be fetched.
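Because http-01 validation is nothing more than an HTTP GET for http://blog.renwole.com/.well-known/acme-challenge/<token> against port 80, the same fetch can be run locally before Certbot is invoked, which catches a wrong webroot or a missing port-80 server block immediately instead of after a failed challenge. The script below is an added example written for this page, not Certbot's code or the original post's: it drops a constructed token into the webroot, fetches it through the local server with the domain in the Host header, compares the body and removes the token again. The domain and webroot path are taken from this page, the optional HOST:PORT override is an assumption of the example, and the check needs curl.

```shell
#!/bin/bash
# acme-preflight.sh (added example): reproduce the http-01 fetch Let's Encrypt
# performs, so a wrong webroot or a missing port-80 server is caught before
# "certbot certonly" is run.
set -u

# acme_challenge_dir WEBROOT
# Create (if needed) and print the directory Certbot writes challenge files into.
acme_challenge_dir() {
    local dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s\n' "$dir"
}

# acme_preflight DOMAIN WEBROOT [HOST:PORT]
# Write a random token under WEBROOT, GET it from HOST:PORT (default DOMAIN:80)
# with "Host: DOMAIN", compare the body and clean up.
# Returns 0 when the body matches, 1 when unreachable or different, 2 without curl.
acme_preflight() {
    local domain=$1 webroot=$2 target=${3:-$1:80}
    local dir token body rc=1
    command -v curl >/dev/null 2>&1 || { echo "curl not found" >&2; return 2; }
    dir=$(acme_challenge_dir "$webroot") || return 1
    # constructed token for this check only; real ACME tokens come from the CA
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'preflight-%s' "$token" > "$dir/$token" || return 1
    body=$(curl -s --max-time 5 -H "Host: $domain" \
        "http://$target/.well-known/acme-challenge/$token") || body=""
    if [ "$body" = "preflight-$token" ]; then
        echo "OK: $domain serves $dir over HTTP ($target)"
        rc=0
    else
        echo "FAIL: http://$target/.well-known/acme-challenge/$token did not return the token" >&2
    fi
    rm -f "$dir/$token"
    return $rc
}

# Usage: ./acme-preflight.sh blog.renwole.com /home/www/blog.renwole.com
if [ $# -ge 2 ]; then
    acme_preflight "$@"
fi
```

Run it on the server itself with the real domain and webroot; a FAIL means the CA's fetch would fail in the same way, so fix the Nginx port-80 configuration before running certbot certonly.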
2. Auto-Renewal
Certbot can renew certificates automatically before they expire. A Let's Encrypt certificate is valid for only 90 days, so rely on this rather than on remembering to renew by hand. First test the renewal process without changing anything (the dry run talks to the Let's Encrypt staging environment and writes no certificate):
$ sudo certbot renew --dry-run
If that succeeds, schedule the real renewal with cron or a systemd timer that runs:
certbot renew
We add a cron job that runs the check every six hours. Running it often is harmless: certbot renew only renews certificates that have fewer than 30 days left and does nothing otherwise.
$ sudo crontab -e
Add the following line:
0 */6 * * * /usr/bin/certbot renew --quiet --deploy-hook "/bin/systemctl reload nginx"
Save and exit. The deploy hook (Certbot 0.17 or later) reloads Nginx only when a certificate was actually renewed; chaining && /bin/systemctl restart nginx after the command instead would restart the server, dropping open connections, four times a day whether or not anything changed.
Check that the entry was saved:
$ crontab -l
0 */6 * * * /usr/bin/certbot renew --quiet --deploy-hook "/bin/systemctl reload nginx"
crond picks up changes made with crontab -e by itself and does not need a restart; it only has to be running:
$ systemctl status crond.service
$ systemctl start crond.service
Watch the job being executed:
$ tail -f /var/log/cron
Once a renewal has gone through, list the certificates Certbot manages together with their domains and expiry dates:
$ certbot certificates
See the official documentation for more Certbot commands https://certbot.eff.org/docs/
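Two checks worth keeping next to the renewal job, as an added example written for this page (not Certbot's code or the original post's): whether the live certificate is inside Certbot's default 30-day renewal window, using openssl x509 -checkend, and whether cert.pem and privkey.pem under /etc/letsencrypt/live/ still belong to each other, which is exactly the mismatch that makes nginx -t fail with a key values mismatch error after a botched restore. The renew branch runs certbot renew with the same deploy hook as the cron line above and then refuses to report success if the certificate is still inside the window, which catches a silent failure of a --quiet run. The live directory for blog.renwole.com and the use of systemctl reload are assumptions taken from this page; --deploy-hook needs Certbot 0.17 or later.

```shell
#!/bin/bash
# cert-check.sh (added example): expiry and key/cert consistency checks around
# "certbot renew". Paths are Certbot's defaults for the domain used on this page.
set -u

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/blog.renwole.com}
RENEW_WINDOW_DAYS=30    # Certbot renews when fewer than 30 days remain
LOG=/var/log/letsencrypt/letsencrypt.log

# cert_expires_within PEM DAYS
# 0 if the (first) certificate in PEM expires within DAYS days, 1 if it is good
# for longer, 2 if PEM cannot be read or parsed.
cert_expires_within() {
    local pem=$1 days=$2
    [ -r "$pem" ] && openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 while the certificate is still valid N seconds from now
    if openssl x509 -noout -in "$pem" -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_and_key_match CERT KEY
# 0 if the public key inside CERT is the one derived from KEY (RSA or EC),
# 1 if not, 2 if either file cannot be parsed.
cert_and_key_match() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# renew_and_verify: what the cron job should do. certbot decides whether a
# renewal is due; the deploy hook reloads Nginx only when a certificate was
# actually replaced. Afterwards the live pair must be consistent and outside
# the renewal window, otherwise something went wrong quietly.
renew_and_verify() {
    local cert=$LIVE_DIR/cert.pem key=$LIVE_DIR/privkey.pem
    certbot renew --quiet --deploy-hook "/bin/systemctl reload nginx" || return 1
    if ! cert_and_key_match "$cert" "$key"; then
        echo "$LIVE_DIR: certificate and private key do not match" >&2
        return 1
    fi
    if cert_expires_within "$cert" "$RENEW_WINDOW_DAYS"; then
        echo "$cert: still inside the $RENEW_WINDOW_DAYS-day window after renew, see $LOG" >&2
        return 1
    fi
    echo "$cert: ok, $(openssl x509 -noout -enddate -in "$cert")"
}

# Usage: ./cert-check.sh renew           (cron entry; uses the paths above)
#        ./cert-check.sh check CERT.pem  (report whether CERT.pem is due)
case ${1:-} in
    renew) renew_and_verify ;;
    check) if cert_expires_within "${2:?certificate path required}" "$RENEW_WINDOW_DAYS"; then
               echo "$2: renewal due"
           else
               echo "$2: not due (or unreadable)"
           fi ;;
esac
```

openssl x509 reads only the first certificate in a file, so check can be pointed at fullchain.pem as well as cert.pem; both start with the leaf certificate.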
3. Configure nginx.conf
Next, edit the Nginx configuration. In the server block for port 443, uncomment the SSL directives, point ssl_certificate at fullchain.pem (the certificate together with the intermediate chain, not cert.pem on its own, or clients without the intermediate will not be able to build a trusted path) and ssl_certificate_key at privkey.pem. Keep a server block on port 80 that serves /.well-known/acme-challenge/ from the same webroot, otherwise the cron renewals from step 2 fail; the rest of the HTTP traffic can be redirected to HTTPS. Check the file with nginx -t, then reload Nginx.
# vi /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name blog.renwole.com;
    # keep serving ACME challenges from the webroot so cron renewals keep working
    location /.well-known/acme-challenge/ { root /home/www/blog.renwole.com; }
    # everything else is sent to HTTPS
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    server_name blog.renwole.com;
    ssl_certificate /etc/letsencrypt/live/blog.renwole.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.renwole.com/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # no TLS 1.0/1.1; OpenSSL 1.0.2 on CentOS 7 cannot do TLS 1.3
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /home/www/blog.renwole.com;
        index index.html index.htm;
    }
}
Open https://blog.renwole.com/ in Google Chrome: the padlock icon in the address bar shows that the site is served over HTTPS with a certificate the browser trusts.
Nginx: configuring a free HTTPS certificate