Apache2 HTTPS configuration

I. Edit the configuration file

/etc/apache2/sites-available/default-ssl.conf

1. Add the certificate details

      SSLEngine on

      #   A self-signed (snakeoil) certificate can be created by installing
      #   the ssl-cert package. See
      #   /usr/share/doc/apache2/README.Debian.gz for more info.
      #   If both key and certificate are stored in the same file, only the
      #   SSLCertificateFile directive is needed.
      #     SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
      #     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
      SSLCertificateFile      /etc/letsencrypt/live/yourdomain.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem

II. Run a2enmod ssl to enable the SSL module (important); a2dismod ssl disables it again

III. Run a2ensite default-ssl.conf to enable the SSL site (important)

IV. Restart Apache2, or run service apache2 reload

V. apachectl configtest   # check whether the Apache configuration is valid

Nginx reverse proxy HTTPS configuration

I. Edit the nginx configuration

vi /etc/nginx/sites-available/default

server {
    listen 443 ssl;  # 'ssl' must not be omitted, otherwise nginx reports an error
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_session_timeout 5m;
    # SSLv3 is broken (POODLE) and not built into current OpenSSL/nginx, so it is left out
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # a single OpenSSL cipher string; "HIGH:!aNULL:!MD5" (without !3DES) also works
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://127.0.0.1:4430;
    }
}

Or

server {
    listen 80;
    server_name 127.0.0.1 localhost yourdomain.com;
    # rewrite ^(.*)$ https://$host$1 permanent;

    location / {
        proxy_pass https://127.0.0.1:4430;
    }
}
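Both the Apache directives in section I above and the nginx server block just shown are easy to get subtly wrong by hand: the certificate paths must be single tokens with no stray spaces, `listen 443` must carry `ssl`, the snakeoil lines must actually be replaced rather than left active, and the protocol list should not include retired SSL/TLS versions. The following script is an added example (not part of the original post, and not an nginx or Apache tool) that scans a config text for exactly those points. The sample configs are constructed inline; the "as posted" nginx sample deliberately contains a space inside a path and a legacy protocol list so the checks have something to find.

```python
"""Static checks for the Apache and nginx TLS snippets on this page.

Added example, not from the original post. It looks for the mistakes the
page warns about (whitespace inside certificate paths, `listen 443`
without `ssl`, snakeoil certificate still active) and for deprecated
protocol versions in `ssl_protocols`. All sample configs are constructed.
"""
import re
from typing import Dict, List

# Versions retired by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _values(directive: str, conf: str) -> List[str]:
    """All values of an nginx directive (text between the name and ';')."""
    return [v.strip() for v in re.findall(rf"^\s*{directive}\s+([^;]*);", conf, re.M)]


def check_nginx(conf: str) -> List[str]:
    """Findings for an nginx server block; an empty list means clean."""
    findings: List[str] = []
    for args in _values("listen", conf):
        words = args.split()
        if "443" in words and "ssl" not in words:
            findings.append("listen 443 without 'ssl': port 443 would speak plain HTTP")
    for directive in ("ssl_certificate", "ssl_certificate_key"):
        for value in _values(directive, conf):
            if len(value.split()) != 1:   # a path with spaces is split into several tokens
                findings.append(f"{directive} path contains whitespace: {value!r}")
    for protos in _values("ssl_protocols", conf):
        weak = sorted(WEAK_PROTOCOLS & set(protos.split()))
        if weak:
            findings.append("ssl_protocols enables deprecated versions: " + " ".join(weak))
    for ciphers in _values("ssl_ciphers", conf):
        if " or " in ciphers or any(q in ciphers for q in "\u201c\u201d"):
            findings.append("ssl_ciphers must be one OpenSSL cipher string in straight quotes")
    return findings


def check_apache(conf: str) -> List[str]:
    """Findings for an Apache <VirtualHost> body such as default-ssl.conf."""
    directives: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments are not configuration
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives.setdefault(parts[0], []).append(parts[1].strip())
    findings: List[str] = []
    if directives.get("SSLEngine", ["off"])[0].lower() != "on":
        findings.append("SSLEngine is not 'on'")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        values = directives.get(name)
        if not values:
            findings.append(f"{name} is missing (or still commented out)")
        elif "snakeoil" in values[0]:
            findings.append(f"{name} still points at the self-signed snakeoil file")
    return findings


# Constructed sample: the nginx block with two common slips left in.
NGINX_AS_POSTED = """server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/ yourdomain.com /fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
}
"""

# Constructed sample: the Apache directives as edited on this page.
APACHE_AS_POSTED = """
      SSLEngine on
      #     SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
      #     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
      SSLCertificateFile      /etc/letsencrypt/live/yourdomain.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
"""

# Constructed sample: the Debian default left untouched.
APACHE_DEFAULT = """
      SSLEngine on
      SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
      SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
"""

if __name__ == "__main__":
    for label, result in (("nginx", check_nginx(NGINX_AS_POSTED)),
                          ("apache", check_apache(APACHE_AS_POSTED)),
                          ("apache-default", check_apache(APACHE_DEFAULT))):
        print(label, result or "clean")
```

Run it on the real files with `check_nginx(open("/etc/nginx/sites-available/default").read())` before `nginx -t` or `apachectl configtest`; those tools validate syntax, but a space inside a path or a surviving snakeoil line is syntactically fine and only shows up at handshake time.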

II. Note

# With WordPress I kept thinking the configuration had failed; in fact WordPress had not had its site URL changed to https.

III. Reload with systemctl reload nginx so the configuration takes effect

Deploying HTTPS with Let's Encrypt

1. Installation

Official installation method

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-nginx

2. Generate the certificate

$ sudo certbot --nginx

Note: after running the command, follow the prompts and accept the defaults. At the end there is an important notice that includes where the certificate files are stored; remember it, because it is needed to configure nginx, Apache, Tomcat, and so on.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/123.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/123.com/privkey.pem
   Your cert will expire on 2019-08-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

3. Automatic renewal

The last step is automatic certificate renewal. Let's Encrypt certificates are valid for 90 days by default, although the project recommends renewing every 60 days. Once they expire we would have to renew them with a command by hand, but we are lazy, and this kind of chore is better left to a machine. So we can hand the task to a Linux cron job: configure a cron job that runs the command below on the first day of every second month:

vi /etc/crontab

# /etc/crontab entries carry a user field after the five time fields, and cron needs the
# absolute path to the binary; /usr/bin/certbot is where the Ubuntu package puts it (check with: which certbot)
0 0 1 */2 * root /usr/bin/certbot renew --post-hook "systemctl reload nginx" --post-hook "systemctl reload apache2"

Note: absolute paths are required inside a cron job.
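The certbot notice quoted in step 2 and the cron entry in step 3 are the two pieces of this section worth checking mechanically: the notice tells you the paths and the expiry date, and the cron line only works if it has the user column and an absolute binary path. The following script is an added example (not part of the original post and not certbot's own code). It parses a constructed copy of the page's certbot output, builds the /etc/crontab line, and replays `certbot renew` against a run schedule using certbot's documented default of renewing only when 30 days or less of validity remain. /usr/bin/certbot is an assumed install path, and the 2019 dates are taken from the quoted output.

```python
"""Renewal bookkeeping for the certbot output quoted on this page.

Added example, not from the original post. Parses the certbot summary,
builds an /etc/crontab entry, and simulates `certbot renew` on a
schedule to show when a renewal actually happens. Sample text is a
constructed copy of the page's output; /usr/bin/certbot is assumed.
"""
import re
from datetime import date, timedelta
from typing import Dict, List, Tuple

CERTBOT_NOTES = """IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/123.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/123.com/privkey.pem
   Your cert will expire on 2019-08-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
"""

LIFETIME_DAYS = 90             # Let's Encrypt certificate validity
RENEW_BEFORE_EXPIRY_DAYS = 30  # certbot's default renew_before_expiry


def parse_certbot_notes(text: str) -> Dict[str, object]:
    """Extract fullchain path, key path and expiry date from the summary."""
    chain = re.search(r"saved at:\s*(/\S+/fullchain\.pem)", text)
    key = re.search(r"key file has been saved at:\s*(/\S+/privkey\.pem)", text)
    exp = re.search(r"expire on (\d{4}-\d{2}-\d{2})", text)
    if not (chain and key and exp):
        raise ValueError("unexpected certbot summary format")
    return {"fullchain": chain.group(1), "privkey": key.group(1),
            "expires": date.fromisoformat(exp.group(1))}


def crontab_line(certbot_path: str, reload_cmds: List[str],
                 schedule: str = "0 0 1 */2 *", user: str = "root") -> str:
    """Build an /etc/crontab entry. The system crontab has a user column,
    and cron's minimal PATH is why the binary must be given absolutely."""
    if not certbot_path.startswith("/"):
        raise ValueError("cron jobs need an absolute path to certbot")
    hooks = " ".join(f'--post-hook "{cmd}"' for cmd in reload_cmds)
    return f"{schedule} {user} {certbot_path} renew {hooks}"


def simulate_renewals(expires: date, run_dates: List[date]) -> List[Tuple[date, str]]:
    """Replay `certbot renew` on each run date. certbot renews only when
    RENEW_BEFORE_EXPIRY_DAYS or fewer days of validity remain; otherwise
    the run is a no-op, which is what makes a sparse schedule risky."""
    log: List[Tuple[date, str]] = []
    for run in run_dates:
        days_left = (expires - run).days
        if days_left < 0:
            log.append((run, f"expired {-days_left} days ago, renewing now"))
            expires = run + timedelta(days=LIFETIME_DAYS)
        elif days_left <= RENEW_BEFORE_EXPIRY_DAYS:
            log.append((run, f"renewed with {days_left} days left"))
            expires = run + timedelta(days=LIFETIME_DAYS)
        else:
            log.append((run, f"skipped, {days_left} days left"))
    return log


def first_of_every_second_month(year: int) -> List[date]:
    """Run dates produced by the page's schedule '0 0 1 */2 *' in one year."""
    return [date(year, month, 1) for month in range(1, 13, 2)]


def daily(start: date, days: int) -> List[date]:
    """Run dates for a daily schedule such as '0 3 * * *'."""
    return [start + timedelta(days=i) for i in range(days)]


def lapse_days(log: List[Tuple[date, str]]) -> int:
    """Days a run found the certificate already expired (0 = no outage)."""
    return sum(int(msg.split()[1]) for _, msg in log if msg.startswith("expired"))


if __name__ == "__main__":
    info = parse_certbot_notes(CERTBOT_NOTES)
    print(info)
    print(crontab_line("/usr/bin/certbot", ["systemctl reload nginx", "systemctl reload apache2"]))
    for run, msg in simulate_renewals(info["expires"], first_of_every_second_month(2019)):
        print(run, msg)
```

Replaying the page's bimonthly schedule against the quoted expiry date shows the failure mode: the 1 July run sees 38 days left and does nothing, and the next run on 1 September arrives 24 days after expiry. A daily run renews on 9 July with 30 days to spare and never lapses, which is why certbot's own documentation suggests running `certbot renew` frequently (it is a no-op whenever nothing is due).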

4. nginx configuration: see "Nginx reverse proxy HTTPS configuration" above
