Since the external API server for a WeChat mini program has to speak HTTPS, I spent the last couple of days working it out on our team blog first.
Everything is OK now, so here is a write-up of the basic flow.
wget https://dl.eff.org/certbot-auto // download the certbot-auto client
git clone git@github.com:certbot/certbot.git // alternatively, fetch the client from GitHub (the repository carries the same certbot-auto script)
sudo chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/ // put it on the PATH so that sudo certbot-auto [options] works from anywhere
Then run
sudo certbot-auto // installs the OS dependencies and certbot's own Python environment
If that works and a text-mode dialog (curses) interface pops up, everything is fine; continue with the next step. (certbot-auto has since been deprecated by EFF; on a current system install certbot from your distribution's packages or from snap and substitute certbot for certbot-auto in the commands below.)
Configure nginx
cd /etc/nginx/sites-enabled/ // nginx's site configuration directory
sudo rm <old config file name> // remove the old config (or move it out of sites-enabled instead, so you can roll back)
sudo vim <new config file name> // create and edit the new config
Paste in the following, replacing blog.newteo.com with your own domain and the root path with your project directory (in my case the bound domain and the project directory have the same name).
server {
    listen 443 ssl;
    server_name blog.newteo.com;
    server_tokens off;                       # hide the nginx version in headers and error pages
    root /home/joephon/team-blog-repo;
    # the certificate paths stay commented out until the certificate has been issued (see below)
    # ssl_certificate /etc/letsencrypt/live/blog.newteo.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/blog.newteo.com/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/blog.newteo.com/chain.pem;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:whatever-SSL:50m;   # see the note on multiple sites at the end
    ssl_session_timeout 1d;
    ssl_session_tickets on;
    ssl_stapling on;                         # OCSP stapling; needs ssl_trusted_certificate and a resolver
    ssl_stapling_verify on;
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
        return 444;                          # close the connection for any other method
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html;          # the webroot certbot writes its challenge files into
    }
    location = /.well-known/acme-challenge/ {
        return 404;                          # never answer for the challenge directory itself
    }
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://127.0.0.1:5000;   # use http:// here if the backend listens for plain HTTP
    }
}
server {
    # no listen directive, so nginx defaults to port 80 (plain HTTP)
    server_name blog.newteo.com;
    server_tokens off;
    access_log /dev/null;
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
    # the redirect stays commented out until the certificate exists
    # location / {
    #     rewrite ^/(.*)$ https://blog.newteo.com/$1 permanent;
    # }
}
Test the configuration, then reload nginx:
sudo nginx -t && sudo nginx -s reload
A few things to check at this point. nginx refuses a server block that says listen 443 ssl without an active ssl_certificate (nginx -t reports: no "ssl_certificate" is defined for the "listen ... ssl" directive), and a reload whose config fails the test leaves the previous configuration running without further notice. If you hit that error, leave the whole 443 server commented out until the certificate has been issued in the next step, then put it back. Note also that the port-80 server declares neither a root nor an acme-challenge location; the webroot validation below works through it only because /usr/share/nginx/html is also the built-in default root of the Debian/Ubuntu nginx package. Copying the location ^~ /.well-known/acme-challenge/ block into the port-80 server removes that dependency. Finally, the cipher string enables RSA+AES128, RSA+AES256 and RSA+3DES (static RSA key exchange, so no forward secrecy) and EECDH+3DES (a 64-bit block cipher), and ssl_protocols still allows TLS 1.0 and 1.1. Limiting ssl_protocols to TLSv1.2 (plus TLSv1.3 where your nginx and OpenSSL support it) and the cipher string to ECDHE suites with AES-GCM or ChaCha20 is the safer setting, and the Let's Encrypt certificate works just the same with it.
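An added example, not part of the original post and not certbot's or nginx's own code: a small POSIX-shell audit that reads one nginx server block and flags the two things that bite in the configuration above, the SSL listener that has no active certificate yet (which nginx -t rejects) and the weak protocol and cipher settings. The two configurations embedded in the script are constructed for this example; the first mirrors the weak settings of the block above, the second shows the corrected form. The function names (strip_comments, directive, audit_tls, audit_count) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS-relevant directives
# of an nginx server block. Reads the config on stdin and prints one "FAIL:" line
# per finding. Both sample configs below are constructed for this example.

# Constructed sample mirroring the weak settings of the block in the post
# (certificate lines still commented out, TLS 1.0/1.1, static-RSA and 3DES suites).
SAMPLE_WEAK='server {
    listen 443 ssl;
    server_name blog.newteo.com;
    # ssl_certificate /etc/letsencrypt/live/blog.newteo.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/blog.newteo.com/privkey.pem;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+3DES:RSA+3DES:!MD5;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

# Constructed corrected form: certificate active, TLS 1.2 only, ECDHE-only suites.
SAMPLE_FIXED='server {
    listen 443 ssl;
    server_name blog.newteo.com;
    ssl_certificate /etc/letsencrypt/live/blog.newteo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.newteo.com/privkey.pem;
    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:!MD5:!3DES;
    ssl_protocols TLSv1.2;
}'

# strip_comments: drop "#..." so a commented-out ssl_certificate does not count as active.
strip_comments() {
    sed 's/#.*$//'
}

# directive NAME: value of the first active directive NAME, without the trailing ';'.
# The name must be followed by whitespace, so "ssl_certificate" does not match
# "ssl_certificate_key".
directive() {
    strip_comments | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*/\1/p" | head -n 1
}

# audit_tls: read a server block on stdin, print one "FAIL: ..." line per finding.
audit_tls() {
    conf=$(cat)

    # 1. "listen ... ssl" with no active ssl_certificate: nginx -t rejects the config.
    listen=$(printf '%s\n' "$conf" | directive listen)
    cert=$(printf '%s\n' "$conf" | directive ssl_certificate)
    case "$listen" in
        *ssl*) [ -n "$cert" ] || echo "FAIL: listen '$listen' has no active ssl_certificate (nginx -t will fail)" ;;
    esac

    # 2. Deprecated protocol versions enabled.
    for p in $(printf '%s\n' "$conf" | directive ssl_protocols); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "FAIL: deprecated protocol $p enabled" ;;
        esac
    done

    # 3. Cipher string: 3DES (64-bit block) and static RSA key exchange (no forward
    #    secrecy). Tokens starting with '!' are exclusions and therefore fine.
    ciphers=$(printf '%s\n' "$conf" | directive ssl_ciphers)
    old_ifs=$IFS
    IFS=:
    for tok in $ciphers; do
        case "$tok" in
            '!'*) ;;
            *3DES*) echo "FAIL: 3DES suite '$tok' enabled" ;;
            RSA|RSA+*) echo "FAIL: static RSA key exchange '$tok' (no forward secrecy)" ;;
        esac
    done
    IFS=$old_ifs
}

# audit_count: number of findings for the config read on stdin.
audit_count() {
    audit_tls | grep -c '^FAIL:' || true
}

echo "== constructed weak config =="
printf '%s\n' "$SAMPLE_WEAK" | audit_tls
echo "== constructed corrected config =="
printf '%s\n' "$SAMPLE_FIXED" | audit_tls
echo "findings: weak=$(printf '%s\n' "$SAMPLE_WEAK" | audit_count) fixed=$(printf '%s\n' "$SAMPLE_FIXED" | audit_count)"
```

To run it against a real site, feed the file from /etc/nginx/sites-enabled/ to audit_tls on stdin; it only looks at the first active occurrence of each directive, so check one server block at a time. It is a lint for the settings in this post, not a replacement for nginx -t, which is the only thing that knows whether nginx will actually load the file.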
Request the certificate
sudo certbot-auto certonly --webroot -w /usr/share/nginx/html -d <your domain>
If the following text appears, it succeeded:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/wechat.joephon.com/fullchain.pem. Your cert
will expire on 2017-02-15. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now edit the nginx config you just wrote
sudo vim <config file name>
Remove the leading '#' from the three ssl_* lines in the 443 server and from the redirect location block in the port-80 server (six lines in all):
server {
    ...
    # ssl_certificate /etc/letsencrypt/live/blog.newteo.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/blog.newteo.com/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/blog.newteo.com/chain.pem;
    ...
    # location / {
    #     rewrite ^/(.*)$ https://blog.newteo.com/$1 permanent;
    # }
    ...
}
After the change it should look like this:
server {
    ...
    ssl_certificate /etc/letsencrypt/live/blog.newteo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.newteo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/blog.newteo.com/chain.pem;
    ...
    location / {
        rewrite ^/(.*)$ https://blog.newteo.com/$1 permanent;
    }
    ...
}
Test and reload nginx once more
sudo nginx -t && sudo nginx -s reload
Open the configured domain again; if http:// now redirects to https://, you are done. Check with a browser or with curl that the redirect is a 301 (the permanent flag on the rewrite) and that the certificate chain is accepted without warnings; because browsers cache a 301, retest in a private window if you change the redirect later.
The certificate is valid for only 90 days, so it has to be renewed before then
sudo certbot renew --agree-tos --dry-run // --agree-tos accepts the subscriber agreement; --dry-run only simulates the renewal against the staging endpoint; drop --dry-run for a real renewal
Use the binary you actually installed: certbot-auto renew if you followed the certbot-auto steps above, certbot (or letsencrypt on Ubuntu 16.x) if you installed the distribution package. renew only touches certificates that are within 30 days of expiry, so it is safe to run it often.
Automatic renewal
sudo crontab -e
then add the following (Ubuntu 14.x)
0 3 * * 1 /usr/local/bin/certbot-auto renew --agree-tos >> /var/log/le-renew.log
0 0 * * 2 nginx -s reload
Ubuntu 16.x
0 3 * * 1 /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log
0 0 * * 2 nginx -s reload
Two practical points about these lines. The reload is scheduled for Tuesday regardless of whether anything was renewed on Monday, so a renewed certificate sits unused for most of a day and a reload that is not needed still happens every week; certbot's renew hooks (--post-hook 'nginx -s reload', or --deploy-hook on releases that have it, which fires only when a certificate was actually renewed) tie the reload to the renewal instead. And cron runs with a minimal PATH that normally does not include /usr/sbin, where Ubuntu installs nginx, so write /usr/sbin/nginx -s reload in the crontab; appending 2>&1 to the renew line keeps certbot's error output in the log as well.
If you want to know why, have a look at 老鱼儿's blog, which explains all of this (linked from the original post).
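A second added example, again not from the original post and not certbot's own code, covering the renewal logic behind the cron lines above: it turns an OpenSSL-style notAfter timestamp into days remaining, applies the same 30-day threshold certbot uses by default, and only reports a reload when the fullchain file actually changed, so nginx is not reloaded blindly on a fixed weekday. It assumes GNU date (the -d option) and, for the optional cert_not_after helper, an openssl binary on the host; the timestamps and file contents in the script are constructed for the example, with dates matching the 90-day certificate expiring 2017-02-15 in the certbot output above. All function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the decision logic behind
# "certbot renew" plus the nginx reload, written so it can be exercised offline.
# Assumes GNU date (-d). Certbot's default is to renew when 30 days or fewer
# remain; the dates below are constructed to match a 90-day certificate that
# expires 2017-02-15, like the one in the certbot output above.

# cert_not_after CERT_FILE: "Feb 15 12:00:00 2017 GMT"-style expiry of a PEM
# certificate (needs openssl; not used by the offline demo below).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# days_until_expiry NOT_AFTER [NOW]: whole days from NOW (default: current time)
# to an OpenSSL-style notAfter timestamp. Negative once the certificate expired.
days_until_expiry() {
    exp=$(date -u -d "$1" +%s)
    now=$(date -u -d "${2:-now}" +%s)
    echo $(( (exp - now) / 86400 ))
}

# needs_renewal DAYS_LEFT [THRESHOLD]: true (0) when inside the renewal window.
needs_renewal() {
    [ "$1" -le "${2:-30}" ]
}

# fingerprint FILE: cheap content checksum (cksum is POSIX) of the certificate chain.
fingerprint() {
    cksum < "$1" | cut -d' ' -f1
}

# chain_changed FULLCHAIN STATE_FILE: true (0), and records the new fingerprint,
# when FULLCHAIN differs from what was seen last time, i.e. nginx must reload;
# false (1) when nothing changed and the reload can be skipped.
chain_changed() {
    new=$(fingerprint "$1")
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$2"
}

# renew_and_reload FULLCHAIN STATE_FILE: what one weekly cron entry should do.
# Only meaningful on a host with certbot and nginx installed; not run by the demo.
renew_and_reload() {
    certbot renew --quiet
    if chain_changed "$1" "$2"; then
        /usr/sbin/nginx -s reload   # full path: cron's PATH usually lacks /usr/sbin
    fi
}

# Offline demo with constructed values.
issued='Nov 17 12:00:00 2016 GMT'
expiry='Feb 15 12:00:00 2017 GMT'
echo "days left right after issuance: $(days_until_expiry "$expiry" "$issued")"   # 90
for check in 'Jan 15 12:00:00 2017 GMT' 'Jan 16 12:00:00 2017 GMT'; do
    left=$(days_until_expiry "$expiry" "$check")
    if needs_renewal "$left"; then
        echo "$check: $left days left, renew"
    else
        echo "$check: $left days left, nothing to do"
    fi
done
```

On a real host, days_until_expiry "$(cert_not_after /etc/letsencrypt/live/blog.newteo.com/cert.pem)" gives the number the cron job would be acting on, and renew_and_reload with the fullchain path and a state file somewhere under /var/lib is the single cron entry that replaces the two lines above, since the reload then happens only in the run that actually changed the chain.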
Below are the points to watch out for.
sudo certbot-auto certonly --webroot -w /usr/share/nginx/html -d <your domain>
For this command, see 老鱼儿's blog; -w must point at the same directory the acme-challenge location in the nginx config serves from, and -d is the domain the certificate is issued for.
server {
    ...
    ssl_session_cache shared:whatever-SSL:50m;
    ...
}
With several sites on one nginx, watch the shared session cache: nginx does let several server blocks share one zone name, but every declaration of that name must use the same size, otherwise nginx rejects the config. Either give each site its own zone name (the whatever-SSL above) or declare the shared zone identically in every block.
On Ubuntu 14.x all of this should work; on 16.x you may run into the problem described in certbot's GitHub issue #2883, which the locale settings below work around.
Running
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
in the shell before calling certbot-auto fixes it.
On Ubuntu 16.x, though, the better option is to install the packaged client directly:
sudo apt update
sudo apt install letsencrypt
The flow above is something I have only run through and then repeated on several servers, so it clearly works; why it has to be done this way remains to be explored.