(1). 概述

以前申请证书,都是由运维去处理,最近有一些运维的工作要处理,所以,就想自己尝试下申请免费SSL证书,并记录下来.
“参考地址”

(2). 操作步骤

(3). 安装nginx

因为我是纯临时性的测试,所以是在root用户下操作.

# 1. 安装nginx
[root@erp ~]# yum -y install nginx

# 2. 启动nginx
[root@erp ~]# nginx

# 3. 查看机器启动了哪些端口
[root@erp ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1367/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      945/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      969/master
tcp6       0      0 :::80                   :::*                    LISTEN      1367/nginx: master
tcp6       0      0 ::1:25                  :::*                    LISTEN      969/master

# 4. 设置开机启动
[root@erp ~]# systemctl enable nginx.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.


# 5. nginx应用程序目录
[root@erp ~]# ll /etc/nginx/ |grep conf
drwxr-xr-x 2 root root 4096 Jun  2 08:24 conf.d
-rw-r--r-- 1 root root 2336 Jun  2 08:23 nginx.conf


# 6. 配置server(test.lixin.help.conf) 
[root@erp ~]# cat /etc/nginx/conf.d/test.lixin.help.conf
server {
    listen       80 443 [::]:443  ssl;
    server_name  test.lixin.help;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

(4). Certbot申请证书

# ********************************************snapd安装*****************************************************
# 1. 安装yum源
[root@erp ~]# yum -y  install epel-release

# 2. 安装snapd
[root@erp ~]# yum -y install snapd

# 3. 设置开机启动
[root@erp ~]# systemctl enable --now snapd.socket
Created symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket.

# 4. 设置snap软链接
[root@erp ~]# ln -s /var/lib/snapd/snap /usr/sbin/snap
[root@erp ~]# ln -s /var/lib/snapd/snap /snap

[root@erp ~]# systemctl start snapd

# ********************************************certbot安装*****************************************************
# 5. 安装certbot
[root@erp ~]# snap install --classic certbot
[root@erp ~]# snap install core; snap refresh core

# 6. 创建软链接
[root@erp ~]# ln -s /snap/bin/certbot /usr/bin/certbot

# 7. 通过cerbot申请证书
[root@erp ~]# certbot certonly --nginx  --nginx-server-root=/etc/nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): **********@126.com # 在这里填写你的邮箱

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y   #填写Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y   # 填写Y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: test.lixin.help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1    # 选择域要申请SSL的域名
Requesting a certificate for test.lixin.help
# 申请证书成功
Successfully received certificate.
# ***************************************************************************************
# fullchain.pem   : 公钥(ssl_certificate)
# privkey.pem     : 私钥(ssl_certificate_key)
# ***************************************************************************************
Certificate is saved at: /etc/letsencrypt/live/test.lixin.help/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.lixin.help/privkey.pem

# 有效期为3个月,需要每隔一段时间进行续租.
This certificate expires on 2022-01-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(5). Nginx配置证书

# 1. 配置nginx支持SSL
[root@erp ~]# cat /etc/nginx/conf.d/test.lixin.help.conf
server {
    listen       80;
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  test.lixin.help;
    ssl_certificate "/etc/letsencrypt/live/test.lixin.help/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/test.lixin.help/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;


    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}


# 2. 重启nginx
# 检查下配置
[root@erp conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# 热部署nginx
[root@erp conf.d]# nginx -s reload

(6). 通过浏览器验证证书

"验证证书是否生效"

(7). 续租证书

[root@erp ~]# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.lixin.help.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for test.lixin.help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/test.lixin.help/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(7). 总结

申请免费的SSL证书,相对来说还是比较简单的.