centos 시스템 은 certbot 를 이용 하여 https 인증 서 를 만 들 고 nginx 로 설정 합 니 다.

4013 단어 nginxlinux
1. certbot 설치
yum install certbot

다음 오류 발생
Failed:
  python-urllib3.noarch 0:1.10.2-5.el7

pip 설치 python urllib 3 모듈
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

도움말 보기
certbot -h

아래 가 나타 나 면 설치 성공
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. 인증서 생 성
certbot certonly --webroot -w /usr/local/html -d www.test.com

인증서 생 성 주소
/etc/letsencrypt/live/www.test.com

3. nginx 설정
server{

         listen 443 ssl;
  server_name www.test.com;
  ssl on;

  ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem; #2
  ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem; #3
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;

        error_page 403 /error.html;
        error_page 404 /error/404.html;

        location = /error.html {
          root  /home/tomcat/web/;
          allow all;
        }
         location  /error/ {
          root  /usr/local/nginx_html;
          allow all;
        }

location / {
        root /usr/local/html;
        index index.html index.htm;
    }


}

재 설정
server {
        listen *:80;
        server_name www.test.com ; #                        
        return 301 https://www.test.com/;
    }

4. nginx 를 다시 시작 합 니 다. 브 라 우 저 주 소 를 방문 하면 인증 서 를 볼 수 있 습 니 다.
5. 연장
certbot 생 성 인증 서 는 3 개 월 기한 이 만 료 되 어 연장 이 필요 합 니 다.
연장 명령 (certbot 설치 디 렉 터 리 에 들 어가 기 전에 nginx 를 닫 아야 합 니 다)
./letsencrypt-auto renew --force-renew

좋은 웹페이지 즐겨찾기