Let's Encrypt: installing and configuring an SSL certificate for nginx

2019/09/15 Environment deployment
Word count: 1,882 | Reading time: 10min


Generating a certificate with certbot

Installing Let's Encrypt

Installation is simple: just clone the repository.

```bash
git clone https://github.com/letsencrypt/letsencrypt
```

If the network is slow (a server outside China should be faster), there are two options:

1. Log in to https://github.com/letsencrypt/letsencrypt, download the archive, upload it to the cloud server with lrzsz, and unpack it there.

2. Edit the hosts file.

Look up the IP address of each domain and add it to the hosts file:

```text
linuxidc@linuxidc:~/linuxidc.com$ nslookup github.global.ssl.fastly.Net
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: github.global.ssl.fastly.Net
Address: 151.101.229.194

linuxidc@linuxidc:~/linuxidc.com$ nslookup github.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: github.com
Address: 13.229.188.59
```

Then edit the hosts file:

```bash
sudo vim /etc/hosts
```

Append two lines at the end of the hosts file (the format is IP address first, then the host name):

```text
13.229.188.59 github.com
151.101.229.194 github.global.ssl.fastly.Net
```

Refresh the DNS cache:

```bash
sudo /etc/init.d/networking restart
```

Using certbot:

```bash
cd letsencrypt
# adjust the e-mail address and domain to your own needs
./certbot-auto certonly --standalone --email admin@example.com -d example.c
```

On success it prints:

```text
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sast.nymrli.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sast.nymrli.top/privkey.pem
Your cert will expire on 2019-02-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
```

Configuring nginx:

The server block no longer listens on port 80, because TLS is served on port 443; then reference the certificate and key:

```nginx
server {
    listen 443 ssl;
    server_name 127.0.0.1;
    charset utf-8;
    client_max_body_size 75M;
    location /static {
        alias /home/mrli/Python_project/QQoauth_remote/static;
    }
    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:81;
        uwsgi_param UWSGI_SCRIPT app:app; # file that starts Flask : the Flask instance
    }
    ssl_certificate /etc/letsencrypt/live/test.nymrli.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.nymrli.top/privkey.pem;
    # the certificate generated above; just change the domain name, changing the path is not recommended
}
```

Restart nginx:

```bash
sudo service nginx restart
```

Using acme.sh

Download and install acme.sh:

```bash
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install
```

Installer output:

```text
[Thu Aug 22 19:58:00 CST 2019] It is recommended to install socat first.
[Thu Aug 22 19:58:00 CST 2019] We use socat for standalone server if you use standalone mode.
[Thu Aug 22 19:58:00 CST 2019] If you don't use standalone mode, just ignore this warning.
[Thu Aug 22 19:58:00 CST 2019] Installing to /home/mrli/.acme.sh
[Thu Aug 22 19:58:00 CST 2019] Installed to /home/mrli/.acme.sh/acme.sh
[Thu Aug 22 19:58:00 CST 2019] Installing alias to '/home/mrli/.bashrc'
[Thu Aug 22 19:58:00 CST 2019] OK, Close and reopen your terminal to start using acme.sh
[Thu Aug 22 19:58:00 CST 2019] Installing cron job
1 0 * * * "/home/mrli/.acme.sh"/acme.sh --cron --home "/home/mrli/.acme.sh" > /dev/null
[Thu Aug 22 19:58:00 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Aug 22 19:58:01 CST 2019] OK
```

Generating the certificate

```bash
export Ali_Key="xxxx"
export Ali_Secret="yyyy"
# quote the wildcard so the shell does not try to expand it as a glob
acme.sh --issue --dns dns_ali -d nymrli.top -d '*.nymrli.top'
```

Note: the Key and Secret here are your Alibaba Cloud API credentials; look them up under AccessKey in the console.

[Screenshot: accesskeys]

Output:

```text
[Thu Aug 22 20:01:53 CST 2019] Create account key ok.
[Thu Aug 22 20:01:53 CST 2019] Registering account
[Thu Aug 22 20:01:55 CST 2019] Registered
[Thu Aug 22 20:01:55 CST 2019] ACCOUNT_THUMBPRINT='YljrV0ThIsQxXtfdxksrd91g1fWvM9Btn9Dazt8OWyo'
[Thu Aug 22 20:01:55 CST 2019] Creating domain key
[Thu Aug 22 20:01:55 CST 2019] The domain key is here: /home/mrli/.acme.sh/nymrli.top/nymrli.top.key
[Thu Aug 22 20:01:55 CST 2019] Multi domain='DNS:nymrli.top,DNS:*.nymrli.top'
[Thu Aug 22 20:01:55 CST 2019] Getting domain auth token for each domain
[Thu Aug 22 20:01:56 CST 2019] Getting webroot for domain='nymrli.top'
[Thu Aug 22 20:01:56 CST 2019] Getting webroot for domain='*.nymrli.top'
[Thu Aug 22 20:01:57 CST 2019] Adding txt value: NyNt2AxJ3OmW8s_wVn2C3CNN9_yT1o_v2o0MhmdUoTs for domain: _acme-challenge.nymrli.top
[Thu Aug 22 20:01:59 CST 2019] The txt record is added: Success.
[Thu Aug 22 20:01:59 CST 2019] Adding txt value: ADqtxSTlQ0DH7jHZzlP9UZB0dT9U2oVYSk_zTabYN3w for domain: _acme-challenge.nymrli.top
[Thu Aug 22 20:02:01 CST 2019] The txt record is added: Success.
[Thu Aug 22 20:02:01 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Thu Aug 22 20:02:22 CST 2019] Checking nymrli.top for _acme-challenge.nymrli.top
[Thu Aug 22 20:02:24 CST 2019] Domain nymrli.top '_acme-challenge.nymrli.top' success.
[Thu Aug 22 20:02:24 CST 2019] Checking nymrli.top for _acme-challenge.nymrli.top
[Thu Aug 22 20:02:25 CST 2019] Domain nymrli.top '_acme-challenge.nymrli.top' success.
[Thu Aug 22 20:02:25 CST 2019] All success, let's return
[Thu Aug 22 20:02:25 CST 2019] Verifying: nymrli.top
[Thu Aug 22 20:02:28 CST 2019] Success
[Thu Aug 22 20:02:28 CST 2019] Verifying: *.nymrli.top
[Thu Aug 22 20:02:31 CST 2019] Success
[Thu Aug 22 20:02:31 CST 2019] Removing DNS records.
[Thu Aug 22 20:02:31 CST 2019] Removing txt: NyNt2AxJ3OmW8s_wVn2C3CNN9_yT1o_v2o0MhmdUoTs for domain: _acme-challenge.nymrli.top
[Thu Aug 22 20:02:34 CST 2019] Removed: Success
[Thu Aug 22 20:02:34 CST 2019] Removing txt: ADqtxSTlQ0DH7jHZzlP9UZB0dT9U2oVYSk_zTabYN3w for domain: _acme-challenge.nymrli.top
[Thu Aug 22 20:02:38 CST 2019] Removed: Success
[Thu Aug 22 20:02:38 CST 2019] Verify finished, start to sign.
[Thu Aug 22 20:02:38 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/64001779/941369076
[Thu Aug 22 20:02:40 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/034f6880d75703381da6f5efedb159772580
[Thu Aug 22 20:02:40 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
[Thu Aug 22 20:02:40 CST 2019] Your cert is in /home/mrli/.acme.sh/nymrli.top/nymrli.top.cer
[Thu Aug 22 20:02:40 CST 2019] Your cert key is in /home/mrli/.acme.sh/nymrli.top/nymrli.top.key
[Thu Aug 22 20:02:40 CST 2019] The intermediate CA cert is in /home/mrli/.acme.sh/nymrli.top/ca.cer
[Thu Aug 22 20:02:40 CST 2019] And the full chain certs is there: /home/mrli/.acme.sh/nymrli.top/fullchain.cer
```

nginx configuration file:

```nginx
server {
    listen 443 ssl;
    server_name 127.0.0.1;
    charset utf-8;
    client_max_body_size 75M;
    location /static {
        alias /home/mrli/Python_project/QQoauth_remote/static;
    }
    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:81;
        uwsgi_param UWSGI_SCRIPT app:app; # file that starts Flask : the Flask instance
    }
    ssl_certificate /home/mrli/.acme.sh/nymrli.top/fullchain.cer;
    ssl_certificate_key /home/mrli/.acme.sh/nymrli.top/nymrli.top.key;
    # the certificate generated above; just change the domain name, changing the path is not recommended
}
```

Free Alibaba Cloud SSL certificate (Symantec)

In the Cloud Shield certificate service (annual plan), choose the free Symantec certificate; once it has been issued, click Download and select the nginx certificate.

The downloaded files are as follows:

cer

Both files need to be copied to the server; on Linux, /etc/ssl/ is the recommended location.

Example: nginx block configuration

```nginx
http {
    # the http block can contain multiple server blocks
    server {
        # listen on port 443
        listen 443;

        # the matching domain name; replace test.nymrli.top with your own domain
        server_name test.nymrli.top;
        ssl on;

        # full path of the first file obtained from Tencent Cloud
        ssl_certificate /etc/ssl/1474527_www.nymrli.top.pem;
        # full path of the second file obtained from Tencent Cloud
        ssl_certificate_key /etc/ssl/1474527_www.nymrli.top.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        # this is my home page; it is a static HTML page, so a plain location block is enough
        location / {
            # document root
            root /usr/local/service/ROOT;
            # index file
            index index.html;
        }
    }
}
```

Note: .crt, .pem and .key are all certificate (or key) files.
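The three server blocks above all terminate TLS, but they differ in the details a reviewer would question. The following linter is an added example (my own code, not part of this post or of nginx) that parses one server block and flags those points: `listen 443` without the `ssl` parameter combined with the deprecated `ssl on`, legacy `ssl_protocols` values (TLSv1 and TLSv1.1 were formally deprecated by RFC 8996), a missing certificate or key directive, and `server_name 127.0.0.1`, which never matches the name on the certificate. It assumes plain `directive args;` syntax; the embedded sample block is constructed from the Alibaba Cloud configuration above.

```python
# Added example (not from the original post): a minimal linter for the TLS
# settings of one nginx server block. Assumes plain "directive args;" syntax.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the Alibaba Cloud server block from this post, trimmed.
SAMPLE_CONF = """
server {
    listen 443;
    server_name test.nymrli.top;
    ssl on;
    ssl_certificate /etc/ssl/1474527_www.nymrli.top.pem;
    ssl_certificate_key /etc/ssl/1474527_www.nymrli.top.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated
    ssl_prefer_server_ciphers on;
}
"""


def directives(conf):
    """Yield (name, args) for each directive; '#' comments and braces are skipped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, *args = line.split()
        yield name, args


def lint_tls_server(conf):
    """Return the list of findings for one server block (empty list = clean)."""
    found = dict(directives(conf))  # one block, so the last occurrence wins
    findings = []
    listen = found.get("listen", [])
    if "443" in listen and "ssl" not in listen:
        findings.append("listen 443 without the 'ssl' parameter")
    if found.get("ssl") == ["on"]:
        findings.append("'ssl on' is deprecated since nginx 1.15; use 'listen 443 ssl'")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in found:
            findings.append("missing " + key)
    legacy = sorted(set(found.get("ssl_protocols", [])) & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))
    if found.get("server_name") == ["127.0.0.1"]:
        findings.append("server_name 127.0.0.1 will not match the certificate's domain")
    return findings


if __name__ == "__main__":
    for finding in lint_tls_server(SAMPLE_CONF):
        print("-", finding)
```

Run against the sample it reports three findings; against the certbot and acme.sh blocks above it reports only the `server_name 127.0.0.1` issue.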

Troubleshooting:

1. `Problem binding to port 80: Could not bind to IPv4 or IPv6.`

The cause is that nginx is already using port 80. Run `service nginx stop`, then run the certificate installation command again and it will complete normally. After installation, run `service nginx start` to bring nginx back up.

2. Restarting nginx fails => the .conf file has an error

```text
See "systemctl status nginx.service" and "journalctl -xe" for details.
failed!
```

A: comments in a .conf file start with `#`, not `//`.

Author: Mrli

Link: https://nymrli.top/2019/08/22/Let-s-Encrypt安装配置SSL证书教程/

Copyright: All articles in this blog are licensed under CC BY-NC-SA 3.0 unless stating additionally.
