Install certbot.
https://certbot.eff.org/
Choose your operating system and web server.
CentOS 7 needs the EPEL repository installed first:
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install certbot-nginx
Run the following commands on the command line to generate the certificates (one certbot invocation per certificate):
certbot certonly --cert-name www.hiworld.com -d www.hiworld.com -d hiworld.com --webroot -w /data/www/hiworld/web --email abc@qq.com --no-eff-email --agree-tos
certbot certonly --cert-name hiworld-api-certbot -d api.hiworld.com --webroot -w /data/www/php/ladder/frontend/web --email abc@qq.com --no-eff-email --agree-tos
certbot certonly --cert-name hiworld-web-certbot -d www.hiworld.com -d hiworld.com --webroot -w /data/www/php/ladder_web --email abc@qq.com --no-eff-email --agree-tos
certbot certonly --cert-name hiworld-mobile-certbot -d m.hiworld.com --webroot -w /data/www/php/dist --email abc@qq.com --no-eff-email --agree-tos
--cert-name: name of the certificate (the lineage name under /etc/letsencrypt/live)
-d: domain name (repeat for every name the certificate should cover)
--webroot -w: the web root of the site. Note: this must match nginx's root, because certbot creates a .well-known directory there and the files it generates inside it must be accessible.
--email: e-mail address. Adding this option means you do not have to type it in interactively during generation.
--agree-tos: adding this option means you do not have to confirm the terms interactively during generation.
Error on CentOS 7.3:
ImportError: No module named 'requests.packages.urllib3'
Fix:
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3
Running the certificate generation script again produced another error:
Non-ASCII domain names not supported. To issue for an Internationalized Domain Name, use Punycode.
This error occurred because I had accidentally typed two spaces after hiworld.com; the second one was a full-width (Chinese) space, which cannot be recognized. Deleting that trailing space fixed it.
You can look at the execution log under /tmp/tmpXXXXXX; it usually shows the cause of the error.
Note: certificates generated by certbot are valid for 90 days. After 90 days, run the command below to renew. Ideally put this command in cron so the renewal happens before the certificate expires (for example, run it once every 2 months):
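Both of the problems above (a webroot that does not serve .well-known, and a domain string with a stray non-ASCII character) can be caught before certbot is run. The script below is an added example, not part of the original post or of certbot itself: it validates each domain as a plain ASCII hostname, drops a token file into WEBROOT/.well-known/acme-challenge/, and fetches it over HTTP the way the http-01 challenge does. Bear in mind that the challenge is fetched over plain HTTP on port 80, so the server block that owns that webroot must listen on port 80. The paths and domains in the usage line are the post's own example values, used here as assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for
# "certbot certonly --webroot". Domain names and the webroot path used in the
# usage line are assumptions taken from the post's own examples.
set -u

# Return 0 when the domain is a plain LDH (letters, digits, hyphen, dot) name.
# Anything else, including the full-width space that caused the
# "Non-ASCII domain names not supported" error, makes this return 1.
domain_is_ascii() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9.-]*)   return 1 ;;
        *)                  return 0 ;;
    esac
}

# Strip surrounding whitespace so an accidental trailing space is not
# passed on to certbot as part of the domain.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Create the ACME challenge directory under the webroot (the directory that
# certbot -w points at, which must equal nginx's root) and drop a token
# file in it. Prints the token name.
prepare_challenge_token() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="preflight-$$-$(date +%s)"
    printf 'ok' > "$dir/$token" || return 1
    printf '%s' "$token"
}

# Fetch the token over plain HTTP on port 80, exactly as Let's Encrypt will.
challenge_is_reachable() {
    domain="$1"; token="$2"
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "ok" ]
}

# Usage: ./preflight.sh /data/www/hiworld/web www.hiworld.com hiworld.com
if [ "$#" -ge 2 ]; then
    webroot="$1"; shift
    token=$(prepare_challenge_token "$webroot") || { echo "cannot write to $webroot"; exit 1; }
    status=0
    for raw in "$@"; do
        d=$(trim "$raw")
        if ! domain_is_ascii "$d"; then
            echo "BAD  $raw: non-ASCII or invalid characters (use Punycode for IDNs)"
            status=1; continue
        fi
        if challenge_is_reachable "$d" "$token"; then
            echo "OK   $d serves .well-known/acme-challenge"
        else
            echo "FAIL $d: challenge file not reachable; check nginx root and -w"
            status=1
        fi
    done
    rm -f "$webroot/.well-known/acme-challenge/$token"
    exit "$status"
fi
```

Run it with the webroot first and the domains after it; a non-zero exit means at least one domain would fail validation, and the reason is printed per domain.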
certbot renew
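A renewal that fails quietly (the webroot moved, port 80 closed, DNS changed) only becomes visible when the site stops working, so it is worth pairing the cron job with an independent expiry check on the files nginx actually serves. The script below is an added example, not from the original post or from the certbot project: it runs certbot renew with a deploy hook that reloads nginx only when something was renewed, then walks /etc/letsencrypt/live and warns about any lineage still close to expiry. The live path, the 14-day threshold and the reload command are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for cron plus an
# independent expiry check that catches silent renewal failures.
# The live path, the threshold and the nginx reload command are assumptions.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-14}"   # warn when fewer days than this remain

# Return 0 if the certificate file $2 expires within $1 days, 1 if it does
# not, 2 if the file is unreadable. openssl -checkend takes seconds and exits 0
# while the certificate is still valid that far ahead, so the result is inverted.
cert_expires_within() {
    days="$1"; cert="$2"
    [ -r "$cert" ] || return 2
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run certbot renew. certbot itself only renews certificates with fewer than
# 30 days left, so calling this daily is safe. --deploy-hook runs only when a
# certificate was actually renewed, which is exactly when nginx must reload.
renew_all() {
    certbot renew --quiet --deploy-hook "systemctl reload nginx"
}

# Walk every lineage under LIVE_DIR and report those still close to expiry
# after the renewal run. The return value is the number of such lineages
# (0 means everything is fine).
report_expiring() {
    bad=0
    for dir in "$LIVE_DIR"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if cert_expires_within "$WARN_DAYS" "${dir%/}/fullchain.pem"; then
            echo "WARNING: $name expires within $WARN_DAYS days; renewal may be failing"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Suggested crontab entry (certbot's documentation recommends running renew
# twice a day at an arbitrary minute rather than exactly on the hour):
#   17 3,15 * * * /usr/local/sbin/renew-check.sh --run >> /var/log/certbot-renew.log 2>&1
if [ "${1:-}" = "--run" ]; then
    renew_all
    report_expiring
fi
```

Because the exit status is the number of lineages close to expiry, the cron line (or a monitoring wrapper) can alert on any non-zero exit without parsing the output.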
nginx configuration
server {
    #listen 80;
    listen 443 ssl;
    server_name hiworld.findingschool.net;
    root /var/www/hiworld_cms/web/;
    index index.php;
    charset utf-8;
    #access_log logs/hi.fs.net.access.log main;
    #error_log logs/hi.fs.net.error.log;
    access_log /var/log/nginx/hiworld.findingschool.net_access.log;
    error_log /var/log/nginx/hiworld.findingschool.net_error.log;
    # Certificate files written by certbot for this lineage
    ssl_certificate /etc/letsencrypt/live/hiworld.ntest.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hiworld.ntest.cn/privkey.pem;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # Static assets: the dot before the extension list is escaped so it matches a literal "."
    location ~ .*\.(ico|gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)$ {
        expires 10d;
    }
    location / {
        try_files $uri /index.php?$args;
    }
    location /reserves {
        alias /var/www/html/yss/hiworld_cms/reserves/;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+?\.php)(/.*)?$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }
    #location /reserves/ {
    #    alias /var/www/html/yss/hiworld_cms/reserves/;
    #}
    location ~ \.php$ {
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
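Three things in a server block like this are easy to get wrong and are not caught by nginx -t: ssl_protocols that still enable TLS 1.0 and 1.1 (both deprecated by RFC 8996), certificate paths under /etc/letsencrypt/live that do not match the --cert-name the certificate was issued with, and location regexes whose "." is unescaped (so "~ .php$" also matches a path ending in "xphp"). The script below is an added example, not from the original post, nginx or certbot; it reads a config file path from the command line and reports each of those before you reload. The file path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a quick audit of an nginx TLS
# server block before reloading. Not part of nginx or certbot; the config
# path given on the command line is an assumption.
set -u

# Print the legacy protocol names enabled by any ssl_protocols directive
# (SSLv2/SSLv3 and TLS 1.0/1.1 are deprecated; TLSv1.2 and TLSv1.3 are not
# flagged). Comments are stripped first so commented-out lines do not count.
legacy_tls_protocols() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
      | tr ';' ' ' | tr -s '[:space:]' '\n' \
      | grep -Ex 'SSLv2|SSLv3|TLSv1|TLSv1\.1' \
      | sort -u
}

# Print each ssl_certificate / ssl_certificate_key path that is not readable
# on this host, e.g. when the directory under /etc/letsencrypt/live does not
# match the --cert-name the certificate was issued with.
missing_cert_files() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' \
      | sed -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+//; s/[[:space:]]*;.*$//' \
      | while read -r path; do
            [ -r "$path" ] || printf '%s\n' "$path"
        done
}

# Print "location ~" regexes whose "." before php or a group is unescaped:
# "~ .php$" also matches "/fooxphp". Write them as \.php$ instead.
unescaped_location_dots() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*location[[:space:]]+~' \
      | grep -E '[^\\]\.(php|\()' \
      | sed 's/^[[:space:]]*//'
}

# Usage: ./nginx-tls-audit.sh /etc/nginx/conf.d/hiworld.conf
if [ "$#" -eq 1 ]; then
    conf="$1"; rc=0
    legacy=$(legacy_tls_protocols "$conf")
    [ -z "$legacy" ] || { echo "legacy protocols enabled: $(echo "$legacy" | tr '\n' ' ')"; rc=1; }
    missing=$(missing_cert_files "$conf")
    [ -z "$missing" ] || { echo "unreadable certificate files:"; echo "$missing"; rc=1; }
    dots=$(unescaped_location_dots "$conf")
    [ -z "$dots" ] || { echo "location regexes with unescaped dots:"; echo "$dots"; rc=1; }
    nginx -t || rc=1
    exit "$rc"
fi
```

The checks are plain text matching, so they only see the one file you pass; include files are not followed. Run it on the file that holds the server block, fix what it reports, and only then reload nginx.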