# Amazon Linux 2 (EC2): obtaining a Let's Encrypt CA-signed certificate with Certbot and enabling TLS in Nginx

Repository: tking / service-deploy. tking authored 2022-03-13 07:58 (commit message: "style").

This article records how to request an SSL certificate with Certbot on an Amazon EC2 instance (Amazon Linux 2) and configure SSL for Nginx.

## Obtaining a CA-signed certificate

You can use the following procedure to obtain a CA-signed certificate:

- Generate a certificate signing request (CSR) from the private key
- Submit the CSR to a certificate authority (CA)
- Obtain the signed host certificate
- Configure Apache to use the certificate

Because of the labor involved in validating a request, certificates usually cost money, so it is worth shopping around. Some CAs offer a basic level of certificate for free. The most notable of these is the Let's Encrypt project, which also supports automating the certificate creation and renewal process. For more information on using Let's Encrypt as a CA, see:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt

## What is Certbot?

Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates to enable HTTPS on manually administered websites.

## Installing Certbot

1. Download the Extra Packages for Enterprise Linux (EPEL) 7 repository package:

```shell
[ec2-user ~]$ cd /home/ec2-user
# The download URL is the EPEL directory whose mirrored path step 2 installs from.
[ec2-user ~]$ sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
```

2. Install the repository package:

```shell
[ec2-user ~]$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
```

3. Enable EPEL:

```shell
sudo yum-config-manager --enable epel*
```

4. Install certbot:

```shell
sudo yum install -y certbot
```

5. Install Certbot's Nginx package:

```shell
sudo yum install -y python-certbot-nginx
```

## Obtaining the certificate

```shell
sudo certbot certonly --standalone --debug -d your.domain
```

`your.domain` is the apex domain or subdomain you are requesting the certificate for. The standalone plugin starts its own temporary web server on port 80 to answer the validation challenge, so nothing else may be listening on that port while the command runs.

On success, the certificate chain and private key are generated under /etc/letsencrypt/live/your.domain:

- privkey.pem
- fullchain.pem

## Enabling TLS in Nginx

Here nginx is installed with docker-compose; the docker-compose.yml is as follows:

```yaml
version: '3.5'
networks:
  mynetwork:
    name: "MyNetWork"

services:
  my-server:
    image: nginx
    restart: always
    networks:
      - mynetwork
    ports:
      - "443:443"
    volumes:
      - ./my-server/nginx.conf:/etc/nginx/nginx.conf:ro
```

nginx.conf is as follows:

```nginx
user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;


    server {
            listen 443 ssl;
            server_name www.yourdomain.com;

            # SSL configuration
            ssl_certificate     /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/www.yourdomain.com/privkey.pem;

            # SSL verification-related settings
            # Do not define the cipher suites explicitly.
            # Explicit definition is not recommended unless you need extra values; if you
            # do want to define cipher suites explicitly, look up the usage of ssl_ciphers separately.
            # Note: DH+3DES keeps the legacy 3DES suites in this list; drop it unless old clients require it.
            ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
            # Protocols allowed for secure connections
            ssl_protocols TLSv1.2 TLSv1.3;
            # Use the server's preferred cipher order
            ssl_prefer_server_ciphers on;

            # SSL optimization options
            # Session cache lifetime
            ssl_session_timeout  10m;
            # Size of the shared session cache
            ssl_session_cache   shared:SSL:10m;

            rewrite  ^/$  /index.html  last;
            location / {
            }
    }
}
```

## Mounting the configuration files

Since certbot was installed on the host, the certificate and private key need to be mounted into the docker container. The complete docker-compose.yml is as follows (the container path of the privkey.pem mount must match the path referenced in nginx.conf):

```yaml
version: '3.5'
networks:
  mynetwork:
    name: "MyNetWork"

services:
  my-server:
    image: nginx
    restart: always
    networks:
      - mynetwork
    ports:
      - "443:443"
    volumes:
      - ./my-server/nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem:/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem
      - /etc/letsencrypt/live/www.yourdomain.com/privkey.pem:/etc/letsencrypt/live/www.yourdomain.com/privkey.pem
```

Done. To test, open yourdomain.com/index.html over HTTPS in a browser.
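One operational check worth adding to this setup, as an added example that is not part of the original page: the files under /etc/letsencrypt/live/<domain>/ are symlinks into archive/, so bind-mounting the two files individually mounts whatever they resolved to when the container started, and after a renewal (Let's Encrypt certificates expire after 90 days) the container keeps serving the old certificate. The script below records what the live/ symlinks resolve to and reloads nginx inside the container only when they have moved; it assumes a hypothetical layout of live dir, state file and compose service name passed as arguments, and that the compose file mounts the whole /etc/letsencrypt tree rather than the two files, so that the reload can see the new archive files.

```shell
#!/bin/sh
# Added example, not the page's own code. Detects a certbot renewal by watching
# where the live/ symlinks point and reloads nginx in the compose service.
# Assumptions (hypothetical): $1 = live dir (e.g. /etc/letsencrypt/live/www.yourdomain.com),
# $2 = state file recording the last known targets, $3 = compose service name (my-server).

# Print the archive file a live/ symlink currently resolves to.
resolve_live() {
    readlink -f "$1"
}

# Record the archive targets currently behind fullchain.pem and privkey.pem.
snapshot_live() {
    live_dir=$1; state_file=$2
    {
        resolve_live "$live_dir/fullchain.pem"
        resolve_live "$live_dir/privkey.pem"
    } > "$state_file"
}

# Succeed (exit 0) when the live symlinks point somewhere other than what the
# snapshot recorded, i.e. a renewal happened; a missing snapshot counts as changed.
live_changed() {
    live_dir=$1; state_file=$2
    [ -f "$state_file" ] || return 0
    current=$(resolve_live "$live_dir/fullchain.pem"; resolve_live "$live_dir/privkey.pem")
    [ "$current" != "$(cat "$state_file")" ]
}

# Entry point for a cron job or certbot --deploy-hook: reload nginx inside the
# container only when needed, then refresh the snapshot.
# Returns 0 if a reload was issued, 1 if nothing changed.
reload_if_renewed() {
    live_dir=$1; state_file=$2; service=$3
    live_changed "$live_dir" "$state_file" || return 1
    docker compose exec "$service" nginx -s reload
    snapshot_live "$live_dir" "$state_file"
}
```

Take the first snapshot right after the container starts, then run reload_if_renewed from cron or as the certbot deploy hook; nginx only re-reads certificate files on reload, so without this step a renewed certificate is never picked up.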
