Using certbot to obtain a permanently free Let's Encrypt SSL certificate and serve a Spring Boot + Nginx site over HTTPS

This article explains how to obtain a free Let's Encrypt SSL certificate on CentOS 7 (Linux) with the client tool certbot, use the resulting certificate in Nginx, and, with Nginx acting as a reverse proxy, serve a Spring Boot application over HTTPS. The steps are as follows:

1. Install the Let's Encrypt client, Certbot

[root@ ~]# yum install epel-release
[root@ ~]# yum install certbot

For other installation methods see the certbot website: https://certbot.eff.org/

2. Stop the Nginx service

[root@ ~]# nginx -s stop

Note: if Nginx is not stopped, generating the certificate with certbot may fail, because standalone mode needs to bind the port itself. The error looks like this:

......
Problem binding to port 443: Could not bind to IPv4 or IPv6.

3. Generate the SSL certificate with certbot

certbot command format:
certbot certonly --standalone --email email-address -d domain
If the site has several subdomains, append each one with another -d, e.g.:
certbot certonly --standalone --email email-address -d your-domain-1 -d your-domain-2

[root@ ~]# certbot certonly --standalone --email "you-email@qq.com" -d example.com -d www.example.com

If you see output similar to the following, the certificate was issued successfully:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-03-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note: this step may fail with the error ImportError: No module named 'requests.packages.urllib3'. It is caused by a mismatch between Python module versions and is fixed by running the following commands:

pip install requests urllib3 pyOpenSSL --force --upgrade
pip install --upgrade --force-reinstall 'requests==2.6.0'

4. Add the certificate paths to the Nginx configuration file nginx.conf

server {
    listen 80;
    server_name example.com www.example.com;
    # Redirect every HTTP request to the HTTPS port.
    # $host keeps whichever name the client asked for; $server_name would always
    # expand to the first entry (example.com) and silently drop the www name.
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # SSL certificate paths (fullchain.pem includes the intermediate chain)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Reverse proxy to the Spring Boot application
    location / {
        proxy_pass        http://127.0.0.1:8080;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
    }

    error_page   404   /404.html;
    # "access" is the name of a log_format that must be declared in the http block;
    # leave it out to use the built-in "combined" format.
    access_log  /home/wwwlogs/www.example.com.log  access;
}

Check that the Nginx configuration is correct, then reload it:

[root@ ~]# nginx -t
[root@ ~]# nginx -s reload

If everything went well, open a browser and test:

http://www.example.com
or
https://www.example.com

Note: if the site cannot be reached or shows a blank page, first check that the firewall allows access to port 443.

5. Renew the SSL certificate automatically with a Crontab job (the secret to "permanently free")

Certificates issued by Let's Encrypt are valid for 90 days and stop working after that, so we use a Linux cron job to renew them automatically.

[root@ ~]# crontab -e

Add the following lines:

# Run the certificate renewal every Monday at 05:30.
# A standalone renewal needs the port free while it runs; if Nginx is up, add
# --pre-hook "nginx -s stop" --post-hook "nginx -s start" to the command below.
30 5 * * 1 /usr/bin/certbot renew >>/var/log/ssl_auto_update.log 2>&1

certbot's renew command checks every certificate installed on the system; any installed certificate that is within 30 days of expiry is renewed and reloaded automatically.
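A post-deployment check for the two things steps 4 and 5 rely on: that port 80 really issues the permanent redirect to HTTPS, and that the certificate served on port 443 validates and is not already inside the 30-day renewal window (which would indicate the cron job is not renewing). This is an added example, not code from the original post; the hostname www.example.com and the 30-day threshold are taken from the text above.

```python
import http.client
import socket
import ssl
import time

RENEW_THRESHOLD_DAYS = 30  # certbot renew acts within 30 days of expiry
SECONDS_PER_DAY = 86400


def days_until_expiry(not_after, now_seconds=None):
    """Whole days left on a certificate. not_after is the notAfter string that
    ssl.getpeercert() returns, e.g. 'Mar  9 00:00:00 2019 GMT' (parsed as UTC)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now_seconds is None else now_seconds
    return int((expiry - now) // SECONDS_PER_DAY)


def needs_renewal(not_after, now_seconds=None, threshold=RENEW_THRESHOLD_DAYS):
    """True when the cert is inside the window in which certbot renew would act."""
    return days_until_expiry(not_after, now_seconds) <= threshold


def is_https_redirect(status, location):
    """True if a plain-HTTP reply is the permanent redirect the port-80 block emits."""
    return status in (301, 308) and (location or "").lower().startswith("https://")


def check_site(host, timeout=5):
    """Live check of a deployed site: port 80 must redirect to HTTPS, and the
    certificate on port 443 must chain to a trusted root and match the hostname
    (the default SSL context verifies both) and must not be close to expiry."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    redirect_ok = is_https_redirect(resp.status, resp.getheader("Location"))
    conn.close()

    ctx = ssl.create_default_context()  # raises if the chain or hostname is wrong
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return {
        "redirect_ok": redirect_ok,
        "days_left": days_until_expiry(not_after),
        "needs_renewal": needs_renewal(not_after),
    }
```

Run check_site("www.example.com") after the reload; a False redirect_ok points at the port-80 server block, and a True needs_renewal means the cron renewal is not taking effect.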

Other resources

Let's Encrypt website: https://letsencrypt.org/
SSL server configuration generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSL security rating test: https://www.ssllabs.com/ssltest/
