# Adding Let's Encrypt on CentOS

```bash
yum update
yum install git bc
```
## Clone the git project
```bash
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
```
## Run
```bash
/opt/letsencrypt/letsencrypt-auto certonly --standalone
```
  1. First, enter an email address

  2. Enter the domain name(s); more than one can be given

  3. Below is a screenshot of a successful run:

```text
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/test2.mesmart.cn/fullchain.pem. Your cert
   will expire on 2016-06-23. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
A new folder named after the domain appears under `/etc/letsencrypt/live`; it contains the 4 certificate files you need:

  • `cert.pem`: the certificate for your domain.
  • `chain.pem`: the Let's Encrypt chain certificate.
  • `fullchain.pem`: `cert.pem` and `chain.pem` concatenated.
  • `privkey.pem`: the private key for your certificate.

  1. Nginx configuration

```nginx
# check_http_expect_alive comes from the upstream health-check module (Tengine / nginx_upstream_check_module)
upstream test1.mewifi.mobi {
    server   10.117.37.115:9402 max_fails=5 fail_timeout=30s;
    check_http_expect_alive http_2xx http_3xx;
    ip_hash;
}
server {
    listen 443 ssl;

    server_name test1.mewifi.mobi;

    ssl_certificate /etc/letsencrypt/live/test1.mewifi.mobi/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test1.mewifi.mobi/privkey.pem;
    ssl on;

    location / {
       #try_files $uri $uri/ =404;
       proxy_pass   http://test1.mewifi.mobi;
       proxy_set_header  X-FORWARDED-FOR  $remote_addr;
       proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
    location ~ ^/(WEB-INF)/ {
        deny all;
    }
}
server {
    listen 80;
    server_name test1.mewifi.mobi;
    return 301 https://test1.mewifi.mobi$request_uri;
    #rewrite ^(.*)$ https://$host$1 permanent;
}
```

  2. Tomcat configuration

    Find the place where the HTTP port is configured:

```xml
<Connector port="9402" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8"
           proxyPort="443" scheme="https"/>
```

Two things to note:

  1. The server you run this on must be the one the requested domain resolves to; otherwise you get this error:
    Failed to connect to host for DVSNI challenge

  2. Port 443 must be open in the server's firewall.

Reference: How To Secure Nginx with Let's Encrypt on Ubuntu 14.04

Update 2016-03-23:
The generated certificate files are tied to the domain, so when migrating nginx you only need to copy the corresponding files over; it does not have to be the server (the IP) that originally requested them.

But if a different domain also tries to use this certificate file, it does not work:


When this error occurred, deleting the two directories

/etc/letsencrypt/archive
/etc/letsencrypt/live

fixed it, but I forgot how to reproduce the error.

A setup that works:

  • Point the domain at the current server
  • Write the nginx config file for that domain
```nginx
upstream inf.mesmart.cn {
        server   10.117.37.117:8081 max_fails=5 fail_timeout=30s;
        check_http_expect_alive http_2xx http_3xx;
        ip_hash;
}
server {
        listen 443 ssl;
        server_name inf.mesmart.cn;

        # certificate lines stay commented out until the request has succeeded
        #ssl_certificate /etc/letsencrypt/live/test2.mewifi.mobi/fullchain.pem;
        #ssl_certificate_key /etc/letsencrypt/live/test2.mewifi.mobi/privkey.pem;
        #ssl on;

        location / {
           #try_files $uri $uri/ =404;
           proxy_pass   http://inf.mesmart.cn;
           proxy_set_header  X-FORWARDED-FOR  $remote_addr;
           proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        location ~ ^/(WEB-INF)/ {
                deny all;
        }
        # the ACME challenge files must stay reachable
        location ~ /.well-known {
                allow all;
        }
}

server {
        listen 80;
        server_name inf.mesmart.cn;
        location / {
           proxy_pass   http://inf.mesmart.cn;
           proxy_set_header  X-FORWARDED-FOR  $remote_addr;
           proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        location ~ ^/(WEB-INF)/ {
                deny all;
        }
        location ~ /.well-known {
                allow all;
        }
}
```

Port 80 may already be in use by an existing server block; you only need to add a server block for port 443. At first I thought a certificate was required there, but it turned out it is not. Once the request succeeds, change it to the correct certificate paths:

```nginx
ssl_certificate /etc/letsencrypt/live/inf.mesmart.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/inf.mesmart.cn/privkey.pem;
ssl on;
```
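As an added example (not the post's own code), a small Python lint that checks a domain's port-443 server block against the rules in this post: certificate paths under /etc/letsencrypt/live/<domain>/, fullchain.pem rather than cert.pem, and the now-deprecated `ssl on;`. The domain and config inside it are constructed sample values.

```python
import re
# Added example, not code from the original post: a small lint for the Let's
# Encrypt parts of an nginx config. Domain and config below are constructed.

def split_servers(conf):
    # Return the body of every top-level `server { ... }` block (nesting-aware).
    bodies, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[i:])
        if not m:
            return bodies
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        bodies.append(conf[start:j - 1])
        i = j

def directive(body, name):
    # Value of the first uncommented `name value;` line in a block body.
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), body, re.M)
    return m.group(1).strip() if m else None

def lint_tls(conf, domain):
    # Findings for the port-443 server block of `domain`; [] when clean.
    live = "/etc/letsencrypt/live/%s/" % domain
    tls = [b for b in split_servers(conf) if "443" in (directive(b, "listen") or "")
           and domain in (directive(b, "server_name") or "").split()]
    if not tls:
        return ["no port-443 server block for %s" % domain]
    body, findings = tls[0], []
    if directive(body, "ssl_certificate") != live + "fullchain.pem":
        findings.append("ssl_certificate should be %sfullchain.pem, not cert.pem (no chain)" % live)
    if directive(body, "ssl_certificate_key") != live + "privkey.pem":
        findings.append("ssl_certificate_key should be %sprivkey.pem" % live)
    if directive(body, "ssl") == "on":
        findings.append("'ssl on;' is deprecated; 'listen 443 ssl' already enables TLS")
    return findings

SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name inf.example.test;
    ssl_certificate /etc/letsencrypt/live/inf.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/inf.example.test/privkey.pem;
    location / { proxy_pass http://inf.example.test; }
}
"""
```

`lint_tls(SAMPLE_CONF, "inf.example.test")` returns `[]`; pointing `ssl_certificate` at cert.pem instead, or adding `ssl on;`, produces a finding per problem.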
2016-03-25 19:2212