nginx安装免费证书开启SSL，完整版

免费证书安装

参考链接

为你的网站来安装一个证书十分简单，只需要使用电子子前哨基金会EFF的 Certbot，就可以完成。

1）首先，打开 https://certbot.eff.org 网页。

2）在那个机器上图标下面，你需要选择一下你用的 Web 接入软件 和你的 操作系统。比如，我选的，nginx 和 Ubuntu 14.04

3）然后就会跳转到一个安装教程网页。你就照着做一遍就好了。

拿centos7举例

https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

1.SSH into the server

SSH into the server running your HTTP website as a user with sudo privileges.

2.Enable EPEL repo

You’ll need to enable the EPEL (Extra Packages for Enterprise Linux) repository and make sure you follow all instructions for your system, including enabling any other recommended repositories that may be required. Follow these instructions at the Fedora wiki to enable EPEL.

yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

3.enable EPEL

Install Certbot Run this command on the command line on the machine to install Certbot.

sudo yum install certbot python2-certbot-nginx

4.Choose how you’d like to run Certbot

Either get and install your certificates… Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.

sudo certbot --nginx

Or, just get a certificate If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.

sudo certbot certonly --nginx

5.Set up automatic renewal

We recommend running the following line, which will add a cron job to the default crontab.

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

6.Confirm that Certbot worked

To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.

我遇到的问题

sudo certbot --nginx

在上述的安装过程中我在步骤4使用certbot往nginx写入时提示：

Centos 7.6 Certbot 报错ImportError: cannot import name UnrewindableBodyError

完整错误如下： 解决办法： 参考链接

这似乎是请求的问题，而不是tower-cli。您能尝试按照以下步骤重新安装请求和urlib3来查看

sudo pip uninstall requests sudo pip uninstall urllib3 sudo yum remove python-urllib3 sudo yum remove python-requests

通过执行以下命令，确认已删除所有上述库：

rpm -qa | grep requests pip freeze | grep requests

现在，使用yum安装这些软件包：

sudo yum install python-urllib3 sudo yum install python-requests

解决了这个问题后面便是提示你输入你的邮箱和域名这个我就不说了，成功之后，你的证书便配置上了。。。但这并没有结束

开启SSL之后，证书时配置在443端口上的，你所有的请求的端口都会转到443上，会导致你的一切其它的服务比如API接口服务，访问不了

参考链接

多端口访问配置

location /xxx{ proxy_pass http://wangchunze.top:30332/xxx; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }

这样当访问https://wangchunze.top/xxx的时候，请求会自动转发到http://wangchunze.top:30332/xxx

另外的方式： location /test1 { proxy_pass https://localhost:8080/test/; }

结束语

一致想弄的事情，今天算是弄完了，每天进步一点点