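Applying for an HTTPS Certificate in a Test Environment
I. Preparation
A Linux machine
A real domain name
II. Install snapd
Installation instructions: Certbot (eff.org)
Scroll down to find the instructions
Select the operating system you are installing on
1. Install snapd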
yum -y install epel-release
yum -y install snapd
2. Create the symbolic link
systemctl enable --now snapd
ln -s /var/lib/snapd/snap /snap
snap --help
III. Configure the DNS record
1. Install the Certbot package, using the --classic flag (classic confinement)
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
2. Generate the DNS record
Format:
certbot certonly --manual --preferred-challenges dns -d [your real domain]
certbot certonly --manual --preferred-challenges dns -d '*.syhwyq.icu' # this is my domain; quoted so the shell does not expand the *
If you really want to skip this, you can run the client with
--register-unsafely-without-email but you will then be unable to receive notice
about impending expiration or revocation of your certificates or problems with
your Certbot installation that will lead to failure to renew.
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): 3146359748@qq.com //enter your email address here
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y //enter Y to continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y //enter Y to continue
Account registered.
Requesting a certificate for *.syhwyq.icu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.syhwyq.icu. //this must be configured in the domain's DNS records
with the following value:
8cDiagJOjCKax3vZPJKmDvPZrBY7RIqhEmxdn6AB3I4 //this must be configured in the domain's DNS records
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.syhwyq.icu.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue //press Enter only after configuring the two items above
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/syhwyq.icu/fullchain.pem
Key is saved at: /etc/letsencrypt/live/syhwyq.icu/privkey.pem
This certificate expires on 2024-12-02.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
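Enter your email address
Enter Y
Enter Y
Do not press Enter yet; note down the two values above and move on to the next step
Configure the DNS record
Press Enter
Success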
ll /etc/letsencrypt/live/syhwyq.icu/
总用量 4
lrwxrwxrwx 1 root root 34 9月 3 11:20 cert.pem -> ../../archive/syhwyq.icu/cert1.pem
lrwxrwxrwx 1 root root 35 9月 3 11:20 chain.pem -> ../../archive/syhwyq.icu/chain1.pem
lrwxrwxrwx 1 root root 39 9月 3 11:20 fullchain.pem -> ../../archive/syhwyq.icu/fullchain1.pem
lrwxrwxrwx 1 root root 37 9月 3 11:20 privkey.pem -> ../../archive/syhwyq.icu/privkey1.pem
-rw-r--r-- 1 root root 692 9月 3 11:20 README
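Before pressing Enter at the "Press Enter to Continue" prompt above, the TXT record has to be served by the domain's authoritative nameservers. The script below is an added example (not part of the original post or of Certbot) that checks this with dig; the function and script names are hypothetical, and it assumes the domain passed in is the zone apex (for *.syhwyq.icu, pass syhwyq.icu).

```bash
#!/usr/bin/env bash
# Added example: verify a DNS-01 challenge TXT record before continuing in certbot.
# Function names are illustrative; DOMAIN is assumed to be the zone apex.

# txt_has_value EXPECTED DIG_OUTPUT
# Succeeds if one TXT string in `dig +short TXT` output equals EXPECTED exactly.
txt_has_value() {
    local expected="$1" line
    [ -n "$expected" ] || return 1
    while IFS= read -r line; do
        line=${line#\"}; line=${line%\"}   # dig prints each TXT string in quotes
        [ "$line" = "$expected" ] && return 0
    done <<EOF
$2
EOF
    return 1
}

# check_challenge DOMAIN EXPECTED
# Queries every authoritative nameserver directly, so a stale resolver cache
# cannot hide a record that has not reached all servers yet.
check_challenge() {
    local domain="$1" expected="$2" ns servers rc=0
    servers=$(dig +short NS "$domain")
    [ -n "$servers" ] || { echo "no NS records found for $domain" >&2; return 2; }
    for ns in $servers; do
        if txt_has_value "$expected" "$(dig +short TXT "_acme-challenge.$domain" "@$ns")"; then
            echo "OK       $ns"
        else
            echo "MISSING  $ns"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `dig +short TXT` output: a leftover value plus the current one.
SAMPLE_DIG_OUTPUT='"constructed-leftover-challenge-value"
"8cDiagJOjCKax3vZPJKmDvPZrBY7RIqhEmxdn6AB3I4"'

# Live use (needs network and dig): ./check_txt.sh syhwyq.icu <value printed by certbot>
if [ "$#" -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```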
IV. Write the Nginx configuration file
1. Edit the configuration file
vim /etc/nginx/conf.d/nginx_myssl.conf
server {
    listen 80;
    server_name www.syhwyq.icu;
    # Redirect all plain-HTTP requests to HTTPS
    location / {
        rewrite ^(.*)$ https://www.syhwyq.icu$1 permanent;
    }
}
server {
    listen 443 ssl;
    server_name www.syhwyq.icu;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); enable only TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # Certificate chain and private key issued by certbot above
    ssl_certificate /etc/letsencrypt/live/syhwyq.icu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/syhwyq.icu/privkey.pem;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root /jump/html;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
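2. Create the web root directory and deploy the "Jump Jump" project
mkdir -p /jump/html
Upload the "Jump Jump" project into this directory
3. Test the configuration and reload Nginx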
nginx -t
systemctl reload nginx
4. Visit the page
https://www.syhwyq.icu