{"id":494,"date":"2017-12-17T18:53:20","date_gmt":"2017-12-17T10:53:20","guid":{"rendered":"https:\/\/www.chenweikang.top\/?p=494"},"modified":"2018-03-21T19:22:55","modified_gmt":"2018-03-21T11:22:55","slug":"%e4%bd%bf%e7%94%a8ssl%e8%af%81%e4%b9%a6%ef%bc%8c%e6%91%86%e8%84%b1%e8%bf%90%e8%90%a5%e5%95%86%e6%b5%81%e9%87%8f%e5%8a%ab%e6%8c%81%ef%bc%81","status":"publish","type":"post","link":"https:\/\/www.chenweikang.top\/?p=494","title":{"rendered":"\u4f7f\u7528SSL\u8bc1\u4e66\uff0c\u6446\u8131\u8fd0\u8425\u5546\u6d41\u91cf\u52ab\u6301\uff01"},"content":{"rendered":"

2015 \u5e74\u5e95\uff0c\u591a\u5bb6\u516c\u53f8\u5c31\u8054\u5408\u58f0\u660e\uff1a\u547c\u5401\u8fd0\u8425\u5546\u4e25\u683c\u6253\u51fb\u6d41\u91cf\u52ab\u6301\u3002\u4f46\u662f\uff0c\u80fd\u591f\u5b9e\u65bd\u8fd9\u4e00\u653b\u51fb\u884c\u4e3a\u7684\u76ee\u524d\u4e5f\u5c31\u662f\u5404\u5730\u7684\u5bbd\u5e26\u8fd0\u8425\u5546\u4e86\uff0c\u8ba9\u8d3c\u6349\u8d3c\u600e\u4e48\u53ef\u80fd\uff1f\uff01\u51b5\u4e14\uff0c \u5728\u67d0\u4e9b\u5730\u533a\uff0c\u8fd9\u79cd\u52ab\u6301\u6587\u4ef6\u5e76\u63d2\u5165\u5e7f\u544a\u7684\u65b9\u5f0f\u5df2\u7ecf\u6210\u4e3a\u4ed6\u4eec\u8f7b\u677e\u6765\u94b1\u7684\u201c\u4f18\u8d28\u201d\u6e20\u9053\u4e86\uff0c\u600e\u80fd\u8f7b\u6613\u653e\u624b\uff01\u6240\u4ee5\uff0c\u4ece 15 \u5e74\u8d77\uff0c\u5f88\u591a\u5927\u578b\u7f51\u7ad9\u5f00\u542f\u4e86 HTTPS \uff0c\u5305\u62ec \u6dd8\u5b9d\u3001\u767e\u5ea6\u7b49\u3002<\/p>\n

\u9274\u4e8e\u56fd\u5185\u7f51\u7edc\u73af\u5883\u590d\u6742\uff0c\u5efa\u8bae\u5927\u5bb6\u4e5f\u5c3d\u5feb\u652f\u6301 HTTPS\u3002\u5c24\u5176\u662f\u56fd\u5185\u4e91\u5382\u5546\u57fa\u672c\u90fd\u652f\u6301 Let\u2019s encrypt \u514d\u8d39\u8bc1\u4e66\u4e86\uff0c\u65e0\u8bba\u7533\u8bf7\u8fd8\u662f\u5f00\u542f Let\u2019s encrypt \u8bc1\u4e66\u90fd\u5f88\u65b9\u4fbf\u4e86\u3002<\/p><\/blockquote>\n

\u5173\u4e8e\u6d41\u91cf\u52ab\u6301\uff0c\u5e38\u89c1\u7684\u5c31\u662f\u7f51\u9875\u5185\u5bb9\u88ab\u63d2\u5165\u5404\u79cd\u5e7f\u544a\uff01\u800c\u8fd9\u4e9b\u7f51\u7ad9\u672c\u8eab\u6e90\u4ee3\u7801\u5e76\u6ca1\u6709\u690d\u5165\u5e7f\u544a\uff0c\u8fd9\u79cd\u65b9\u5f0f\u7684\u6d41\u91cf\u52ab\u6301\u5c5e\u4e8e\u4e2d\u95f4\u4eba\u653b\u51fb\uff08Man-in-the-Middle Attack\uff0cMITM\uff09\u7684\u4e00\u79cd\uff0c\u5176\u5b9e\u8d28\u5c31\u662f\u5728\u6570\u636e\u901a\u8def\u4e0a\u52ab\u6301\u6587\u4ef6\u5e76\u7be1\u6539\uff08\u4e00\u822c\u662f\u52a0\u5165\u5e7f\u544a\u4ee3\u7801\uff09\uff0c\u5e76\u5c06\u7be1\u6539\u540e\u7684\u6587\u4ef6 \u53d1\u9001\u7ed9\u5ba2\u6237\u7aef\u3002\u5728\u8fd9\u79cd\u653b\u51fb\u4e0b\uff0c\u6e90\u670d\u52a1\u5668\u4e0a\u7684\u6587\u4ef6\u662f\u4e0d\u53d7\u5f71\u54cd\u7684\uff0c\u6587\u4ef6\u88ab\u7be1\u6539\u662f\u53d1\u751f\u5728\u4f20\u8f93\u8fc7\u7a0b\u4e2d\uff0c\u7531\u4e8e HTTP \u534f\u8bae\u5b8c\u5168\u662f\u660e\u6587\u4f20\u8f93\uff0c\u5f88\u5bb9\u6613\u88ab\u52ab\u6301\u3001\u7be1\u6539\uff0c\u56e0\u6b64\uff0c\u53ea\u8981\u6587\u4ef6\u5728 \u52a0\u5bc6\u901a\u9053\u4e2d\u4f20\u8f93\u5c31\u80fd\u591f\u907f\u514d\u88ab\u52ab\u6301\u3001\u7be1\u6539\u3002<\/p>\n

\u4e00\u3001\u83b7\u53d6 Let\u2019s encrypt \u514d\u8d39\u8bc1\u4e66<\/h2>\n

\u5efa\u8bae\u4f7f\u7528git\u5de5\u5177\uff0c\u5b89\u88c5\u90e8\u7f72\u65f6\u9700\u8981Python2.7\u7684\u652f\u6301\uff0clinux\u9ed8\u8ba4\u90fd\u88c5\u4e86python \uff0c\u672c\u6848\u4f8b\u5728centos7\u4e0b\u8fdb\u884c<\/p>\n

\u5982\u679c\u6ca1\u6709\u4ee5\u4e0a\u4f9d\u8d56\uff0c\u8bf7\u5148\u5b89\u88c5\uff1a<\/p>\n

shell# yum install gi<\/span>t  #\u5b89\u88c5git\r\nshell# git clone https:\/\/github.com\/letsencrypt\/letsencrypt<\/span>  #\u83b7\u53d6\u6e90\u7801\r\n<\/pre>\n
\u4e8c\u3001\u751f\u6210\u8bc1\u4e66\u5bc6\u94a5<\/h2>\n
shell# cd letsencrypt<\/span>\r\nshell# .\/letsencrypt-auto certonly --standalone --email 354867750@qq.com -d chenweikang.top -d www.chenweikang.top<\/span>\r\n\r\n#\u4ee5\u4e0b\u4e3a\u4ea4\u4e92\u65e5\u5fd7\r\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\r\nPlugins selected: Authenticator standalone, Installer None\r\n\r\n-------------------------------------------------------------------------------\r\nPlease read the Terms of Service at\r\nhttps:\/\/letsencrypt.org\/documents\/LE-SA-v1.2-November-15-2017.pdf. You must\r\nagree in order to register with the ACME server at\r\nhttps:\/\/acme-v01.api.letsencrypt.org\/directory\r\n-------------------------------------------------------------------------------\r\n(A)gree\/(C)ancel: A<\/span>\r\n\r\n-------------------------------------------------------------------------------\r\nWould you be willing to share your email address with the Electronic Frontier\r\nFoundation, a founding partner of the Let's Encrypt project and the non-profit\r\norganization that develops Certbot? We'd like to send you email about EFF and\r\nour work to encrypt the web, protect its users and defend digital rights.\r\n-------------------------------------------------------------------------------\r\n(Y)es\/(N)o: Y<\/span>\r\nObtaining a new certificate\r\nPerforming the following challenges:\r\ntls-sni-01 challenge for chenweikang.top\r\ntls-sni-01 challenge for www.chenweikang.top\r\nWaiting for verification...\r\nCleaning up challenges\r\n\r\nIMPORTANT NOTES:\r\n - Congratulations! Your certificate and chain have been saved at:\r\n   \/etc\/letsencrypt\/live\/chenweikang.top\/fullchain.pem\r\n   Your key file has been saved at:\r\n   \/etc\/letsencrypt\/live\/chenweikang.top\/privkey.pem\r\n   Your cert will expire on 2018-03-17. To obtain a new or tweaked\r\n   version of this certificate in the future, simply run\r\n   letsencrypt-auto again. To non-interactively renew *all* of your\r\n   certificates, run \"letsencrypt-auto renew\"\r\n - Your account credentials have been saved in your Certbot\r\n   configuration directory at \/etc\/letsencrypt. You should make a\r\n   secure backup of this folder now. This configuration directory will\r\n   also contain certificates and private keys obtained by Certbot so\r\n   making regular backups of this folder is ideal.\r\n - If you like Certbot, please consider supporting our work by:\r\n\r\n   Donating to ISRG \/ Let's Encrypt:   https:\/\/letsencrypt.org\/donate\r\n   Donating to EFF:                    https:\/\/eff.org\/donate-le<\/pre>\n
\u5728 \/etc\/letsencrypt\/live\/chenweikang.top \u76ee\u5f55\u4e0b\u4f1a\u751f\u62104\u4e2a\u6587\u4ef6\uff0c\u5206\u522b\u4e3aApache\u548cNginx\u7528\u5230\u7684\uff1a<\/p>\n
cert.pem\u00a0 - Apache\u670d\u52a1\u5668\u7aef\u8bc1\u4e66<\/em>
\nchain.pem\u00a0 - Apache\u6839\u8bc1\u4e66\u548c\u4e2d\u7ee7\u8bc1\u4e66<\/em>
\nfullchain.pem\u00a0 - Nginx\u6240\u9700\u8981ssl_certificate\u6587\u4ef6<\/em>
\nprivkey.pem - \u5b89\u5168\u8bc1\u4e66KEY\u6587\u4ef6<\/em><\/p>\n
[root@iz2zeeuc8ed3wflgmb7rakz chenweikang.top]# ll\r\ntotal 4\r\nlrwxrwxrwx 1 root root  39 Dec 17 17:13 cert.pem -> ..\/..\/archive\/chenweikang.top\/cert1.pem\r\nlrwxrwxrwx 1 root root  40 Dec 17 17:13 chain.pem -> ..\/..\/archive\/chenweikang.top\/chain1.pem\r\nlrwxrwxrwx 1 root root  44 Dec 17 17:13 fullchain.pem -> ..\/..\/archive\/chenweikang.top\/fullchain1.pem\r\nlrwxrwxrwx 1 root root  42 Dec 17 17:13 privkey.pem -> ..\/..\/archive\/chenweikang.top\/privkey1.pem\r\n-rw-r--r-- 1 root root 543 Dec 17 17:13 README<\/pre>\n
\u4e09\u3001Nginx\u914d\u7f6eHttps<\/h2>\n
\u6839\u636e\u81ea\u5df1\u7f51\u7ad9\u914d\u7f6e\uff0c\u5bf9nginx\u6216apache\u8fdb\u884c\u914d\u7f6e\uff0c\u6a58\u7ea2\u8272\u4e3a\u6211\u65b0\u589e\u7684\uff0c
\n\u5173\u4e8ehttp\u91cd\u5b9a\u5411\u5230https\u6709\u591a\u79cd\u65b9\u5f0f\uff0c\u8fd9\u91cc\u4f7f\u7528rewrite\u91cd\u5b9a\u5411<\/p>\n
server {\r\n    listen 80;\r\n    server_name www.chenweikang.top chenweikang.top;\r\n    root \/home\/wordpress\/server;\r\n    index index.html index.htm index.php;\r\n    error_page 404  \/ERROR\/404.html;\r\n    #\u8bbf\u95eehttp\u65f6\u8df3\u91cd\u5b9a\u5411\u5230https<\/span>\r\n    if (-f $request_filename\/index.html){\r\n          rewrite (.*) https:\/\/$host$1\/index.html break;\r\n     }\r\n    if (-f $request_filename\/index.php){\r\n          rewrite (.*) https:\/\/$host$1\/index.php;\r\n     }\r\n    if (!-f $request_filename){\r\n      rewrite (.*) https:\/\/$host$1\/index.php;\r\n     }<\/span>\r\n   location ~ \\.php$ {\r\n     fastcgi_pass   127.0.0.1:9100;\r\n     fastcgi_index  index.php;\r\n     include        fastcgi.conf;\r\n   }\r\n}\r\n\r\nserver {\r\n   listen 443 ssl;\r\n   ssl on;\r\n   #\u6307\u5b9apem\u683c\u5f0f\u7684\u8bc1\u4e66\r\n   ssl_certificate \/etc\/letsencrypt\/live\/chenweikang.top\/fullchain.pem;\r\n   #\u6307\u5b9a\u79c1\u94a5\r\n   ssl_certificate_key  \/etc\/letsencrypt\/live\/chenweikang.top\/privkey.pem;\r\n   server_name www.chenweikang.top chenweikang.top;\r\n   root \/home\/wordpress\/server;\r\n   index index.html index.htm index.php;\r\n   error_page 404  \/ERROR\/404.html;\r\n    if (-f $request_filename\/index.html){\r\n          rewrite (.*) $1\/index.html break;\r\n     }\r\n\r\n    if (-f $request_filename\/index.php){\r\n          rewrite (.*) $1\/index.php;\r\n     }\r\n\r\n    if (!-f $request_filename){\r\n      rewrite (.*) $1\/index.php;\r\n     }\r\n   location ~ \\.php$ {\r\n     fastcgi_pass   127.0.0.1:9100;\r\n     fastcgi_index  index.php;\r\n     include        fastcgi.conf;\r\n   }\r\n}<\/span><\/pre>\n
\u91cd\u65b0\u52a0\u8f7dnginx\uff0c\u5c1d\u8bd5\u4f7f\u7528http\u8bbf\u95ee \uff0c\u82e5\u914d\u7f6e\u6b63\u786e\uff0c\u4f1a\u81ea\u52a8\u91cd\u5b9a\u5411\u5230https\"\"<\/a><\/p>\n
\u6700\u540e<\/h2>\n
Let's Encrypt \u6709\u6548\u671f\u4e3a90\u5929\uff0c\u6211\u4eec\u53ef\u4ee5\u521b\u5efa\u811a\u672c\u52a0\u5165\u5b9a\u65f6\u4efb\u52a1\uff0c\u81ea\u52a8\u751f\u6210\u5bc6\u94a5<\/strong><\/p>\n
\u7f16\u5199\u811a\u672c vim \/root\/createSSL.sh<\/p>\n
[root@iz2zeeuc8ed3wflgmb7rakz letsencrypt]# vim createSSL.sh \r\n#!\/bin\/bash\r\n\r\nlogDir=\"\/root\/createSSL.log\"\r\n\r\necho \"-------------\u91cd\u65b0\u751f\u6210\u8bc1\u4e66[\"`date`\"]--------\" >> $logDir\r\necho \"stop nginx : ok \" >> $logDir\r\n#\u505c\u6b62nginx\r\nsystemctl stop nginx >>  $logDir\r\n\r\necho \"\u751f\u6210\u8bc1\u4e66 :  \" >> $logDir\r\n\r\n#\u91cd\u65b0\u751f\u6210\u8bc1\u4e66\r\n\/software\/temp\/letsencrypt\/letsencrypt-auto certonly --renew-by-default  --standalone --email 354867750@qq.com -d chenweikang.top -d www.chenweikang.top >> $logDir\r\n\r\n\r\necho \"start nginx : ok \" >> $logDir\r\n#\u542f\u52a8nginx\r\nsystemctl start nginx >>  $logDir\r\n\r\necho \"--------------------------\u7ed3\u675f---------------------------\"  >> $logDir\r\n<\/pre>\n
\u522b\u5fd8\u4e86\u6743\u9650:<\/p>\n
chmod +x \/root\/createSSL.sh<\/span><\/p>\n
\u521b\u5efa\u5b9a\u65f6\u4efb\u52a1 crontab -e<\/p>\n
30 23 *\/60 * * expect \/root\/createSSL.sh\r\n<\/pre>\n
 <\/p>\n
\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1a\u5de6\u624b\u4ee3\u7801\u53f3\u624b\u8bd7<\/a> » \u4f7f\u7528SSL\u8bc1\u4e66\uff0c\u6446\u8131\u8fd0\u8425\u5546\u6d41\u91cf\u52ab\u6301\uff01<\/a><\/p>
\r\n            
\r\n                
~\u8c22\u8c22\u6253\u8d4f~<\/div>\r\n                
<\/div>
<\/div>
<\/div><\/div>\r\n