Centos下免费开启https服务 - Nginx

摘要：超文本传输安全协议英语，缩写，常称为，或是一种透过计算器网上进行安全通信的传输协议。超文本传输安全协议为什么要开启安全性开启免费服务我们今天介绍的免费签名平台是，安装过程以为例，如果你使用了其他系统或其他服务类型可前往查看相应部署方法。

超文本传输安全协议（英语：Hypertext Transfer Protocol Secure，缩写：HTTPS，常称为HTTP over TLS，HTTP over SSL或HTTP Secure）是一种透过计算器网上进行安全通信的传输协议。HTTPS经由HTTP进行通信，但利用SSL/TLS来加密数据包。HTTPS开发的主要目的，是提供对网站服务器的身份认证，保护交换数据的隐私与完整性。这个协议由网景公司（Netscape）在1994年首次提出，随后扩展到互联网上。—— 超文本传输安全协议 from WIKI

我们今天介绍的免费签名平台是Let"s Encrypt，安装过程以CentOS 7 + Nginx为例，如果你使用了其他系统或其他服务类型可前往Certbot查看相应部署方法。

提示：如果你在使用RHEL on EC2，你可以运行以下代码来开启选项通道（optional channel）：
$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-> server-optional

开启选项通道后运行下面代码安装Certbot：

$ sudo yum install python2-certbot-nginx

给Certbot安装Nginx插件：

$ sudo certbot --nginx

运行这个命令会自动为你获取证书，并且Certbot会自动配置你的Nginx以提供服务。如果你想要手动修改Nginx配置可以使用certonly子命令：

$ sudo certbot --nginx certonly

执行自动配置命令后命令行输出下文：

# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter "c" to
cancel): [ email@example.com ]

提示你输入接收紧急更新和安全提示的邮箱，

输入邮箱键入回车进入下一步（输入"c"并回车放弃设置该邮箱）。

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

要求阅读协议，输入A同意该协议并继续。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let"s Encrypt project and the non-profit
organization that develops Certbot? We"d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

询问邮箱是否接受广告，输入N拒绝并继续。

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter "c" to cancel): 

输入你的域名（例如：example.me）并继续。

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you"re confident your site works on HTTPS. You can undo this
change by editing your web server"s configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press "c" to cancel): 

选择是否将http请求重定向至https，输入1不改变当前服务器配置（不重定向），输入2将自动配置所有http请求的重定向。

既然我们要开启https服务就输入2并继续。

Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.me

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.me/privkey.pem
   Your cert will expire on 2019-02-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let"s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

出现以上提示就说明配置成功啦，赶快去访问一下试试吧。