This tutorial uses a free certificate from Let's Encrypt.
First check how nginx was built.
Run nginx -V
-bash-4.2# nginx -V
nginx version: nginx/1.15.8
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Check that the configure arguments include --with-http_ssl_module (this build also has --with-http_v2_module, so HTTP/2 can be enabled on the TLS listener later).
Make sure the domain you are requesting the certificate for resolves to this server's IP, i.e. that DNS really points the name at this machine. You can check this with nslookup.
Run nslookup www.yourwebsite.com
If you get -bash: nslookup: command not found, install it with the following command:
yum install bind-utils
-bash-4.2# yum install bind-utils
...
Installed:
bind-utils.x86_64 32:9.9.4-73.el7_6
Dependency Installed:
bind-libs.x86_64 32:9.9.4-73.el7_6
Complete!
Once it is installed, run nslookup www.yourwebsite.com again
-bash-4.2# nslookup pangge.info
Server: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#xx
Non-authoritative answer:
Name: xxxxx.xxxx <--- check that this matches your domain
Address: xx.xxx.xxx.xxx <--- check that this matches your server's IP
Let's Encrypt validates control of the domain before it issues anything. With the http-01 challenge used below, its validation servers resolve the name's A/AAAA records and fetch a token over port 80 from that address, so the name must resolve to the host you run certbot on. If the name also has an AAAA record, that record must point at this host as well, because validation is attempted over IPv6 when an AAAA record exists.
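The check just described, as a small pre-flight script. This is an added example and not part of the original post: it parses nslookup output of the shape shown above (the sample output and the addresses 10.0.0.2, 203.0.113.10 and 198.51.100.7 are constructed) and compares the answer-section addresses with the IP you expect; live_check additionally queries A and AAAA records for a real name.

```shell
#!/bin/sh
# Added example: does the name you will pass to "certbot -d" resolve to this host?
# Uses nslookup (bind-utils) output in the format shown on the page.

# Constructed sample output, shaped like the redacted nslookup run above.
# 10.0.0.2 is the resolver; 203.0.113.10 is the address the name resolves to.
SAMPLE_NSLOOKUP='Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
Name:   pangge.info
Address: 203.0.113.10
'

# Print only the addresses from the answer section. The resolver's own
# "Server:/Address:" header lines come before "Non-authoritative answer:"
# (or before the first "Name:" line for an authoritative answer) and are skipped.
answer_addresses() {
    printf '%s\n' "$1" | awk '
        /^Non-authoritative answer:/ { in_answer = 1; next }
        /^Name:/                     { in_answer = 1; next }
        in_answer && /^Address:/     { print $2 }
    '
}

# Exit 0 if $2 is one of the addresses in the nslookup output $1, 1 otherwise.
dns_points_here() {
    nslookup_output=$1
    server_ip=$2
    answer_addresses "$nslookup_output" | grep -q -x "$server_ip"
}

# Live check. Pass the server's *public* IP explicitly: on a cloud host behind
# NAT the interface address is not the one DNS must point at. The optional third
# argument checks the AAAA record too, since Let's Encrypt validates over IPv6
# when an AAAA record exists.
# Usage: live_check pangge.info 203.0.113.10 [2001:db8::10]
live_check() {
    domain=$1
    ipv4=$2
    ipv6=$3
    dns_points_here "$(nslookup -type=A "$domain")" "$ipv4" || {
        echo "A record for $domain does not point at $ipv4" >&2
        return 1
    }
    if [ -n "$ipv6" ]; then
        dns_points_here "$(nslookup -type=AAAA "$domain")" "$ipv6" || {
            echo "AAAA record for $domain does not point at $ipv6" >&2
            return 1
        }
    fi
    echo "$domain resolves to this host"
}

# Offline demonstration on the constructed sample:
answer_addresses "$SAMPLE_NSLOOKUP"
dns_points_here "$SAMPLE_NSLOOKUP" 203.0.113.10 && echo "match"
dns_points_here "$SAMPLE_NSLOOKUP" 198.51.100.7 || echo "mismatch"
```

Run it as live_check yourdomain 203.0.113.10 before requesting the certificate; a non-zero exit means the http-01 challenge would be sent to a different machine.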
Install git and bc: yum install -y git bc
Run yum -y install yum-utils
Run yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
(These repository IDs exist on RHEL 7 images on AWS. On CentOS 7 certbot is packaged in EPEL instead, so enable EPEL there.)
Run yum install certbot python2-certbot-nginx
The packaged certbot pulls in its own Python dependencies; the next three commands install build dependencies that are only needed when certbot is built from source, and do no harm otherwise.
Run yum install -y git python27
Run yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
Run yum install python-argparse
Run service nginx stop
(Stopping nginx is only required for the standalone authenticator, which binds port 80 itself. The nginx plugin, which is what actually gets used below, expects nginx to be running; running it against a stopped nginx is what produces the "invalid PID number" error in the output further down.)
Run certbot --nginx certonly --email [email protected] -d pangge.info
The original command also passed --standalone, but --nginx and --standalone are two different authenticators and should not be combined; the email option is --email (or -m), with two dashes.
If instead you see the error below (the python-requests and urllib3 modules installed on this host do not match each other), you can run pip install requests urllib3 pyOpenSSL --force --upgrade. Be aware of what that does: it runs pip as root against the system site-packages and overwrites modules owned by RPM packages (pip says so in the "Uninstalling a distutils installed project" warnings below), after which yum no longer tracks those files. --force is accepted as an abbreviation of pip's --force-reinstall.
-bash-4.2# certbot --nginx certonly --standalone -email [email protected] -d pangge.info
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.30.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 18, in <module>
from certbot import account
File "/usr/lib/python2.7/site-packages/certbot/account.py", line 18, in <module>
from acme import messages
File "/usr/lib/python2.7/site-packages/acme/messages.py", line 8, in <module>
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 12, in <module>
import requests
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'
Run pip install requests urllib3 pyOpenSSL --force --upgrade
-bash-4.2# pip install requests urllib3 pyOpenSSL --force --upgrade
Collecting requests
Downloading https://files.pythonhosted.org/packages/7d/e3/20f3d364d6c8e5d2353c72a67778eb189176f08e873c9900e10c0287b84b/requests-2.21.0-py2.py3-none-any.whl (57kB)
100% |████████████████████████████████| 61kB 19kB/s
Collecting urllib3
Downloading https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl (118kB)
100% |████████████████████████████████| 122kB 24kB/s
Collecting pyOpenSSL
Downloading https://files.pythonhosted.org/packages/01/c8/ceb170d81bd3941cbeb9940fc6cc2ef2ca4288d0ca8929ea4db5905d904d/pyOpenSSL-19.0.0-py2.py3-none-any.whl (53kB)
100% |████████████████████████████████| 61kB 17kB/s
Collecting chardet<3.1.0,>=3.0.2 (from requests)
Downloading https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl (133kB)
100% |████████████████████████████████| 143kB 28kB/s
Collecting idna<2.9,>=2.5 (from requests)
Downloading https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl (58kB)
100% |████████████████████████████████| 61kB 19kB/s
Collecting certifi>=2017.4.17 (from requests)
Downloading https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl (154kB)
100% |████████████████████████████████| 163kB 19kB/s
Collecting cryptography>=2.3 (from pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/17/fd/4c2c8953a9dfe38fbe0c3adafb6355540bd98cef70cc82734acb0a4c0e2f/cryptography-2.5-cp27-cp27mu-manylinux1_x86_64.whl (2.4MB)
100% |████████████████████████████████| 2.4MB 27kB/s
Collecting six>=1.5.2 (from pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/73/fb/00a976f728d0d1fecfe898238ce23f502a721c0ac0ecfedb80e0d88c64e9/six-1.12.0-py2.py3-none-any.whl
Collecting enum34; python_version < "3" (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/c5/db/e56e6b4bbac7c4a06de1c50de6fe1ef3810018ae11732a50f15f62c7d050/enum34-1.1.6-py2-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/ea/cd/35485615f45f30a510576f1a56d1e0a7ad7bd8ab5ed7cdc600ef7cd06222/asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
100% |████████████████████████████████| 102kB 10kB/s
Collecting cffi!=1.11.3,>=1.8 (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/9f/1f/f825741ebadb8497d1c3ec954062f1e09e97881618eecc9ef7c5c7ff8bbb/cffi-1.12.1-cp27-cp27mu-manylinux1_x86_64.whl (413kB)
100% |████████████████████████████████| 419kB 49kB/s
Collecting ipaddress; python_version < "3" (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/fc/d0/7fc3a811e011d4b388be48a0e381db8d990042df54aa4ef4599a31d39853/ipaddress-1.0.22-py2.py3-none-any.whl
Collecting pycparser (from cffi!=1.11.3,>=1.8->cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/68/9e/49196946aee219aead1290e00d1e7fdeab8567783e83e1b9ab5585e6206a/pycparser-2.19.tar.gz (158kB)
100% |████████████████████████████████| 163kB 13kB/s
Installing collected packages: urllib3, chardet, idna, certifi, requests, enum34, asn1crypto, pycparser, cffi, six, ipaddress, cryptography, pyOpenSSL
Found existing installation: urllib3 1.22
Uninstalling urllib3-1.22:
Successfully uninstalled urllib3-1.22
Found existing installation: chardet 3.0.4
Uninstalling chardet-3.0.4:
Successfully uninstalled chardet-3.0.4
Found existing installation: idna 2.4
Uninstalling idna-2.4:
Successfully uninstalled idna-2.4
Found existing installation: certifi 2017.7.27.1
Uninstalling certifi-2017.7.27.1:
Successfully uninstalled certifi-2017.7.27.1
Found existing installation: requests 2.6.0
DEPRECATION: Uninstalling a distutils installed project (requests) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling requests-2.6.0:
Successfully uninstalled requests-2.6.0
Found existing installation: enum34 1.0.4
DEPRECATION: Uninstalling a distutils installed project (enum34) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling enum34-1.0.4:
Successfully uninstalled enum34-1.0.4
Found existing installation: pycparser 2.14
Uninstalling pycparser-2.14:
Successfully uninstalled pycparser-2.14
Running setup.py install for pycparser ... done
Found existing installation: cffi 1.6.0
Uninstalling cffi-1.6.0:
Successfully uninstalled cffi-1.6.0
Found existing installation: six 1.9.0
Uninstalling six-1.9.0:
Successfully uninstalled six-1.9.0
Found existing installation: ipaddress 1.0.16
DEPRECATION: Uninstalling a distutils installed project (ipaddress) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling ipaddress-1.0.16:
Successfully uninstalled ipaddress-1.0.16
Found existing installation: cryptography 1.7.2
Uninstalling cryptography-1.7.2:
Successfully uninstalled cryptography-1.7.2
Found existing installation: pyOpenSSL 0.13.1
DEPRECATION: Uninstalling a distutils installed project (pyOpenSSL) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling pyOpenSSL-0.13.1:
Successfully uninstalled pyOpenSSL-0.13.1
Successfully installed asn1crypto-0.24.0 certifi-2018.11.29 cffi-1.12.1 chardet-3.0.4 cryptography-2.5 enum34-1.1.6 idna-2.8 ipaddress-1.0.22 pyOpenSSL-19.0.0 pycparser-2.19 requests-2.18.4 six-1.12.0 urllib3-1.24.1
You are using pip version 8.1.2, however version 19.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Then run pip install requests==2.6.0 to pin requests back to the version the system package had shipped (the version the uninstall log above reports). The certificate was then obtained with the run below; note that it uses only the nginx plugin, and that the email address is entered at the prompt:
-bash-4.2# certbot --nginx certonly -d pangge.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pangge.info
Using default address 80 for authentication.
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/pangge.info/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/pangge.info/privkey.pem
Your cert will expire on 2019-05-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Run yum install openssl
This provides the openssl command-line tool, with which you can inspect what was issued: openssl x509 -in /etc/letsencrypt/live/pangge.info/fullchain.pem -noout -subject -issuer -dates
With that, the environment is ready; now configure nginx.
Remember the directory /etc/letsencrypt/live/<domain>; it is needed in a moment. Also note the expiry date in the output above (2019-05-27): Let's Encrypt certificates are valid for 90 days, so schedule certbot renew to run regularly, test it with certbot renew --dry-run, and make sure nginx is reloaded after a renewal (for example with --deploy-hook "systemctl reload nginx"), otherwise it keeps serving the old certificate it loaded at startup.
Edit the nginx configuration. On my machine the main file is /etc/nginx/nginx.conf; in that directory there is a default.conf file (the stock nginx package keeps it under /etc/nginx/conf.d/).
Change it to match the following:
    server {
        listen 80;
        server_name pangge.info;

        # The ACME http-01 challenge must stay reachable over plain HTTP so that
        # renewals keep working. The redirect therefore sits inside "location /"
        # rather than at server level: a server-level "return" runs before
        # location matching and would redirect the challenge as well. The nginx
        # plugin injects its own exact-match challenge location at renewal time;
        # this webroot location is for renewals done with --webroot.
        location /.well-known/acme-challenge/ {
            root /usr/share/nginx/html;
        }

        location / {
            return 301 https://pangge.info$request_uri;
        }
    }

    server {
        # nginx 1.15.x: "ssl on;" is deprecated, the ssl flag belongs on listen.
        # http2 is available because the build above has --with-http_v2_module.
        listen 443 ssl http2;
        server_name pangge.info;

        ssl_certificate     /etc/letsencrypt/live/pangge.info/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pangge.info/privkey.pem;
        #ssl_client_certificate ca.crt;   # mutual TLS (client certificates)
        #ssl_verify_client on;            # mutual TLS (client certificates)

        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:10m;
        # This nginx links OpenSSL 1.0.2k, which has no TLS 1.3, so TLS 1.2 only.
        # Never enable SSLv2, SSLv3 or TLSv1 as older copies of this snippet did.
        ssl_protocols TLSv1.2;
        # Forward-secret AEAD suites only; no RC4, no LOW/MEDIUM/EXPORT grades.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;

        # Tell browsers to stay on HTTPS. Only enable this once you are sure the
        # whole site works over TLS; browsers remember it for max-age seconds.
        add_header Strict-Transport-Security "max-age=31536000" always;

        #charset koi8-r;
        #access_log /var/log/nginx/host.access.log main;

        location / {
            root  /usr/share/nginx/html;
            index index.php index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:8080
        location ~ \.php$ {
            proxy_pass http://127.0.0.1:8080;
            # let the backend know the original host and that the client used HTTPS
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #location ~ /\.ht {
        #    deny all;
        #}
    }
Run nginx -t to check the syntax and then reload nginx. With that the whole site is behind TLS: requests on port 80 get a 301 to the https:// URL, so the domain is effectively reachable only over HTTPS.
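The TLS directives are where copied nginx snippets most often go wrong: the version of this server block that circulates with "ssl on;", "ssl_protocols SSLv2 SSLv3 TLSv1;" and an RC4/LOW/EXPORT cipher list gives an https:// site that is weaker than it looks. Below is a small lint for exactly those settings, added here as an example and not part of the original post. The two config strings are constructed (the weak one reproduces that circulating snippet, the hardened one is TLS 1.2 only, which is the most OpenSSL 1.0.2k supports); the file name in the lint_file usage is a placeholder.

```shell
#!/bin/sh
# Added example: flag weak TLS settings in an nginx server block.

# Constructed: the protocol/cipher lines as they appear in the weak snippet.
WEAK_CONF='server {
    listen 443;
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}'

# Constructed: a hardened form. The commented-out line must not count.
HARDENED_CONF='server {
    listen 443 ssl http2;
    # ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}'

# Print one finding per line for the config text in $1 (prints nothing if clean).
# Cipher-string tokens are only flagged when enabled ("+LOW", ":LOW"), not when
# excluded ("!LOW"), which is why the character before the token is checked.
tls_findings() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        /^[ \t]*ssl[ \t]+on[ \t]*;/ {
            print "ssl on is deprecated in nginx 1.15+: use listen 443 ssl"
        }
        /^[ \t]*ssl_protocols[ \t]/ {
            if ($0 ~ /SSLv2/)           print "ssl_protocols enables SSLv2"
            if ($0 ~ /SSLv3/)           print "ssl_protocols enables SSLv3"
            if ($0 ~ /TLSv1[ \t;]/)     print "ssl_protocols enables TLSv1.0"
            if ($0 ~ /TLSv1\.1/)        print "ssl_protocols enables TLSv1.1"
        }
        /^[ \t]*ssl_ciphers[ \t]/ {
            if ($0 ~ /[:+ ]RC4/)        print "ssl_ciphers includes RC4"
            if ($0 ~ /[:+ ]LOW/)        print "ssl_ciphers includes LOW-grade suites"
            if ($0 ~ /[:+ ]EXP/)        print "ssl_ciphers includes EXPORT suites"
            if ($0 ~ /[:+ ]MEDIUM/)     print "ssl_ciphers includes MEDIUM-grade suites"
        }
    '
}

# Number of findings; 0 means clean.
tls_findings_count() {
    tls_findings "$1" | wc -l | tr -d ' '
}

# Lint a real file, e.g. lint_file /etc/nginx/conf.d/default.conf
# (placeholder path). Exit status 1 when anything was flagged, so it can gate
# a deployment alongside "nginx -t".
lint_file() {
    findings=$(tls_findings "$(cat "$1")")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
}

echo "findings for the weak snippet:"
tls_findings "$WEAK_CONF"
echo "findings for the hardened snippet: $(tls_findings_count "$HARDENED_CONF")"
```

The lint deliberately reads only the static text: it does not know which protocols the linked OpenSSL actually offers, so confirm the live result too, for example with openssl s_client -connect pangge.info:443 -tls1 (which should be refused) and -tls1_2 (which should succeed).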