Obtaining a certbot certificate for a Spring Boot project (working setup)

If you already have a certificate, see the post "Enabling HTTPS in Spring Boot" instead.
The site running this setup: www.ybear-web.com

Method 1 (Method 2 is recommended)

Approach and installation flow

Obtain the certificate with certbot, convert it into a keystore with the JDK tools, and load it in the Spring Boot project.

Install the Apache httpd server on CentOS

Watch for port conflicts (nothing else may be bound to 80 and 443) and open both ports in the firewall.

Configure a vhost so certbot can complete validation

Add the following line to httpd.conf (the path is relative to ServerRoot, /etc/httpd):

Include conf/vhost/*.conf

or run:

echo "Include conf/vhost/*.conf" >> /etc/httpd/conf/httpd.conf

/etc/httpd/conf/vhost/ybear-web.com.conf

# The <VirtualHost> and <Directory> wrapper lines were lost when this page was
# extracted; the tags below are restored as assumptions (port 80 is the plain
# HTTP listener that certbot's HTTP-01 validation and the redirect rely on).
<VirtualHost *:80>
    ServerName www.ybear-web.com
    ServerAlias ybear-web.com *.ybear-web.com
    DocumentRoot "/var/www/ybear-web.com"
    ErrorLog "logs/ybear-web.com-error_log"
    CustomLog "logs/ybear-web.com-access_log" "%h %l %u %t \"%r\" %>s %b"
    <Directory "/var/www/ybear-web.com">
        # "Indexes" enables directory listing of the document root; use
        # "Options -Indexes +FollowSymLinks" unless you want that exposed.
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    RewriteEngine on
    # The "=" operator in RewriteCond is a literal string comparison, so a
    # pattern like "=*.ybear-web.com" never matches a real Host name and the
    # www host would not be redirected; list the hostnames actually served.
    RewriteCond %{SERVER_NAME} =www.ybear-web.com [OR]
    RewriteCond %{SERVER_NAME} =ybear-web.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

/etc/httpd/conf/vhost/ybear-web.com-le-ssl.conf

# The <IfModule>/<VirtualHost>/<Directory> wrapper lines were lost when this
# page was extracted; the tags below are restored as assumptions, following
# the layout certbot's Apache plugin uses for the *-le-ssl.conf it writes.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ybear-web.com
    ServerAlias ybear-web.com *.ybear-web.com
    DocumentRoot "/var/www/ybear-web.com"
    ErrorLog "logs/ybear-web.com-error_log"
    CustomLog "logs/ybear-web.com-access_log" "%h %l %u %t \"%r\" %>s %b"
    <Directory "/var/www/ybear-web.com">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    # options-ssl-apache.conf turns SSLEngine on and sets the protocol and
    # cipher policy. The SSL* lines point at certbot's live/ symlinks, which
    # always track the current certificate after a renewal.
    SSLCertificateFile /etc/letsencrypt/live/ybear-web.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ybear-web.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/ybear-web.com/chain.pem
</VirtualHost>
</IfModule>

Run

httpd -t

and check that it prints "Syntax OK" before reloading httpd.

Locate the .pem files

/etc/letsencrypt/live/ybear-web.com-0001

The -0001 suffix means certbot created a second certificate lineage for this name (it does this when a certificate is requested again with a different set of domains rather than renewed). The vhost above points at /etc/letsencrypt/live/ybear-web.com/, so run "certbot certificates", check which lineage actually covers ybear-web.com and *.ybear-web.com, and make the Apache config and the conversion steps below refer to that one.

Method 2 (recommended)

Get the certificate tool, certbot

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto has since been retired and is no longer served from dl.eff.org. On a current system install the certbot package instead (distribution package, snap or pip) and use "certbot" wherever "./certbot-auto" appears below; the options are the same.

Request the certificate

./certbot-auto certonly -d ybear-web.com -d '*.ybear-web.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

A wildcard name can only be validated with the DNS-01 challenge and only through the ACME v2 endpoint, which is why both --preferred-challenges dns and the --server URL are required. The wildcard is quoted so the shell does not try to expand it as a file glob. Because this is --manual, certbot cannot renew the certificate on its own: the DNS steps have to be repeated by hand, or a --manual-auth-hook script provided, before the 90-day certificate expires.

The command walks through several interactive prompts:

  • whether you agree to the Let's Encrypt subscriber agreement
  • whether you accept that this machine's IP address is publicly logged as having requested the certificate (certbot requires a yes for --manual)
  • an e-mail address, used for expiry and account notices
  • a confirmation; you must agree to continue

Now watch the command output closely; this is the critical part:

Please deploy a DNS TXT record under the name
_acme-challenge.<your domain> with the following value:

2_8KBE_jXH8nYZ2unEViIbW52LhIqxkg6i9mcwsRvhQ

Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification…
Cleaning up challenges

With two names on the command line (ybear-web.com and *.ybear-web.com) this prompt appears twice, with two different values, both for the same record name _acme-challenge.ybear-web.com. Both TXT records must exist at the same time; do not delete the first one when adding the second.

At your DNS provider, add a TXT record for _acme-challenge.<your domain> with that value. Do not press Enter until you have confirmed the record is live.

Then confirm from a public resolver that the TXT record has propagated:

dig -t txt _acme-challenge.<your domain> @8.8.8.8

Once the record shows up in the answer, press Enter.
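The check above is easy to get wrong by hand: the record may be visible from one resolver and not another, and with two names requested there are two values to look for under the same record name. The following script is an added example, not code from the original post; it polls a public resolver until every challenge value certbot printed is present as a whole TXT record. It assumes dig is installed, and the names RESOLVER, ATTEMPTS and SLEEP_SECS are chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm that every DNS-01
# challenge value certbot printed is visible in public DNS before pressing
# Enter. With "-d ybear-web.com -d *.ybear-web.com" certbot prints two values,
# both under _acme-challenge.ybear-web.com, so two TXT records with the same
# name must be present at once. Assumes dig is installed; RESOLVER, ATTEMPTS
# and SLEEP_SECS are names chosen for this example.

RESOLVER=${RESOLVER:-8.8.8.8}

# Print the TXT record bodies for name $1, one per line, quotes stripped.
# Kept in its own function so it can be replaced by a stub when testing offline.
dns_txt_lookup() {
    dig +short -t txt "$1" "@$RESOLVER" | tr -d '"'
}

# acme_txt_ready NAME VALUE... : succeed only if every VALUE is published as
# a whole TXT record under NAME (a prefix, or a stale value left over from an
# earlier run, does not count).
acme_txt_ready() {
    name=$1
    shift
    records=$(dns_txt_lookup "$name")
    for want in "$@"; do
        printf '%s\n' "$records" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# wait_for_acme_txt NAME VALUE... : poll until acme_txt_ready succeeds or
# ATTEMPTS lookups (SLEEP_SECS apart) have failed; non-zero on timeout.
wait_for_acme_txt() {
    name=$1
    shift
    attempts=${ATTEMPTS:-20}
    while [ "$attempts" -gt 0 ]; do
        if acme_txt_ready "$name" "$@"; then
            echo "all $# challenge value(s) visible under $name; safe to press Enter"
            return 0
        fi
        attempts=$((attempts - 1))
        sleep "${SLEEP_SECS:-15}"
    done
    echo "timed out waiting for TXT records under $name" >&2
    return 1
}

# Example call (the first value is the one shown in the post; the second is
# whatever certbot printed for the wildcard name):
#   wait_for_acme_txt _acme-challenge.ybear-web.com \
#       2_8KBE_jXH8nYZ2unEViIbW52LhIqxkg6i9mcwsRvhQ <second-value>
```

Run it in a second terminal while certbot is waiting at the prompt, passing every value certbot printed; only when it reports all values visible is it safe to press Enter. The exact-line match matters: a record left over from a previous attempt, or a value that only matches as a prefix, would otherwise make a doomed validation look ready.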

Congratulations, the certificate has been issued. certbot stores it under /etc/letsencrypt/live/ybear-web.com/ (fullchain.pem, privkey.pem, cert.pem and chain.pem); the next steps use those files.

Generate the .p12 file (Linux)

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat

Run this in /etc/letsencrypt/live/ybear-web.com/ (or pass the full paths). openssl prompts for an export password; use the same value you will give keytool as -srcstorepass in the next step (123456 below). Use fullchain.pem rather than cert.pem so the intermediate certificate is included; without it, clients that do not already have the intermediate fail to validate the chain.

.jks keystore (with the keytool utility in the JDK's bin directory)

keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype pkcs12 -srcstorepass 123456 -alias tomcat

This step is optional: Spring Boot's embedded Tomcat reads PKCS12 directly, so fullchain_and_key.p12 can be used as the key-store with server.ssl.key-store-type: PKCS12, which is one fewer file and password to manage.

application.yml configuration

server:
  port: 443                          # binding below 1024 needs root or CAP_NET_BIND_SERVICE
  ssl:
    key-store: MyDSKeyStore.jks      # relative to the working directory; use an absolute or classpath: path in production
    key-store-password: 123456       # same value as -deststorepass above; prefer ${KEYSTORE_PASSWORD} from the environment
    key-alias: tomcat                # the alias given to keytool / openssl -name
    protocol: TLS
    key-password: 123456             # same value as -destkeypass above
    enabled: true
  max-http-header-size: 8192
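Let's Encrypt certificates expire after 90 days, and the configuration above bakes a copy of the certificate into a keystore, so the conversion has to be repeated after every renewal or the app keeps serving the old certificate. The following script is an added example, not code from the post; it does the conversion as a certbot deploy hook (certbot runs deploy hooks with RENEWED_LINEAGE set to the live/ directory of the certificate just renewed) and writes a PKCS12 store that Spring Boot loads directly with key-store-type: PKCS12. The keystore path, the KEYSTORE_PASS environment variable, the systemd unit name and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: a certbot deploy hook that
# rebuilds the Spring Boot keystore after each renewal. certbot runs deploy
# hooks with RENEWED_LINEAGE set to the lineage directory (the
# /etc/letsencrypt/live/<name> path) of the certificate that was just renewed.
# Assumed for this example: the keystore path, the KEYSTORE_PASS environment
# variable, the systemd unit name, and the helper names below.
set -eu

KEYSTORE_PATH=${KEYSTORE_PATH:-/opt/ybear-web/keystore.p12}   # assumption
APP_SERVICE=${APP_SERVICE:-ybear-web}                         # assumption

# build_keystore LINEAGE_DIR OUT_P12 PASSWORD
# Packs fullchain.pem + privkey.pem into a PKCS12 store under the alias
# "tomcat" (as in the post). The store is written mode 600 through a temp
# file and moved into place, so the app never sees a half-written file.
build_keystore() {
    lineage=$1
    out=$2
    pass=$3
    tmp="$out.tmp.$$"
    ( umask 077
      openssl pkcs12 -export \
          -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
          -name tomcat -passout "pass:$pass" -out "$tmp" )
    mv -f "$tmp" "$out"
}

# keystore_subject P12 PASSWORD : print the subject of the leaf certificate
# in the store; fails if the store cannot be opened with that password.
keystore_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -subject
}

# keystore_valid_for P12 PASSWORD SECONDS : succeed only if the leaf
# certificate is still valid SECONDS from now (a sanity check that the
# renewed certificate, not a stale one, went into the store).
keystore_valid_for() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -checkend "$3" >/dev/null
}

# Hook entry point: only runs when certbot invokes us with RENEWED_LINEAGE,
# so the file can also be sourced to reuse the helpers.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS in the environment, not on the command line}"
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE_PATH" "$KEYSTORE_PASS"
    keystore_subject "$KEYSTORE_PATH" "$KEYSTORE_PASS"
    # a certificate that expires within a day means the wrong lineage was used
    keystore_valid_for "$KEYSTORE_PATH" "$KEYSTORE_PASS" 86400
    systemctl restart "$APP_SERVICE"
fi
```

Install it with "certbot renew --deploy-hook /path/to/this-script.sh" or by placing it in /etc/letsencrypt/renewal-hooks/deploy/, and point application.yml at the .p12 with key-store-type: PKCS12 and the same password. For a certificate obtained with --manual, as in this post, "certbot renew" only succeeds if a --manual-auth-hook that publishes the TXT records is configured as well. If the application fails to open a store written by OpenSSL 3, the cause is usually an older JDK that cannot read the newer default PKCS12 encryption; re-export with OpenSSL's -legacy option or update the JDK.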
