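Installing certificates with certbot -- nginx

Prerequisite: Python 2.7.
Use certbot to install a site certificate and enable HTTPS.
Official guide: https://certbot.eff.org/
Installer: wget https://dl.eff.org/certbot-auto
For a site served by nginx:
First you need a virtual host: configure the virtual site, enable name-based virtual hosting (NameVirtualHost), and listen on port 443.
nginx was installed with yum.
The conf.d directory contains default.conf, ssl.conf and virtual.conf.
First create the site abc.wang.com; additional sites such as 123.wang.com use the same directory.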

vim virtual.conf
    server {
        listen       8000;
        listen 443 ssl; # managed by Certbot
        server_name  abc.wang.com 123.wang.com; # separate multiple domain names with spaces
        ssl_certificate /etc/letsencrypt/live/abc.wang.com/fullchain.pem; # managed by Certbot  #1
        ssl_certificate_key /etc/letsencrypt/live/abc.wang.com/privkey.pem; # managed by Certbot  #2 created and added automatically during the certbot step
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        if ($server_port = "8000") { return 301 https://$server_name$request_uri; } # added to redirect to https ($request_uri already starts with "/")
        location / {
            root   /var/www/html/nginx;
            index  index.html index.htm;
        }
    
    }

./certbot --nginx certonly
After the certificate installation completes, the /etc/letsencrypt/live/ directory contains an abc.wang.com directory.

cd /etc/letsencrypt/live/abc.wang.com/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

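The certificate installation part is now complete.
Next, load the certificate in the nginx configuration.
To do that, enable ssl.conf by uncommenting it, and correct the certificate paths.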

vim ssl.conf
#
# HTTPS server configuration
#

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl;
    server_name  abc.wang.com;
    root         /var/www/html/wang;

    ssl_certificate /etc/letsencrypt/live/abc.wang.com/fullchain.pem; # fullchain.pem (certificate plus intermediates); cert.pem alone omits the chain
    ssl_certificate_key /etc/letsencrypt/live/abc.wang.com/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
#
#    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
#
    location / {
    }
#
#    error_page 404 /404.html;
#        location = /40x.html {
#    }
#
#    error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#    }
}

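One more rewrite rule is needed so that HTTP requests are redirected to HTTPS.
Edit the virtual configuration file.

Add the following inside the server block ($request_uri already starts with "/", so no extra slash is needed):

if ($server_port = "8000") { return 301 https://$server_name$request_uri; }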

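Check which virtual host configuration files are loaded (nginx has no -D DUMP_VHOSTS option, that is Apache httpd syntax; nginx -T tests the configuration and dumps every loaded file):

nginx -T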
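
A lint for three mistakes that are easy to make in configurations like the ones above (a certificate without its chain, a key taken from a different live/ directory, and a doubled slash in the HTTPS redirect), as an added example that is not part of the original post. The function names and the sample config are constructed for illustration.

```shell
# Added example (not from the original post): lint the TLS directives of an
# nginx config file. Function names and the sample config are constructed.

audit_nginx_tls() {   # $1 = config file; prints "line: CODE message" per finding
    awk '
        /^[ \t]*#/ { next }          # ignore commented-out directives
        { sub(/[ \t]*#.*$/, "") }    # strip trailing comments
        $1 == "ssl_certificate" {
            path = $2; sub(/;$/, "", path)
            cert_dir = path; sub("/[^/]*$", "", cert_dir)
            if (path ~ "/cert\\.pem$")
                print NR ": CHAIN cert.pem has no intermediates, use fullchain.pem"
        }
        $1 == "ssl_certificate_key" {
            path = $2; sub(/;$/, "", path)
            key_dir = path; sub("/[^/]*$", "", key_dir)
            # assumes the key follows its certificate inside the server block
            if (cert_dir != "" && key_dir != cert_dir)
                print NR ": PAIR key is not in the same directory as the certificate"
        }
        $0 ~ "return[ \t]+30[1278][ \t]+https://[^ \t;]*/\\$request_uri" {
            print NR ": SLASH $request_uri already starts with /, drop the extra one"
        }
    ' "$1"
}

sample_conf() {   # constructed input modelled on the directives discussed above
    cat <<'EOF'
server {
    listen 8000;
    listen 443 ssl;
    server_name abc.wang.com;
    ssl_certificate /etc/letsencrypt/live/abc.wang.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/123.wang.com/privkey.pem;
    # ssl_certificate /etc/letsencrypt/live/old/cert.pem;
    if ($server_port = "8000") { return 301 https://$server_name/$request_uri; } # redirect
}
EOF
}

audit_sample() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    audit_nginx_tls "$tmp"
    rm -f "$tmp"
}

audit_sample
```

To check real files, call audit_nginx_tls on each file under conf.d; no output means none of the three patterns was found.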
