Our server sits inside the company, with an IP from China Unicom and a router set up so the network can be reached from outside. We run a number of tools on it, such as GitLab, a chat tool and network backup, and accessing them is a hassle: the domain has no ICP filing, every service has to be reached with an explicit port number, and port 80 is said to be blocked. With HTTPS the browser defaults to port 443, so no port needs to be typed. Below is how to set up an SSL certificate issued by Let's Encrypt.

This tutorial is archived on my GitHub; corrections and stars are welcome.

Install the EPEL repository

First, install the Let's Encrypt certificate tool, which is available in the CentOS EPEL repository. Before installing it, check whether the EPEL repository is already configured:

# The repository file is named epel.repo
cd /etc/yum.repos.d/

If it is not there, install it directly:

sudo yum install epel-release -y

Install the certificate issuing tool

sudo yum install certbot-nginx -y

Apply for the certificate

Error: the nginx command is not found

sudo certbot --nginx
# Saving debug log to /var/log/letsencrypt/letsencrypt.log
# The nginx plugin is not working; there may be problems with your existing configuration.
# The error was: NoInstallationError()

# If you see the above error, run the following commands to find out where nginx is installed
which nginx # check the directory
# output: /usr/local/nginx/sbin/nginx
yum info nginx

The solution

# Make the nginx binary and its configuration directory visible where Certbot expects them
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx

Error: wrong nginx configuration directory

sudo certbot --nginx
# Saving debug log to /var/log/letsencrypt/letsencrypt.log
# Error while running nginx -c /etc/nginx/nginx.conf -t.

# nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)
# nginx: configuration file /etc/nginx/nginx.conf test failed

# The nginx plugin is not working; there may be problems with your existing configuration.
# The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)

The workaround is to make Certbot believe the configuration it expects exists: let Certbot write its SSL settings into a copy of your nginx configuration under /etc/nginx/, then copy those settings back into the configuration nginx actually runs with. Certbot does not ask which directory nginx starts from.

# The default nginx configuration directory is /usr/local/nginx/conf,
# not /etc/nginx/; copy it to /etc/nginx/
cp -r /usr/local/nginx/conf/* /etc/nginx/

# Back up the systemd unit, then change all directories in it to /etc/nginx/
cp /lib/systemd/system/nginx.service{,.bak}
vim /lib/systemd/system/nginx.service

# Verify that the configuration is correct
nginx -t -c /etc/nginx/nginx.conf

Once the test passes, copy the SSL settings Certbot generated into your original running configuration in the default install directory, /usr/local/nginx/conf/. Certbot adds the following lines to the configuration; these are the ones to copy.

{
  ssl_certificate /etc/letsencrypt/live/chat.wangchujiang.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/chat.wangchujiang.com/privkey.pem; # managed by Certbot
}

Formally apply for the certificate

First run the certificate generation command and select the site for which you want to configure an SSL certificate; this assumes your site is already configured in nginx.

sudo certbot --nginx certonly
# Saving debug log to /var/log/letsencrypt/letsencrypt.log
# Plugins selected: Authenticator nginx, Installer nginx
# Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
# 
# Which names would you like to activate HTTPS for?
# -------------------------------------------------------------------------------
# 1: chat.wangchujiang.com
# 2: g.wangchujiang.com
# 3: pan.wangchujiang.com
# -------------------------------------------------------------------------------
# Select the appropriate numbers separated by commas and/or spaces, or leave input
# blank to select all options shown (Enter 'c' to cancel): 2

In the preceding example, g.wangchujiang.com (option 2) is selected and a certificate is generated for it. The verification process follows. Because certonly is given, only the certificate is generated and the nginx configuration is not modified.

# Obtaining a new certificate
# Performing the following challenges:
# tls-sni-01 challenge for g.wangchujiang.com
# Waiting for verification...
# Cleaning up challenges
# 
# IMPORTANT NOTES:
# - Congratulations! Your certificate and chain have been saved at:
# /etc/letsencrypt/live/g.wangchujiang.com/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/g.wangchujiang.com/privkey.pem
# Your cert will expire on 2018-03-13. To obtain a new or tweaked
# version of this certificate in the future, simply run certbot
# again. To non-interactively renew *all* of your certificates, run
# "certbot renew"
# - If you like Certbot, please consider supporting our work by:
# 
# Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
# Donating to EFF: https://eff.org/donate-le

Now you can add it to your nginx configuration. Here is an example of an nginx configuration.

Configure nginx

# HTTP redirects to HTTPS
server {
  listen       80;
  server_name  g.wangchujiang.com;
  rewrite ^ https://$http_host$request_uri? permanent;
  # Enables or disables emitting the nginx version on error pages and in the "Server" response header field.
  server_tokens off;
}
# HTTPS configuration
server {
  listen       443 ssl;
  server_name  g.wangchujiang.com;

  ssl_certificate /etc/letsencrypt/live/g.wangchujiang.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/g.wangchujiang.com/privkey.pem;
  # Hide the server version in the header so attackers cannot target version-specific vulnerabilities
  server_tokens off;

  # Type and size of the SSL/TLS session cache. "builtin" can cause memory
  # fragmentation; the default is "none", which, like "off", disables caching.
  # shared:SSL:10m means all nginx worker processes share one SSL session cache;
  # according to the official docs, 1m holds about 4000 sessions.
  ssl_session_cache    shared:SSL:1m;

  # How long a client may reuse the session parameters stored in the cache.
  # The default 5 minutes is too short for an intranet system; 30m or even 4h is fine.
  ssl_session_timeout  5m;

  # Select the cipher suites; the suites (and their order) supported by different browsers may differ.
  # Run: openssl ciphers -v 'RC4:HIGH:!aNULL:!MD5' (with the suite string you specify) to list the supported algorithms.
  ssl_ciphers HIGH:!aNULL:!MD5;
  # When negotiating the cipher, prefer the server's suite order over the client browser's.
  ssl_prefer_server_ciphers  on;

  location / {
    root   html;
    index  index.html index.htm;
  }
}
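Because the Certbot lines are merged into /usr/local/nginx/conf/ by hand, it is easy to reload nginx with a half-finished server block. The following shell lint is an added example, not part of the original tutorial: it inspects one nginx configuration file for the directives used above (HTTPS listener, Let's Encrypt certificate and key paths, server_tokens off, server cipher preference, and the port 80 redirect) and reports each one that is missing. The path to nginx.conf and the hostnames are whatever the file contains; the check only reads the file.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint an nginx config for the
# TLS settings the tutorial merges in by hand, before reloading nginx.
# Usage: check_tls_config /usr/local/nginx/conf/nginx.conf && nginx -s reload

# Succeed if the extended regex matches a non-comment part of the config file.
has_directive() {
  sed 's/#.*$//' "$1" | grep -Eq "$2"
}

# Print each missing setting to stderr; return the number missing (0 = pass).
check_tls_config() {
  conf="$1"
  missing=0
  # Each spec is "regex@message"; '@' does not occur in the regexes.
  for spec in \
    'listen[[:space:]]+443[[:space:]]+ssl;@no HTTPS listener (listen 443 ssl)' \
    'ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem;@ssl_certificate is not a certbot fullchain.pem' \
    'ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem;@ssl_certificate_key is not a certbot privkey.pem' \
    'server_tokens[[:space:]]+off;@server_tokens off is missing (nginx version is disclosed)' \
    'ssl_prefer_server_ciphers[[:space:]]+on;@ssl_prefer_server_ciphers on is missing' \
    'listen[[:space:]]+80;@no port 80 listener to redirect from' \
    '(rewrite[[:space:]]+\^[[:space:]]+https://|return[[:space:]]+30[12][[:space:]]+https://)@no HTTP to HTTPS redirect'; do
    regex=${spec%%@*}
    msg=${spec#*@}
    if ! has_directive "$conf" "$regex"; then
      echo "$conf: $msg" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}
```

A commented-out directive (for example `# server_tokens off;`) counts as missing, because the comment is stripped before matching.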