Getting HTTPS on my small site: the pitfalls
Rambling
Actually, the site's HTTPS was already set up last year, and the summary of the whole process (the pitfalls) was mostly written back then, but I was busy with school coursework, so it never got published on the site.
I chose a Let's Encrypt certificate for HTTPS. (Let's Encrypt is a certificate authority launched in 2015 that provides free SSL/TLS certificates for secure websites through an automated process designed to remove the complex manual steps of creating and installing certificates.)
To install this certificate for a website, all you need is Certbot from the Electronic Frontier Foundation (EFF).
On the Certbot website, pick the server software and operating system your site runs on, and it shows the matching installation steps.
I originally thought I could just follow that tutorial, copy and paste the commands, and be done. That was far too naive.
All sorts of errors popped up along the way, which is how the notes below came about.
The pitfalls
Reference site for the process:
In short: on the server, install Certbot first, then use Certbot to obtain the Let's Encrypt certificate and apply it to your site.
However, while installing Certbot you may run into the following problems:
Problem 1: "nginx command not found" error
When running sudo certbot --nginx, this error appeared:
# Saving debug log to /var/log/letsencrypt/letsencrypt.log
# The nginx plugin is not working; there may be problems with your existing configuration.
# The error was: NoInstallationError()
After that problem was solved, the next one appeared.
Problem 2: missing --with-http_ssl_module
When running sudo certbot --nginx, this error appeared:
# Saving debug log to /var/log/letsencrypt/letsencrypt.log
# The nginx plugin is not working; there may be problems with your existing configuration.
# The error was: PluginError('Nginx build is missing SSL module (--with-http_ssl_module).',)
This error means the current nginx build lacks the --with-http_ssl_module module, so we need to add it.
Adding a new module to nginx means recompiling it. The steps are roughly:
- Locate the directory you originally built nginx from
- Enter that directory and run: ./configure --prefix=/usr/local/nginx --with-http_ssl_module
- Then compile with: make
- Overwrite the old executable with the newly built one: sudo cp objs/nginx /usr/local/nginx/sbin/nginx
- Run nginx -V; the configure arguments should now include --with-http_ssl_module
- Restart nginx
The steps above were taken from:
Adding modules to an nginx that was compiled and installed from source
Adding modules
(Note: the original article has a typo; "--with_http_ssl_module" should be "--with-http_ssl_module".)
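One check worth doing before the rebuild, as an added example that is not from the original post or from the referenced articles: read the "configure arguments" line of nginx -V and append --with-http_ssl_module only when it is missing, so the new ./configure keeps every module the current binary was built with instead of only --prefix and the SSL module. The nginx -V text below is a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example: build a ./configure argument list that preserves the
# existing nginx build options and adds --with-http_ssl_module if absent.
# Running ./configure with only --prefix and --with-http_ssl_module would
# silently drop any other module the current binary was compiled with.

# Constructed sample of `nginx -V` output (the real command writes to stderr,
# so capture it with `nginx -V 2>&1`).
SAMPLE_V='nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_gzip_static_module'

# configure_args_of <nginx -V text>: echo only the configure arguments line.
configure_args_of() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# has_ssl_module <nginx -V text>: succeed if the build already has the module.
has_ssl_module() {
    case " $(configure_args_of "$1") " in
        *" --with-http_ssl_module "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssl_configure_args <nginx -V text>: echo the existing arguments with
# --with-http_ssl_module appended when it is not already present.
ssl_configure_args() {
    args=$(configure_args_of "$1")
    if has_ssl_module "$1"; then
        printf '%s\n' "$args"
    else
        printf '%s\n' "${args:+$args }--with-http_ssl_module"
    fi
}

# Against the live binary this would be:
#   ./configure $(ssl_configure_args "$(nginx -V 2>&1)") && make
echo "./configure $(ssl_configure_args "$SAMPLE_V")"
```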
Problem 3: with the two problems above solved, certbot now runs, but another problem appeared. When enabling HTTPS for my domain I got this error:
Failed authorization procedure. allenmind.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: allenmind.cn
   Type:   connection
   Detail: Connection refused

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Solution:
- This error most likely means your nginx is still running; you need to stop the nginx server (./nginx -s stop)!!!! (I was stuck on this for ages!!!!)
- If that still doesn't work, it may be a firewall problem. Solution: enable the firewall, then open ports 80 and 443 (see Problem 4)
Problem 4: FirewallD is not running
Solution reference 1
Open port 443: firewall-cmd --zone=public --add-port=443/tcp --permanent
Open port 80: firewall-cmd --zone=public --add-port=80/tcp --permanent
Problem 5:
Failed authorization procedure. allenmind.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: allenmind.cn
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Problem 6: configuring nginx.conf
There is not much to configure, because certbot has already done it for you. If you look at your nginx.conf, you will find the server block has probably been modified like this:
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/coolshell.cn/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/coolshell.cn/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

# Redirect non-https traffic to https
if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot
Problem 7:
If you hit this error:
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Solution:
Kill the programs occupying ports 80 and 443 with these commands:
sudo fuser -k 80/tcp
sudo fuser -k 443/tcp