
[Solved] Adding HTTPS/SSL support to crifan.com on a Linode CentOS server


Previously I did:

【记录】从fzhost搬家crifan.com到Linode的Atlanta的VPS

and during that move let LNMP generate the SSL certificate automatically:

【记录】Linode的CentOS中去初始化和配置LNMP

which failed:

Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.crifan.com
http-01 challenge for crifan.com
Using the webroot path /home/wwwroot/www.crifan.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.crifan.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.crifan.com/.well-known/acme-challenge/4IXUqR6devmWQPYOovfuizaNddZ72FgmLQIFmtDyeKU: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", crifan.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://crifan.com/.well-known/acme-challenge/S0KJCVsOxImUbRHVMR6q3xnPrDmF2-icl1Tu_D2BvGQ: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
– The following errors were reported by the server:
   Domain: www.crifan.com
   Type:   unauthorized
   Detail: Invalid response from
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"
   Domain: crifan.com
   Type:   unauthorized
   Detail: Invalid response from
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
– Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
Let’s Encrypt SSL Certificate create failed!
================================================
Virtualhost infomation:
Your domain: www.crifan.com
Home Directory: /home/wwwroot/www.crifan.com
Rewrite: wordpress
Enable log: no
Database username: crifan_wp_db
Database userpassword: xxx
Database Name: crifan_wp_db
Create ftp account: no
Enable SSL: yes
  =>Let’s Encrypt
================================================
[root@crifan lnmp1.4]#

Why it is worth getting https working on crifan.com now:

the site already had https before, so

the posts that show up in Google searches all point at https addresses,

so without https support a lot of links on the web simply will not open

-> only I know that changing https to http in the address makes them open; other visitors do not.

Reading the error above, what happened is:

the domain had not been moved over yet at the time, so when the certificate was being created automatically, the http-01 validation request for

https://crifan.com/.well-known/acme-challenge/S0KJCVsOxImUbRHVMR6q3xnPrDmF2-icl1Tu_D2BvGQ

was answered by the old server, which did not have the token and returned 404 (certbot's note about the DNS A/AAAA records says as much), because at that point

https://crifan.com

did not reach this machine at all.

-> so now that it does, perhaps running the same step again is enough?
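Before re-running the LNMP step it is worth reproducing the validation yourself. The script below is an added example, not code from the original post or from LNMP/certbot: it does what Let's Encrypt does for an http-01 challenge (a token is placed under the webroot's .well-known/acme-challenge/ and then fetched through the domain name over plain HTTP), so a 404 like the one in the log shows up before certbot is involved. The domain and webroot in the usage line are the ones from this post; the fetch function is injectable so the comparison logic can be exercised without a server.

```python
"""Pre-flight check for an ACME http-01 challenge (added example, not part of
the original post or of LNMP/certbot).

certbot's webroot plugin writes a token file under
<webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it through
the domain name over plain HTTP.  The 404 in the log above is what that
fetch returns when the name still resolves to the old host, or when the
nginx vhost answering for the name does not serve this webroot.  This script
reproduces the CA's side of the check: write a random token, fetch it via
the domain, compare."""
import os
import secrets
import socket
import sys
import urllib.request
from typing import Callable, Optional, Set

CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Body of url, or None on any HTTP/connection error (the CA fails on
    those too; a 404 page body would never match the token anyway)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def resolve(domain: str) -> Set[str]:
    """Every address the name currently resolves to; compare with the
    server's public IP before running certbot (empty set = no record)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(domain, 80)}
    except socket.gaierror:
        return set()


def preflight_http01(domain: str, webroot: str,
                     fetch: Callable[[str], Optional[str]] = http_fetch) -> dict:
    """Place a token under the webroot, fetch it the way the CA would, and
    report whether the served body is the token.  The file is removed
    afterwards, like certbot's "Cleaning up challenges"."""
    token = secrets.token_urlsafe(32)          # same alphabet as ACME tokens
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w", encoding="ascii") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        body = fetch(url)
    finally:
        os.remove(token_file)
    ok = body is not None and body.strip() == token
    return {"url": url, "ok": ok, "served": None if body is None else body[:80]}


if __name__ == "__main__":
    # defaults are the domain and webroot from this post (assumed paths)
    domain, webroot = (sys.argv[1:3] if len(sys.argv) == 3
                       else ("www.crifan.com", "/home/wwwroot/www.crifan.com"))
    print(f"{domain} resolves to: {sorted(resolve(domain)) or 'nothing'}")
    result = preflight_http01(domain, webroot)
    print(("OK: " if result["ok"] else "FAIL: ") + result["url"])
    if not result["ok"]:
        print("served:", result["served"])
```

Run it as root on the new server (it needs write access to the webroot) once the A record points at this box. If the name already resolves here and the check still fails with a 404, the usual causes are another server block answering for that hostname, or a deny rule for dot-paths (a `location ~ /\.` block) hiding the .well-known directory; `nginx -T` shows the merged configuration to check against.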

Searched for:

lnmp https

LNMP + Let’s Encrypt HTTPS 网站配置 – 简书

LNMP安装Let’s Encrypt 免费SSL证书方法:自动安装与手动配置Nginx | 免费资源部落

“2. Things to watch when letting LNMP install Let’s Encrypt automatically

1. LNMP’s automatic Let’s Encrypt install has to validate the domain, so point the domain at your VPS in advance; only then can the automatic install succeed.”

LNMP一键包环境安装SSL安全证书且部署HTTPS网站URL过程 | 老左博客

lnmp ssl unauthorized Invalid response from

So there seem to be two options:

one, copy the SSL certificate for crifan.com over from the old fzhost server and install it by hand;

two, use LNMP’s ssl management to regenerate the certificate and the related configuration.

Trying the second one first.

lnmp ssl

ssl – LNMP一键安装包

LNMP添加、删除虚拟主机及伪静态使用教程 – LNMP一键安装包

建议用户更新Let’sEncrypt SSL证书续期规则 – LNMP一键安装包

Re-adding SSL here also happens to sidestep that renewal-rule upgrade issue.

LNMP下Nginx如何设置域名301重定向 – LNMP一键安装包

If the configuration needs changes later, refer back to this post.

LNMP V1.4一键快速部署Let’s Encrypt免费SSL证书 | 老左博客

[root@crifan www.crifan.com]# lnmp help
+——————————————-+
|    Manager for LNMP, Written by Licess    |
+——————————————-+
|              https://lnmp.org             |
+——————————————-+
Usage: lnmp {start|stop|reload|restart|kill|status}
Usage: lnmp {nginx|mysql|mariadb|php-fpm|pureftpd} {start|stop|reload|restart|kill|status}
Usage: lnmp vhost {add|list|del}
Usage: lnmp database {add|list|edit|del}
Usage: lnmp ftp {add|list|edit|del|show}
Usage: lnmp ssl add

Let’s try adding the ssl:

[root@crifan www.crifan.com]# lnmp ssl add
+——————————————-+
|    Manager for LNMP, Written by Licess    |
+——————————————-+
|              https://lnmp.org             |
+——————————————-+
Please enter domain(example: www.lnmp.org):www.crifan.com
Your domain: www.crifan.com
Enter more domain name(example: lnmp.org *.lnmp.org): crifan.com
domain list: crifan.com
Please enter the directory for domain www.crifan.com: /home/wwwroot/www.crifan.com
Allow Rewrite rule? (y/n) y
Please enter the rewrite of programme,
wordpress,discuz,typecho,sablog,typecho rewrite was exist.
(Default rewrite: other): wordpress
You choose rewrite: wordpress
Allow access log? (y/n) n
Disable access log.
1: Use your own SSL Certificate and Key
2: Use Let’s Encrypt to create SSL Certificate and Key
Enter 1 or 2: 2
Please enter your email address: [email protected]
It will be processed automatically.
You select the exist rewrite rule:/usr/local/nginx/conf/wordpress.conf
Test Nginx configure file……
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx……
/bin/certbot [found]
Starting create SSL Certificate use Let’s Encrypt…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.crifan.com
http-01 challenge for crifan.com
Using the webroot path /home/wwwroot/www.crifan.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.crifan.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.crifan.com/privkey.pem
   Your cert will expire on 2017-12-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
– If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
no crontab for root
Add Let’s encrypt crontab renew rule…
no crontab for root
Let’s Encrypt SSL Certificate create successfully.
Create dhparam.pem…
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
……………++*++*
Test Nginx configure file……
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx……

And it seems to work:

Checking, there is indeed a crontab entry for renewing the certificate automatically:

[root@crifan www.crifan.com]# crontab -l
0 3 */7 * * /bin/certbot renew --disable-hook-validation --renew-hook "/etc/init.d/nginx reload"

Opening the https address now works:

But:

typing crifan.com in Safari redirects to https automatically,

while Chrome does not,

so the nginx configuration still needs updating to force https.

Also:

neither Safari nor Chrome shows the padlock that marks a secure site:

whereas Baidu, for comparison, does get the padlock:

Later I noticed the hint in the console log:

i.e. part of the content on the https page is still loaded over http, so the page is not fully secure and the 🔒 icon is not shown.

Restarting LNMP to try again

[root@crifan www.crifan.com]# lnmp restart
+——————————————-+
|    Manager for LNMP, Written by Licess    |
+——————————————-+
|              https://lnmp.org             |
+——————————————-+
Stoping LNMP…
Stoping nginx…  done
Shutting down MySQL.. SUCCESS!
Gracefully shutting down php-fpm . done
Starting LNMP…
Starting nginx…  done
Starting MySQL.. SUCCESS!
Starting php-fpm  done

Then check the effect in the browser again:

Same problem:

So a 301 forcing http to https looks necessary.

the page at was allowed to display insecure content from
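The console message above means the HTML served over https still references sub-resources by http:// URLs. A 301 on the server fixes how the page is entered; the padlock also needs every script, stylesheet, frame, image and media URL in the markup to be https (or protocol-relative or path-only). The scanner below is an added example, not code from the original post or from LNMP: it lists the offending URLs in a page so they can be corrected in the site settings or post content. SAMPLE_HTML is constructed for the demo and its hostnames are placeholders.

```python
"""Mixed-content scanner (added example, not part of the original post).

Finds sub-resource references that use http:// in an HTML document.  Plain
<a href> links are navigation, not loads, so they are ignored; <link> only
counts when its rel actually triggers a fetch (stylesheet, icon, preload)."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# element -> attributes that trigger a sub-resource load
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # only for loading rels, see LOADING_RELS
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}
# browsers block active mixed content outright; passive content (images,
# media) is still loaded but the page loses its padlock
ACTIVE = {"script", "link", "iframe", "object", "embed"}
LOADING_RELS = {"stylesheet", "preload", "icon", "prefetch"}

Finding = Tuple[str, str, str]   # (tag, attribute, url)


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & LOADING_RELS:
                return   # canonical/alternate links are hints, not loads
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value.strip()])
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((tag, attr, url))


def scan_mixed_content(html: str) -> List[Finding]:
    """Every http:// sub-resource reference in the page, in document order."""
    parser = MixedContentScanner()
    parser.feed(html)
    return parser.findings


def classify(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split into what browsers block (active) and what only costs the padlock."""
    return {"active": [f for f in findings if f[0] in ACTIVE],
            "passive": [f for f in findings if f[0] not in ACTIVE]}


# constructed sample: a WordPress-style page with two leftover http:// references
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.test/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.test/post/">
<script src="https://www.example.test/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://www.example.test/wp-content/uploads/a.png">
<img src="//cdn.example.test/b.png" srcset="//cdn.example.test/b@2x.png 2x">
<a href="http://www.example.test/other/">a plain link is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for kind, items in classify(scan_mixed_content(SAMPLE_HTML)).items():
        for tag, attr, url in items:
            print(f"{kind:8} <{tag} {attr}> {url}")
```

On a live site, feed it the body of `curl -s https://www.crifan.com/` (or any post URL); for a WordPress install the usual sources of such URLs are the WordPress Address / Site Address settings and image links hard-coded with http:// inside old posts.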

lnmp 301 https

Nginx / LNMP 部署 SSL 证书并强制 301 重定向到 HTTPS – best66

Nginx rewrite 重定向自动识别 http/https – Coxxs

http跳转“https://”LNMP的301重定向设置 | 偶乃秋辰

The official site covers this itself:

LNMP下Nginx如何设置域名301重定向 – LNMP一键安装包

server {
    listen 443 ssl;
    server_name www.lnmp.org;
    # other directives omitted
}
server {
    listen 80;
    server_name www.lnmp.org;
}

But that felt a bit cumbersome, whereas the approach in:

LNMP V1.4一键快速部署Let’s Encrypt免费SSL证书 | 老左博客

is less work: test whether the scheme is http and return a 301 to https (body filled in from the rule applied later in this post):

if ($scheme = http) {
    return 301 https://$host$request_uri;
}

And here is another version that tests for port 80 and 301s:

LNMP + Let’s Encrypt HTTPS 网站配置 – 简书

root /home/wwwroot/lzres.win;
# add the following three lines here; leave the rest alone
if ($server_port = 80 ) {
    return 301 https://$host$request_uri;
}

Going with the $scheme approach.

First find the vhost’s conf file:

[root@crifan crifan_wwwroot]# ls /usr/local/nginx/conf/
codeigniter.conf  ecshop.conf               fastcgi_params          mime.types.default  sablog.conf          typecho.conf          wp2.conf
dabr.conf         enable-php.conf           fastcgi_params.default  nginx.conf          scgi_params          uwsgi_params
dedecms.conf      enable-php-pathinfo.conf  koi-utf                 nginx.conf.default  scgi_params.default  uwsgi_params.default
discuz.conf       enable-ssl-example.conf   koi-win                 none.conf           shopex.conf          vhost
discuzx.conf      fastcgi.conf              laravel.conf            pathinfo.conf       ssl                  win-utf
drupal.conf       fastcgi.conf.default      mime.types              phpwind.conf        typecho2.conf        wordpress.conf
[root@crifan crifan_wwwroot]# ls /usr/local/nginx/conf/vhost/www.crifan.com.conf -lha
-rw-r--r-- 1 root root 2.3K Sep  6 11:34 /usr/local/nginx/conf/vhost/www.crifan.com.conf

Then edit it:

vi /usr/local/nginx/conf/vhost/www.crifan.com.conf

Then restart LNMP (or just nginx):

[root@crifan crifan_wwwroot]# lnmp help
+——————————————-+
|    Manager for LNMP, Written by Licess    |
+——————————————-+
|              https://lnmp.org             |
+——————————————-+
Usage: lnmp {start|stop|reload|restart|kill|status}
Usage: lnmp {nginx|mysql|mariadb|php-fpm|pureftpd} {start|stop|reload|restart|kill|status}
Usage: lnmp vhost {add|list|del}
Usage: lnmp database {add|list|edit|del}
Usage: lnmp ftp {add|list|edit|del|show}
Usage: lnmp ssl add
[root@crifan crifan_wwwroot]# lnmp nginx restart
+——————————————-+
|    Manager for LNMP, Written by Licess    |
+——————————————-+
|              https://lnmp.org             |
+——————————————-+
Stoping nginx…  done
Starting nginx…  done

Then type into the browser:

www.crifan.com

crifan.com

and see whether they redirect to an https address.

Safari

does indeed redirect to https://www.crifan.com:

[Summary]

After LNMP was installed, the automatic SSL setup during vhost creation failed because DNS did not yet resolve the domain to the new server, so Let’s Encrypt’s http-01 validation was answered by the wrong host.

Re-adding SSL now is simple:

1. Add the certificate through LNMP

lnmp ssl add

and at the prompts enter

www.crifan.com

crifan.com

allow rewrite rules: y

default rewrite: wordpress

choose 2 (use Let’s Encrypt) to generate the certificate and key automatically

then enter your email address; the certificate is issued right away.

2. Let’s Encrypt certificates are valid for 90 days, not six months (the one issued here on 2017-09-06 expires on 2017-12-05), so they have to be renewed.

LNMP adds a crontab entry that runs certbot renew periodically; certbot only replaces certificates that are within 30 days of expiry, so the weekly run is sufficient.

Confirm the renewal job is really installed:

crontab -l

and check that a certbot renew line is present.

3. To have

www.crifan.com

crifan.com

redirect automatically to

https://www.crifan.com

set up a 301 redirect.

There are many ways; the simplest:

edit the nginx config file of your vhost:

vi /usr/local/nginx/conf/vhost/www.crifan.com.conf

In the existing server block that listens on port 80 for http (the https block that listens on port 443 comes right after it), add after

root  /home/wwwroot/www.crifan.com;

the lines:

        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }

What it means:

an http request gets a 301 to the same address under https. $host is the hostname the client asked for (www.crifan.com or crifan.com), so the nginx rule on its own sends crifan.com to https://crifan.com; to land on one canonical host in a single hop, put the literal name in the return instead, i.e. https://www.crifan.com$request_uri. $request_uri is the path plus query string exactly as it appeared in the request line, leading slash included; for

https://www.crifan.com/webpack_dev_server_open_home_page_cannot_get_slash_undefined/

it is /webpack_dev_server_open_home_page_cannot_get_slash_undefined/ (and for /?s=nginx it is /?s=nginx, which $uri would not keep).

Two caveats: because this server block listens only on port 80, $scheme is always http inside it, so a bare return 301 does the same job; and if TLS is ever terminated by a proxy in front of nginx, $scheme is http for every request and this rule loops.

The file then becomes:

server
    {
        listen 80;
        #listen [::]:80;
        server_name www.crifan.com crifan.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/www.crifan.com;
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
        include wordpress.conf;
        # ... rest of the block unchanged
}
server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name www.crifan.com crifan.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/www.crifan.com;
        ssl on;
        # ... rest of the block unchanged
}

That is all.
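To confirm the rule behaves as intended from the outside, the verifier below is an added example (not code from the original post or from LNMP). It sends one request at a time with redirects disabled so each hop's status and Location header are visible, then checks what the nginx rule is meant to guarantee: the first answer is a 301, the chain ends on https, path and query string survive (that is what $request_uri carries), the host is the expected one, and there is no loop. The request function is injectable so the logic can be exercised against canned responses; http_head is the real network version. Hostnames in the usage line are placeholders.

```python
"""Redirect verifier for an http -> https 301 rule (added example, not from
the original post).  Hops are collected one at a time with redirects
disabled so the first status and Location are visible, not just the final
page."""
import sys
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Optional[str]]          # (status, Location header)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                             # surface the 3xx instead of following


def http_head(url: str, timeout: float = 10.0) -> Response:
    """One HEAD request; redirects are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:         # urllib raises for an unfollowed 3xx
        return e.code, e.headers.get("Location")


def check_https_redirect(url: str, head: Callable[[str], Response] = http_head,
                         expect_host: Optional[str] = None, max_hops: int = 5) -> dict:
    """Follow redirects from url manually and report whether the chain has
    the properties a correct http->https rule gives: exactly one 301 hop,
    https at the end, host = expect_host (default: unchanged), path and
    query preserved, no loop."""
    start = urlsplit(url)
    hops: List[Tuple[str, int, Optional[str]]] = []
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        hops.append((current, status, location))
        if status not in (301, 302, 307, 308) or not location:
            break
        if any(location == seen for seen, _, _ in hops):
            return {"ok": False, "reason": "redirect loop", "hops": hops}
        current = location
    else:
        return {"ok": False, "reason": f"no final response after {max_hops} redirects", "hops": hops}

    final = urlsplit(current)
    problems = []
    if hops[0][1] != 301:
        problems.append(f"first response was {hops[0][1]}, not 301")
    if final.scheme != "https":
        problems.append("chain does not end on https")
    if final.hostname != (expect_host or start.hostname):
        problems.append(f"ended on host {final.hostname}")
    if (final.path, final.query) != (start.path, start.query):
        problems.append("path or query string not preserved")
    if len(hops) > 2:
        problems.append(f"{len(hops) - 1} redirects instead of 1")
    return {"ok": not problems, "reason": "; ".join(problems), "hops": hops}


if __name__ == "__main__":
    # placeholder URL; pass a real one on the command line
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.test/some/post/?p=1"
    result = check_https_redirect(target)
    for src, status, loc in result["hops"]:
        print(f"{status} {src} -> {loc or '(final)'}")
    print("OK" if result["ok"] else f"FAIL: {result['reason']}")
```

Run it against a deep URL with a query string, not just the front page, and against both hostnames; with expect_host="www.crifan.com" it will point out that the $host form leaves crifan.com on its own hostname, which a literal hostname in the return statement avoids.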

When reposting, please credit: 在路上 » [Solved] Adding HTTPS/SSL support to crifan.com on a Linode CentOS server
