[root@ImmenseGargantuan-VM certbot]# ./certbot-auto certonly --email kf@kaifashuo.com --agree-tos --no-eff-email --webroot -w /home/kaifashuo -d kaifashuo.com -d kaifashuo.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kaifashuo.com
http-01 challenge for kaifashuo.com
Using the webroot path /home/kaifashuo for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. kaifashuo.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kaifashuo.com/.well-known/acme-challenge/SRzxeQBHFnYjbPFRC9PsoMaUYSxd2gNaFBI5obt9DSI: Connection refused, kaifashuo.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kaifashuo.com/.well-known/acme-challenge/xJlFrUFHPaJNlKxXgPlKuF_q9lXhAy-KFvVy-RFp35Y: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: kaifashuo.com
Type: connection
Detail: Fetching
http://kaifashuo.com/.well-known/acme-challenge/SRzxeQBHFnYjbPFRC9PsoMaUYSxd2gNaFBI5obt9DSI:
Connection refused
Domain: kaifashuo.com
Type: connection
Detail: Fetching
http://kaifashuo.com/.well-known/acme-challenge/xJlFrUFHPaJNlKxXgPlKuF_q9lXhAy-KFvVy-RFp35Y:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Since there is an error, it has to be dealt with: delete all certbot and letsencrypt files and reinstall certbot.

The error itself already says what went wrong, though. The validation server's TCP connection to kaifashuo.com port 80 was refused, so nothing was accepting HTTP on that host at the time (or a firewall was rejecting it). The webroot authenticator depends on a web server that is already serving /home/kaifashuo on port 80; reinstalling certbot cannot change that. What makes the second attempt below succeed is the switch to --standalone, where certbot listens for the challenge itself (in that run on port 443 via tls-sni-01, a challenge type Let's Encrypt has since removed; a standalone run today uses http-01 and must be able to bind port 80, so nginx has to be stopped first or --pre-hook/--post-hook used at renewal). Note also that rm -rf /etc/letsencrypt below discards the ACME account key and any certificates and private keys already issued, which is why the second run registers a new account.
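Before deleting anything, the failure can be reproduced from the host itself. The following script is an added example, not part of the original post and not certbot's code: it parses the summary line certbot printed above, states what each ACME error means for a webroot setup, and then performs the two steps the validation server performs, a TCP connect to port 80 and a fetch of a token file from the webroot. It uses only the Python standard library; the sample text is the failure line from this page, and the loopback web server in the self-check is an assumed stand-in for nginx so that the script runs offline.

```python
"""Triage for a failed certbot http-01 (webroot) run: parse the failure
summary, explain it, and reproduce the CA's view from the host.
Added example, not certbot code. Standard library only."""
from __future__ import annotations

import http.server
import re
import socket
import tempfile
import threading
import urllib.request
from functools import partial
from pathlib import Path
from typing import Optional

# Constructed sample: the summary line certbot printed for the failed webroot run above.
SAMPLE_FAILURE = (
    "Failed authorization procedure. kaifashuo.com (http-01): urn:acme:error:connection "
    ":: The server could not connect to the client to verify the domain :: Fetching "
    "http://kaifashuo.com/.well-known/acme-challenge/SRzxeQBHFnYjbPFRC9PsoMaUYSxd2gNaFBI5obt9DSI: "
    "Connection refused, kaifashuo.com (http-01): urn:acme:error:connection :: The server "
    "could not connect to the client to verify the domain :: Fetching "
    "http://kaifashuo.com/.well-known/acme-challenge/xJlFrUFHPaJNlKxXgPlKuF_q9lXhAy-KFvVy-RFp35Y: "
    "Connection refused"
)

# One "<domain> (<challenge>): urn:acme:error:<type> :: ... Fetching <url>: <reason>" entry.
ENTRY_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"urn:acme:error:(?P<etype>[a-z]+) :: .*?Fetching (?P<url>https?://\S+?): "
    r"(?P<reason>.+?)(?=, [A-Za-z0-9.-]+ \(|$)"
)


def parse_failures(text: str) -> list[dict]:
    """Split certbot's failure summary into one dict per domain/challenge."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def explain(entry: dict) -> str:
    """What the CA's error means for a --webroot setup."""
    reason = entry["reason"].lower()
    if entry["etype"] == "connection" and "refused" in reason:
        return ("TCP connect to port 80 was actively refused: nothing listens on :80 at the "
                "address the name resolves to, or a firewall rejects it. "
                "Reinstalling certbot cannot change this.")
    if entry["etype"] == "connection":
        return "Port 80 was unreachable (timeout): check DNS A/AAAA records and packet filtering."
    if entry["etype"] == "unauthorized":
        return ("Port 80 answered but did not serve the token: the webroot given with -w is not "
                "what the web server serves for this name.")
    return f"Unhandled ACME error type {entry['etype']!r}: {entry['reason']}"


def port_open(host: str, port: int, timeout: float = 3.0) -> Optional[bool]:
    """True if a TCP handshake completes, False if refused, None if unreachable/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return False
    except OSError:
        return None


def challenge_served(webroot: str, base_url: str, token: str = "preflight-token") -> bool:
    """Write a throwaway token where certbot would put it and fetch it back over
    plain HTTP, the way the CA does. The file is removed afterwards."""
    directory = Path(webroot) / ".well-known" / "acme-challenge"
    directory.mkdir(parents=True, exist_ok=True)
    token_file = directory / token
    body = b"preflight-ok"
    token_file.write_bytes(body)
    try:
        url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status == 200 and resp.read() == body
    except OSError:  # includes urllib's URLError/HTTPError and socket timeouts
        return False
    finally:
        token_file.unlink(missing_ok=True)


def serve_dir_locally(directory: str) -> tuple[http.server.ThreadingHTTPServer, str]:
    """Throwaway loopback web server (assumed stand-in for nginx) for an offline
    self-check; returns (server, base_url). Call server.shutdown() when done."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for e in parse_failures(SAMPLE_FAILURE):
        print(f"{e['domain']} {e['challenge']} {e['etype']}: {e['reason']}\n  -> {explain(e)}")
    # Offline self-check: a loopback server serving a temporary webroot.
    with tempfile.TemporaryDirectory() as webroot:
        server, base = serve_dir_locally(webroot)
        print("loopback port open:", port_open("127.0.0.1", server.server_address[1]))
        print("token served from webroot:", challenge_served(webroot, base))
        server.shutdown()
    # The real check for the page's host: False here is exactly what the CA reported.
    print("kaifashuo.com:80 reachable:", port_open("kaifashuo.com", 80))
```

For a real pre-flight, point `challenge_served` at the public name (`challenge_served("/home/kaifashuo", "http://kaifashuo.com")`) from a host outside the server's own network; a True there is what the CA needs before `certbot-auto certonly --webroot` can pass.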
[root@ImmenseGargantuan-VM certbot]# rpm -qa |grep letsencrypt
[root@ImmenseGargantuan-VM certbot]# rpm -qa |grep certbot
[root@ImmenseGargantuan-VM certbot]# ll /etc/letsencrypt/
total 12
drwx------ 3 root root 4096 Oct 10 22:26 accounts
drwxr-xr-x 2 root root 4096 Oct 10 22:26 renewal
drwxr-xr-x 5 root root 4096 Oct 10 22:26 renewal-hooks
[root@ImmenseGargantuan-VM certbot]# find / -name letsencrypt
/opt/eff.org/certbot/venv/bin/letsencrypt
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/letsencrypt
/root/.local/share/letsencrypt
/var/log/letsencrypt
/var/lib/letsencrypt
/etc/letsencrypt
[root@ImmenseGargantuan-VM certbot]# rm -rf /opt/eff.org/certbot/venv/bin/letsencrypt /opt/eff.org/certbot/venv/lib/python2.7/site-packages/letsencrypt /root/.local/share/letsencrypt /var/log/letsencrypt /var/lib/letsencrypt /etc/letsencrypt
[root@ImmenseGargantuan-VM certbot]# find / -name letsencrypt
[root@ImmenseGargantuan-VM certbot]# find / -name certbot
/opt/eff.org/certbot
/opt/eff.org/certbot/venv/bin/certbot
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot
/usr/local/src/certbot
/usr/local/src/certbot/certbot
[root@ImmenseGargantuan-VM certbot]# rm -rf /opt/eff.org/certbot /opt/eff.org/certbot/venv/bin/certbot /opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot /usr/local/certbot/
Re-clone and install certbot (certbot-auto, used here, has since been deprecated by the project; current installs use the distribution package or the snap).
[root@ImmenseGargantuan-VM src]# git clone https://github.com/certbot/certbot.git (clone the certbot source)
Cloning into 'certbot'...
remote: Counting objects: 49913, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 49913 (delta 14), reused 16 (delta 7), pack-reused 49882
Receiving objects: 100% (49913/49913), 15.47 MiB | 5.65 MiB/s, done.
Resolving deltas: 100% (35736/35736), done.
[root@ImmenseGargantuan-VM src]# cd certbot/
[root@ImmenseGargantuan-VM certbot]# ./certbot-auto certonly --standalone --email kf@kaifashuo.com -d kaifashuo.com -d kaifashuo.com
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: pubmirrors.dal.corespace.com
* elrepo: repos.lax-noc.com
* epel: mirror.hmc.edu
* extras: mirror.keystealth.org
* updates: mirror.sjc02.svwh.net
Package gcc-4.8.5-16.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-2.el7_4.1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-8.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-8.el7.x86_64 already installed and latest version
Package libffi-devel-3.0.13-18.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-76.el7.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-71.el7.noarch already installed and latest version
Package python-2.7.5-58.el7.x86_64 already installed and latest version
Package python-devel-2.7.5-58.el7.x86_64 already installed and latest version
Package python-virtualenv-1.10.1-4.el7.noarch already installed and latest version
Package python-tools-2.7.5-58.el7.x86_64 already installed and latest version
Package python2-pip-8.1.2-5.el7.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a (agree to the Terms of Service)
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n (whether to receive mailings and the like)
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for kaifashuo.com
tls-sni-01 challenge for kaifashuo.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES: (if this reads Congratulations, issuance succeeded)
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/kaifashuo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/kaifashuo.com/privkey.pem
Your cert will expire on 2018-01-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Configure the nginx configuration file
[root@ImmenseGargantuan-VM ~]# cat /etc/nginx/conf.d/kaifashuo.conf
server {
listen 80 default_server;
server_name kaifashuo.com kaifashuo.com;
return 301 https://www.kaifashuo.com$request_uri;
}
server {
listen 443 ssl http2 default_server;
server_name kaifashuo.com kaifashuo.com;
ssl_certificate /etc/letsencrypt/live/kaifashuo.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kaifashuo.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/kaifashuo.com/chain.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_tickets on;
resolver 223.5.5.5 223.6.6.6;
# TLSv1 and TLSv1.1 are left as in the original; SSL Labs has capped servers that still offer them at grade B since 2020, so remove them unless legacy clients need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Earlier list, disabled: it allowed RC4 and excluded AES-GCM.
# ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
# The RSA+ entries (no forward secrecy) and the 3DES entries exist only for old clients.
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
return 444;
}
location / {
root /home/kaifashuo;
index index.php index.html index.htm;
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php$1 last;
}
}
location ~* \.(eot|otf|ttf|woff|woff2|svg)$ {
root /home/kaifashuo;
add_header Access-Control-Allow-Origin *;
# add_header is not inherited once a location defines its own, so HSTS is repeated here; otherwise fonts are served without it.
add_header Strict-Transport-Security max-age=15768000;
}
# Dot escaped and pattern anchored: the original ".(ico|...)" matched any character before the extension, anywhere in the URI.
location ~* \.(ico|gif|bmp|jpg|jpeg|png|swf|js|css|mp3)$ {
root /home/kaifashuo;
expires 30d;
}
# location ~ \.php$ {
location ~ .*\.php(\/.*)*$ {
# root is needed here so that try_files below checks the real document root.
root /home/kaifashuo;
# Hardening added here: split "/index.php/user/42" into script "/index.php" and PATH_INFO "/user/42" in nginx rather than leaving it to PHP's cgi.fix_pathinfo, which (unless php-fpm's security.limit_extensions blocks it) would walk "/uploads/x.jpg/y.php" back to x.jpg and run it as PHP.
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Only hand over scripts that actually exist under root.
try_files $fastcgi_script_name =404;
# fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/dev/shm/php7-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /home/kaifashuo$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
}
}
Go to SSL Labs to check the security grade of the HTTPS configuration; mine was A+.