nginx 配置lets Encrypt永久免費SSL證書過程教程
阿新 • • 發佈:2018-11-21
雲服務商:阿里雲
伺服器:針對Nginx伺服器;
假設域名:example.com www.example.com
假設IP:137.137.137.137
1,先安裝nginx伺服器
sudo apt-get install nginx sudo service nginx start
2,安裝letsencrypt
sudo apt-get install letsencrypt
3,簽發證書
很簡單,直接執行letsencrypt命令即可
sudo letsencrypt certonly --webroot -w /var/www/html -d example.com -d www.example.com
4,git clone專案
首先安裝git 和bc ,並從github上將程式碼克隆到本地
sudo git clone https://github.com/certbot/certbot /opt/certbot-master
5,安裝依賴 ---這裡指的是centeros
sudo /opt/certbot-master/letsencrypt-auto --help –standalone –email 郵箱地址(郵箱地址是用來接收緊急通知和找回金鑰的) –d 域名
中間會出現介面驗證你的郵箱地址是否有效
命令完成後,最新版本的證書位置:/etc/letsencrypt/live/域名
cert.pem 申請的伺服器證書檔案
privkey.pem 伺服器證書對應的私鑰
chain.pem 除伺服器證書外,瀏覽器解析所需的其他全部證書,比如根證書和中間證書
fullchain.pem 包含伺服器證書的全部證書鏈檔案
配置nginx,需要生成dhparam.pem檔案
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
6,在nginx裡面配置
一般情況下只需要privkey.pem和fullchain.pem這兩個就夠了
server { listen443 ssl; server_name 域名; ssl_certificate /etc/letsencrypt/live/域名/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/域名/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; # The rest of your server block root /path/to/root; index index.html index.htm; location / { try_files $uri $uri/ =404; } }
7,配置完成後
配置完成後重啟nginx
在谷歌瀏覽器中輸入域名,谷歌瀏覽器檢視詳情
或者通過此網址查詢:https://www.ssllabs.com/ssltest/analyze.html?d=域名
8,自動續期
自動續期問題:(注意關閉nginx)輸入
./letsencrypt-auto renew 手動續期會發現提示還未到期,無法續期
強制更新續期
./letsencrypt-auto renew --force-renewal
這樣的話就顯示續期成功
可以寫一個指令碼,建立個定時任務,定期自動續期。