nginx: enabling a Let's Encrypt certificate to serve your site over HTTPS
System: CentOS 6
Downloading the Let's Encrypt client
First, install git:
yum install -y git
Then check out the Let's Encrypt client source:
git clone https://github.com/letsencrypt/letsencrypt
That gives us the Let's Encrypt client.
Issuing the certificate
First, stop Nginx. The command for that depends on your environment, so follow the instructions for your own setup.
If you are not sure whether anything is still listening, run
netstat -naltp | grep ':80.*LISTEN'
netstat -naltp | grep ':443.*LISTEN'
to check: when both commands return nothing, no program is listening on ports 80 or 443.
Note: whatever is listening on port 443 must be stopped as well.
Next, change into the Let's Encrypt directory:
cd letsencrypt
Run the standalone plugin:
./letsencrypt-auto certonly --standalone
or, with the contact e-mail and the domains given on the command line:
./letsencrypt-auto certonly --standalone --email admin@thing.com -d thing.com -d www.thing.com
During the run you are asked to agree to the terms of use and to enter your domain name.
If you see the text below, the certificate was generated successfully:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/gfwss.top/fullchain.pem. Your cert will
expire on 2017-05-07. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew all of your certificates, run
"letsencrypt-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to liuyanhlr@qq.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
This text tells you where the certificate is stored and when it expires.
In my case it is stored at /etc/letsencrypt/live/example.com/fullchain.pem and expires on 19 March 2016.
Both the certificate file and the key file we need for the Nginx configuration are in that directory; fullchain.pem contains the site certificate together with its certificate chain.
Configuring Nginx
Edit your virtual host configuration file: in the listen directive change 80 to 443 and add ssl, then add the paths to our certificate and key below it.
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;   # path where the certificate was saved
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
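As an added example, not the post's own configuration or tooling: a small shell lint for the TLS directives above. It flags the deprecated TLS 1.0 and 1.1 entries in ssl_protocols (both retired by RFC 8996) and an ssl_certificate that does not point at fullchain.pem, since a server that sends only the leaf certificate fails validation on clients that do not already have the intermediate. The two sample server blocks are constructed: the first copies the post's directives, the second is an assumed corrected baseline with TLS 1.2 only (TLS 1.3 can be added where nginx and OpenSSL support it, which the OpenSSL 1.0.1 shipped with CentOS 6 does not).

```shell
#!/bin/sh
# Added example, not part of the original post: lint the TLS lines of an
# nginx server block for deprecated protocol versions and a certificate
# directive that does not include the chain.

# Constructed sample: the post's configuration (TLS 1.0 and 1.1 enabled).
PAGE_CONF='listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;'

# Constructed sample: assumed corrected baseline, TLS 1.2 only.
HARDENED_CONF='listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;'

# directive_value NAME < config -> value of the first "NAME value;" line.
# The mandatory whitespace after NAME keeps ssl_certificate from matching
# ssl_certificate_key.
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*/\1/p" | head -n 1
}

# lint_tls_config < config -> one finding per line; prints nothing when clean
lint_tls_config() {
    conf=$(cat)
    for proto in $(printf '%s\n' "$conf" | directive_value ssl_protocols); do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $proto" ;;
        esac
    done
    cert=$(printf '%s\n' "$conf" | directive_value ssl_certificate)
    case "$cert" in
        */fullchain.pem) ;;
        *) echo "ssl_certificate should point at fullchain.pem, got: $cert" ;;
    esac
}

# finding_count < config -> number of findings (0 means the block passed)
finding_count() {
    lint_tls_config | grep -c . || true
}

# Usage against a real file: lint_tls_config < /etc/nginx/conf.d/example.com.conf
printf '%s\n' "$PAGE_CONF" | lint_tls_config
```

Run it against the live virtual host file after every edit; a clean run prints nothing, and the post's block prints two findings, one per deprecated protocol.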
Forcing a redirect to HTTPS
server
{
listen 80;
return 301 https://example.com$request_uri;   # replace example.com with your domain
server_name example.com;
}
Then restart nginx.
Because Let's Encrypt certificates are valid for 90 days, they have to be renewed.
Automatic renewal
Stop nginx, then enter:
cd letsencrypt
./letsencrypt-auto renew
If you run a manual renewal before the certificate is due, the client reports that it has not expired yet and does not renew it.
In that case you can force the renewal:
./letsencrypt-auto renew --force-renewal
You can write a script and create a scheduled task so the renewal happens automatically at regular intervals.
For example:
#!/bin/bash
/etc/init.d/nginx stop                                    # free ports 80/443 for the standalone plugin
/root/letsencrypt/letsencrypt-auto renew --force-renewal
sleep 3
/etc/init.d/nginx restart                                 # bring the site back up with the renewed certificate
Configure crontab:
###https update###
# 03:00 on the first day of every month
0 3 1 * * /bin/bash /root/letsencrypt/autoupdate.sh
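The port check from the certificate-issuing section and the renewal script above can be combined into one wrapper. What follows is an added example, not the post's autoupdate.sh and not code from the Let's Encrypt client: the paths /root/letsencrypt, /etc/letsencrypt/live/example.com and /etc/init.d/nginx are assumptions taken from the post, GNU date and openssl are assumed to be installed (both are on CentOS 6), and the netstat lines are constructed. It only stops nginx when the certificate is actually inside the renewal window, refuses to start the standalone authenticator while something else still holds port 80 or 443, and brings nginx back whether or not the renewal succeeded. It does not pass --force-renewal: letsencrypt-auto renew already renews every certificate within 30 days of expiry and skips the rest, so forcing a fresh certificate on each run only spends Let's Encrypt's issuance rate limits.

```shell
#!/bin/bash
# Added example, not the post's script: renew only when due, check that
# ports 80/443 are free before the standalone plugin runs, and always
# restart nginx afterwards. Paths are assumptions; adjust them to your host.

LE_DIR=/root/letsencrypt                                # where the client was cloned
CERT=/etc/letsencrypt/live/example.com/fullchain.pem   # replace example.com
NGINX=/etc/init.d/nginx                                 # CentOS 6 init script
RENEW_DAYS=30                                           # renew when fewer days than this remain

# days_left NOTAFTER_EPOCH NOW_EPOCH -> whole days until expiry (negative once expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal DAYS -> true (0) when the certificate is inside the renewal window
needs_renewal() {
    [ "$1" -lt "$RENEW_DAYS" ]
}

# cert_notafter_epoch FILE -> the certificate's notAfter as a Unix timestamp.
# Assumes GNU date; openssl prints a line like "notAfter=May  7 12:00:00 2017 GMT".
cert_notafter_epoch() {
    date -d "$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')" +%s
}

# web_port_listeners < netstat-output -> number of sockets LISTENing on :80 or :443.
# ":8080" and ":8443" are not counted; the post's ':80.*LISTEN' pattern would match them.
web_port_listeners() {
    grep -cE '[^[:space:]]*:(80|443)[[:space:]].*LISTEN' || true
}

# Constructed "netstat -nltp" samples (not output from any real host).
NETSTAT_BEFORE='tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN      1234/nginx
tcp        0      0 0.0.0.0:443         0.0.0.0:*           LISTEN      1234/nginx
tcp        0      0 0.0.0.0:8080        0.0.0.0:*           LISTEN      2222/java'
NETSTAT_AFTER='tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN      900/sshd
tcp        0      0 0.0.0.0:8080        0.0.0.0:*           LISTEN      2222/java'

# renew_if_due -> 0 when nothing was due or the renewal succeeded, 1 otherwise
renew_if_due() {
    left=$(days_left "$(cert_notafter_epoch "$CERT")" "$(date +%s)")
    if ! needs_renewal "$left"; then
        echo "certificate has $left days left, nothing to do"
        return 0
    fi
    "$NGINX" stop
    if [ "$(netstat -nltp 2>/dev/null | web_port_listeners)" != 0 ]; then
        echo "ports 80/443 still in use, not starting the standalone authenticator" >&2
        "$NGINX" start
        return 1
    fi
    "$LE_DIR"/letsencrypt-auto renew
    rc=$?
    "$NGINX" start          # always bring the site back, even if the renewal failed
    return $rc
}

# Only touch nginx when invoked as "autoupdate.sh run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then
    renew_if_due
fi
```

Install it as /root/letsencrypt/autoupdate.sh and call it from cron with the argument run; a monthly schedule is then safe, because a run that finds more than 30 days left exits without stopping nginx at all.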
Last updated 2017-12-21 16:33:00; tagged "nginx https".
This site's content is published under the Creative Commons Attribution 4.0 International licence: it may be freely reproduced and quoted provided the author is credited and the source is cited.