Enabling a Let's Encrypt certificate on nginx to serve your website over HTTPS

System: CentOS 6

Download the Let's Encrypt client

First, install git:
yum install -y git
Then check out the source of the Let's Encrypt client:
git clone https://github.com/letsencrypt/letsencrypt
With that, the Let's Encrypt client has been downloaded.

Issue the certificate

First, stop Nginx. The command for stopping it differs between environments, so consult the documentation for your own setup.
If you are unsure whether anything is still listening, check with:
netstat -naltp | grep ':80.*LISTEN'
netstat -naltp | grep ':443.*LISTEN'
Note: any program listening on port 443 must be stopped as well.
When both commands return nothing, no process is listening on port 80 or 443.
Next, enter the Let's Encrypt directory:
cd letsencrypt

Run the Standalone plugin

./letsencrypt-auto certonly --standalone
or, supplying the contact e-mail and domains on the command line instead of being prompted:
./letsencrypt-auto certonly --standalone --email admin@thing.com -d thing.com -d www.thing.com
During the process you will be asked to accept the terms of use and to enter your domain name.
If you see the following text, the certificate was generated successfully:
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/gfwss.top/fullchain.pem. Your cert will
    expire on 2017-05-07. To obtain a new or tweaked version of this
    certificate in the future, simply run letsencrypt-auto again. To
    non-interactively renew all of your certificates, run
    "letsencrypt-auto renew"
  • If you lose your account credentials, you can recover through
    e-mails sent to liuyanhlr@qq.com.
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Donating to EFF: https://eff.org/donate-le
This text tells you where the certificate is stored and when it expires.
Mine is stored at /etc/letsencrypt/live/example.com/fullchain.pem and expires on 19 March 2016.
The certificate file and the key file used in the Nginx configuration both live in that directory; fullchain.pem contains the site certificate together with the intermediate chain.

Configure Nginx

Edit your virtual host configuration file: after listen, change 80 to 443 and add ssl, then add the paths of the certificate and the key below it.

    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;      # path where the certificate (fullchain.pem) is stored
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # path of the matching private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

Force redirection to HTTPS

server
{
    listen 80;
    server_name example.com;                        # replace example.com with your domain
    return 301 https://example.com$request_uri;     # permanent redirect of every HTTP request to HTTPS
}

Restart nginx and you are done.
Because Let's Encrypt certificates are valid for only 90 days, they have to be renewed.

Automatic renewal

Stop nginx, then run:
cd letsencrypt
./letsencrypt-auto renew
If you renew manually before the certificate is due, you will get a message that it is not yet up for renewal and nothing is renewed.
In that case you can force the renewal:
./letsencrypt-auto renew --force-renewal
You can put this in a script and create a scheduled task so that renewal happens automatically.
For example:

#!/bin/bash
# Stop nginx so the standalone plugin can bind ports 80 and 443
/etc/init.d/nginx stop
# Renew all certificates managed by the client, even if not yet due
/root/letsencrypt/letsencrypt-auto renew --force-renewal
sleep 3
# Bring nginx back up with the renewed certificate
/etc/init.d/nginx restart

Configure crontab (the original line "* * * */1 *" runs every minute, which would stop nginx constantly; the intended schedule is once a month):

###https update###
0 3 1 * * /bin/bash /root/letsencrypt/autoupdate.sh
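An expiry-driven variant of the renewal script above, added here as an example and not part of the original post: it only stops nginx and runs `renew` when the certificate is within 30 days of expiry, so it can be scheduled daily without `--force-renewal`. The paths /etc/letsencrypt/live/example.com and /root/letsencrypt are assumptions.

```bash
#!/bin/bash
# Expiry-driven renewal for the Let's Encrypt certificate configured above.
# Added example; CERT and LE_DIR are assumed paths, adjust to your setup.
set -eu

CERT=/etc/letsencrypt/live/example.com/fullchain.pem   # assumed live cert path
LE_DIR=/root/letsencrypt                               # assumed client checkout
THRESHOLD_DAYS=30                                      # renew when under 30 days remain

# Returns 0 when the certificate expires within $2 days (renewal is due),
# 1 when it stays valid longer than that. openssl x509 -checkend exits 0
# if the certificate will still be valid after the given number of seconds.
needs_renewal() {
    local cert="$1" days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert"; then
        return 1
    fi
    return 0
}

# Prints the expiry date, e.g. "notAfter=May  7 12:00:00 2017 GMT".
cert_expiry() {
    openssl x509 -enddate -noout -in "$1"
}

# Stop nginx only when renewal is actually due (the standalone plugin needs
# ports 80/443), and abort if another process still holds those ports.
renew_if_needed() {
    if ! needs_renewal "$CERT" "$THRESHOLD_DAYS"; then
        echo "certificate still valid ($(cert_expiry "$CERT")), nothing to do"
        return 0
    fi
    /etc/init.d/nginx stop
    if netstat -naltp | grep -Eq ':(80|443) .*LISTEN'; then
        echo "ports 80/443 still in use; aborting" >&2
        /etc/init.d/nginx start
        return 1
    fi
    "$LE_DIR/letsencrypt-auto" renew     # no --force-renewal: renews only what is due
    /etc/init.d/nginx start
}

# Run as: autoupdate.sh run   (functions can also be sourced for testing)
case "${1:-}" in
    run) renew_if_needed ;;
esac
```

Schedule it daily (for example `0 3 * * * /bin/bash /root/letsencrypt/autoupdate.sh run`); on most days it exits without touching nginx.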
