Configure HTTPS for your website for free
Let's Encrypt is a non-profit certificate authority that provides TLS certificates to 180 million websites.
Install letsencrypt
apt install letsencrypt
Generate the certificate files needed for SSL
Note: stop nginx before generating. The --standalone mode runs its own temporary web server on port 80 to answer the validation challenge, so it fails if nginx is already bound to that port.
letsencrypt certonly --standalone --email your@mail.com -d text1.com -d text2.com
On success it prints the following:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx/fullchain.pem. Your cert
will expire on 2020-05-19. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate is only valid for 90 days. The command to renew it (free of charge) is:
letsencrypt certonly --renew-by-default --email your@mail.com -d text1.com -d text2.com
Set up a crontab scheduled task to renew automatically
Write the auto-renewal script, updateHttps.sh (nginx must be stopped again, because the standalone challenge needs port 80):
#!/bin/sh
sudo service nginx stop
/usr/bin/letsencrypt certonly --renew-by-default --email your@mail.com -d text1.com -d text2.com
sudo service nginx start
crontab -e
# fields: minute hour day-of-month month day-of-week; this runs once, at 03:00 on the 1st of every month
0 3 1 * * /realpath/updateHttps.sh
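A fuller version of updateHttps.sh, as an added example that is not part of the original post: it renews only when the certificate is within 30 days of expiry, and it restarts nginx even if letsencrypt fails. The certificate path, email and domains are the placeholders used in the commands above; CERT, RENEW_WINDOW_DAYS and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# updateHttps.sh, expanded: renew only when the certificate is close to
# expiry, and make sure nginx comes back up even if the renewal fails.
# Added example; the paths, EMAIL and domains below are placeholders.

CERT="${CERT:-/etc/letsencrypt/live/text1.com/fullchain.pem}"
EMAIL="${EMAIL:-your@mail.com}"
DOMAINS="-d text1.com -d text2.com"
RENEW_WINDOW_DAYS=30   # renew when fewer than this many days remain

# cert_expires_within FILE DAYS
# Returns 0 (true) when the certificate in FILE expires within DAYS days
# or cannot be read at all, 1 when it is still valid beyond that window.
# openssl's -checkend exits 0 only if the cert outlives the given seconds.
cert_expires_within() {
    file="$1"
    seconds=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$seconds" -in "$file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_with_nginx_down
# The --standalone challenge needs port 80, so nginx is stopped for the
# duration; the EXIT trap restarts it even if the script dies early.
renew_with_nginx_down() {
    sudo service nginx stop
    trap 'sudo service nginx start' EXIT
    # shellcheck disable=SC2086  # DOMAINS is intentionally word-split
    /usr/bin/letsencrypt certonly --renew-by-default --email "$EMAIL" $DOMAINS
    rc=$?
    sudo service nginx start
    trap - EXIT
    return "$rc"
}

main() {
    if cert_expires_within "$CERT" "$RENEW_WINDOW_DAYS"; then
        renew_with_nginx_down
    else
        echo "$CERT is valid for more than $RENEW_WINDOW_DAYS days, nothing to do"
    fi
}

# Only act when invoked with "run", so the file can be sourced for testing.
if [ "${1:-}" = "run" ]; then main; fi
```

Call it from cron as `/realpath/updateHttps.sh run`; because of the expiry check it is safe to schedule daily, and nginx is only stopped on the days a renewal actually happens.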
Edit nginx.conf and add HTTPS
server {
    listen 80;
    listen 443 ssl;
    server_name text1.com text2.com;
    # Force a redirect to https (the server must also listen on port 80 for this to fire,
    # and $server_name is empty unless a server_name directive is set)
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    ssl_certificate /etc/letsencrypt/live/text1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/text1.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 (and TLSv1.3 where supported) unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}