Let's Encrypt is a non-profit certificate authority that provides TLS certificates for 180 million websites
Install letsencrypt
apt install letsencrypt
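Generate the certificate files needed for SSL

Note: stop nginx before generating the certificate (the --standalone mode starts its own temporary web server and needs the port nginx is listening on)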

letsencrypt certonly --standalone --email your@mail.com -d text1.com -d text2.com
On success the output looks like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx/fullchain.pem. Your cert
will expire on 2020-05-19. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le
The certificate is valid for only 90 days. The command for free renewal is as follows
letsencrypt certonly --renew-by-default --email your@mail.com -d text1.com -d text2.com
Configure a crontab scheduled task for automatic renewal
Write the automatic renewal script, updateHttps.sh
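#!/bin/sh
# Stop nginx so the renewal can bind to the port nginx normally uses
sudo service nginx stop

/usr/bin/letsencrypt certonly --renew-by-default --email your@mail.com -d text1.com -d text2.com

# Bring nginx back up
sudo service nginx start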
crontab -e
# Run once a month, at 00:00 on the 1st
0 0 1 * * /realpath/updateHttps.sh
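A variant of updateHttps.sh, added here as an example and not part of the original post: it skips the renewal (and the nginx downtime) while the certificate has more than 30 days left, and starts nginx again even when the renewal fails. The certificate path, the 30-day threshold and the --run argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run from root's crontab.
# Assumed values: certificate path, 30-day threshold, the "--run" argument.
CERT="${CERT:-/etc/letsencrypt/live/text1.com/fullchain.pem}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"

# Succeeds (exit 0) when the certificate should be renewed: the file is
# missing, unreadable, or expires within the given number of days.
needs_renewal() {
    cert="$1"
    days="$2"
    [ -f "$cert" ] || return 0
    # "openssl x509 -checkend N" exits 0 only if the certificate is still
    # valid N seconds from now; any other outcome means "renew".
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stops nginx, runs the renewal command from the post, and starts nginx
# again whether or not the renewal succeeded. Returns the renewal status.
renew_with_restart() {
    service nginx stop || return 1
    rc=0
    letsencrypt certonly --renew-by-default --email your@mail.com \
        -d text1.com -d text2.com || rc=$?
    service nginx start || return 1
    return "$rc"
}

main() {
    if needs_renewal "$CERT" "$RENEW_BEFORE_DAYS"; then
        renew_with_restart
    else
        echo "certificate valid for more than $RENEW_BEFORE_DAYS days, skipping"
    fi
}

# Only act when called as "updateHttps.sh --run", so that sourcing the
# file to reuse the functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

With this variant the cron entry calls /realpath/updateHttps.sh --run, and it can be scheduled more often than monthly because it only contacts Let's Encrypt when the certificate is close to expiry.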
Modify nginx.conf to add https
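server {
    # Force redirect to https
    if ($scheme = http) {
       return 301 https://$server_name$request_uri;
    }

    # Port 80 must be served by this block for the redirect above to apply
    listen 80;
    listen 443 ssl;
    # $server_name in the redirect resolves to the first name listed here
    server_name text1.com text2.com;
    ssl_certificate   /etc/letsencrypt/live/text1.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/text1.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

}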
