Tutorial: obtaining a free Let's Encrypt SSL certificate in an LNMP environment

# yum install epel-release

//install the EPEL repository (certbot is packaged there, not in the base CentOS repositories)

# yum install certbot

//install certbot, the Let's Encrypt client that requests and renews certificates

# nginx -s stop

//stop nginx: the standalone authenticator used below has to bind the port itself

# certbot certonly --standalone-supported-challenges http-01

//issue the certificate with domain validation over port 80
or

# certbot certonly --standalone-supported-challenges tls-sni-01

//issue the certificate with domain validation over port 443

Note: both command lines are from an old certbot release. The --standalone-supported-challenges flag was replaced by --preferred-challenges, and Let's Encrypt retired the tls-sni-01 challenge in 2019, so on a current certbot the equivalent is # certbot certonly --standalone --preferred-challenges http, which still needs port 80 free.

  • certbot then asks how to validate the domain. Option 1 places a file under the web root (webroot); I chose option 2, which spins up a temporary web server (standalone), since nginx is stopped anyway.
  • Next it asks for an administrative email address. Let's Encrypt uses it for the account (recovery) and for expiry and security notices.
  • Agree to the terms of service.
  • Enter the domain names the certificate should cover: www.thefox.cn thefox.cn
  • If everything checks out it reports: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.thefox.cn/fullchain.pem. Issuance is done; the matching private key is privkey.pem in the same directory.
  • For the DHE cipher suites, generate Diffie-Hellman parameters (these are not a certificate) with openssl and reference them in nginx: # openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 (the bit length comes last; 2048 bits takes a few minutes). Use at least 2048 bits, since 1024-bit groups are considered breakable (Logjam).
# nginx -t

//test the nginx configuration before restarting; a missing file or a certificate/key mismatch shows up here

# systemctl start nginx

//start nginx again

Here is my nginx site configuration, with HSTS, pseudo-static rewrite rules and the HTTP-to-HTTPS 301 redirect enabled.

    # Port 80 catch-all: its only job is to send every request to HTTPS.
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;            # "ssl on;" is deprecated; enable TLS on the listen socket instead
        server_name www.thefox.cn thefox.cn;
        root /usr/share/nginx/html;   # one document root, shared by static files and PHP
        gzip  on;

        ssl_certificate      /etc/letsencrypt/live/www.thefox.cn/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/www.thefox.cn/privkey.pem;
        ssl_dhparam          /etc/ssl/certs/dhparam.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2;
        # Forward-secret and AEAD suites first. 3DES (DES-CBC3-SHA) suites are excluded: 64-bit block cipher, SWEET32.
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        keepalive_timeout 70;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # HSTS with includeSubDomains and preload is a long-lived commitment: every subdomain
        # must already serve HTTPS, and a preload-list entry is hard to get removed again.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        # Wildcard CORS is rarely needed on a blog. Browsers reject Access-Control-Allow-Credentials
        # together with Access-Control-Allow-Origin "*", so the credentials header is not sent.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,HEAD';
        #charset koi8-r;
        #access_log  /var/log/nginx/log/host.access.log  main;

        # Pseudo-static front controller: serve the file or directory index if it exists,
        # otherwise hand the request to index.php (replaces the if/rewrite chain).
        location / {
            index  index.html index.htm index.php;
            try_files $uri $uri/ /index.php$is_args$args;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }

        # pass the PHP scripts to the FastCGI server listening on 127.0.0.1:9000
        location ~ \.php(/|$) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            set $path_info $fastcgi_path_info;   # try_files below would otherwise clear it
            # Refuse requests whose script file does not exist. Without this, and with
            # cgi.fix_pathinfo=1 in php.ini, a request for /uploads/x.jpg/a.php makes PHP
            # walk back the path and execute the uploaded x.jpg as PHP code.
            try_files $fastcgi_script_name =404;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO       $path_info;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
  

# certbot renew

//renews every certificate that is within 30 days of expiry and does nothing for the others

  • So that renewal is never forgotten, add it to the crontab: # crontab -e and insert
    0 3 * * * certbot renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"
    then save and exit. This runs the check once a day at 03:00. A schedule that fires only on the first day of every third month (0 0 1 */3 *) does not work with 90-day certificates: certbot renews only when fewer than 30 days remain, so a run that still sees 31 or more days does nothing, and by the next run three months later the certificate has expired. A daily run is harmless because it is a no-op until renewal is due, and the hooks, which stop nginx so the standalone listener can bind port 80, fire only when a renewal is actually attempted. Exercise the hooks once with # certbot renew --dry-run.
  • For more on crontab syntax, see # more /etc/crontab.
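
The checks a practitioner wants after the Congratulations step and before trusting the cron job, as an added example that is not code from the original post or from certbot: it confirms that privkey.pem really belongs to fullchain.pem (the failure nginx -t reports as a key mismatch) and reproduces certbot's 30-day renewal rule with openssl to show why a quarterly schedule lets a 90-day certificate lapse. It assumes only that openssl is on the PATH. The certificates it creates are constructed self-signed stand-ins (CN www.example.test is a placeholder) for /etc/letsencrypt/live/www.thefox.cn/fullchain.pem and privkey.pem, and WORK, make_test_cert, cert_matches_key, renewal_due and valid_at_next_run are names chosen here.

```shell
#!/bin/sh
# Post-issuance checks and a "renewal due?" test mirroring certbot's 30-day rule.
# Added example, not from the original post or from certbot. The certificates
# generated here are constructed self-signed stand-ins for the Let's Encrypt
# fullchain.pem / privkey.pem; only `openssl` is needed, no certbot or network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a 2048-bit RSA key plus a self-signed certificate
# that expires in $2 days (89 = freshly issued 90-day cert, 45 = mid-life).
make_test_cert() {  # make_test_cert <name> <days>
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Check 1: does privkey.pem belong to fullchain.pem? nginx refuses to start on a
# mismatch, so compare the public key embedded in the certificate with the one
# derived from the private key (SHA-256 of the SubjectPublicKeyInfo PEM).
cert_matches_key() {  # cert_matches_key <cert.pem> <key.pem>; exit 0 = match
    c=$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Check 2: is renewal due? `certbot renew` acts only when fewer than 30 days
# remain. `openssl x509 -checkend N` exits 1 when the cert expires within N
# seconds, so its negation means "due".
renewal_due() {  # renewal_due <cert.pem> [threshold_days, default 30]; exit 0 = due
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Check 3: will the certificate still be valid when the next cron run comes?
# This is the step a quarterly "0 0 1 */3 *" schedule gets wrong for 90-day certs.
valid_at_next_run() {  # valid_at_next_run <cert.pem> <interval_days>; exit 0 = still valid
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone demonstration on the constructed certificates.
demo() {
    make_test_cert fresh 89     # just issued
    make_test_cert aging 45     # 45 days of validity left
    make_test_cert other 60     # unrelated key, used to show a mismatch

    if cert_matches_key "$WORK/fresh.pem" "$WORK/fresh.key"; then
        echo "fresh: privkey matches fullchain"
    fi
    if ! cert_matches_key "$WORK/fresh.pem" "$WORK/other.key"; then
        echo "fresh cert + other key: MISMATCH, nginx -t would fail"
    fi
    if renewal_due "$WORK/fresh.pem"; then
        echo "fresh: renewal due"
    else
        echo "fresh: nothing to do, certbot renew is a no-op today"
    fi
    if ! renewal_due "$WORK/aging.pem"; then
        echo "aging: 45 days left, skipped by certbot renew today"
    fi
    if ! valid_at_next_run "$WORK/aging.pem" 91; then
        echo "aging: expired before a quarterly cron fires again -> run certbot renew daily"
    fi
}

demo
```

On the real server, point cert_matches_key and renewal_due at the two files under /etc/letsencrypt/live/www.thefox.cn/ instead of the generated ones; the openssl x509 -checkend call is also a one-liner that fits a monitoring check.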