# yum install epel-release
//安装yum扩展源
# yum install certbot
//安装证书自动生成工具
# nginx -s stop
//停止nginx服务准备签发证书
# certbot certonly --standalone-supported-challenges http-01
//签发证书通过80端口
或者
# certbot certonly --standalone-supported-challenges tls-sni-01
//签发证书通过443端口（注意：tls-sni-01 验证方式已被 Let's Encrypt 停用，新版 certbot 应改用 --preferred-challenges http 走 80 端口验证）
- 然后程序会提示选择验证方式,我懒得用 1.放置文件验证,所以我选择 2.直接用一个临时服务器验证
- 接着输入管理邮箱,我猜是用于进行证书的一些补颁发操作。
- 同意他们的协议
- 输入要签发证书的域名www.thefox.cn thefox.cn
- 然后如果无误会提示Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.thefox.cn/fullchain.pem.签发成功。
- 为了加强安全性,用openssl的dhparam生成一份 DH 参数文件(并非证书) # openssl dhparam 2048 -out /etc/ssl/certs/dhparam.pem,并且配置在nginx上。
# nginx -t
检测nginx配置
# systemctl start nginx
//重新打开nginx服务
这是我的nginx网站配置,已经开启了hsts和伪静态,301跳转。
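# Plain-HTTP listener whose only job is to send every request to the HTTPS
# virtual host below.  A server that listens only on :80 never has a TLS
# session, so the original `if ($ssl_protocol = "")` guard was always true;
# an unconditional return expresses the same thing without an `if` block.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    server_name www.thefox.cn thefox.cn;
    # `listen ... ssl` replaces the deprecated `ssl on;` directive
    # (removed in nginx 1.25.1); the effect is identical.
    listen 443 ssl;

    # NOTE(review): response compression over TLS exposes any reflected
    # secret in the body to BREACH-style attacks.  Kept as in the original;
    # consider disabling it for dynamic responses that embed per-user tokens.
    gzip on;

    # Let's Encrypt chain and private key as written by certbot.
    ssl_certificate     /etc/letsencrypt/live/www.thefox.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.thefox.cn/privkey.pem;
    # 2048-bit DH group used by the DHE-* suites below (from `openssl dhparam`).
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
    # Add TLSv1.3 here once nginx >= 1.13.0 is built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    # Same suite list as before minus the four 3DES (DES-CBC3) entries, which
    # are vulnerable to the SWEET32 birthday attack.  ECDHE/DHE suites come
    # first so forward secrecy is preferred; !DSS removes the DSA suites.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    keepalive_timeout 70;
    # One cache shared by all worker processes so any worker can resume a
    # session; entries live for 10 minutes.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS for two years on this host and every subdomain, flagged for the
    # browser preload lists.  Every subdomain must already serve valid HTTPS,
    # and preload-list inclusion is very hard to undo.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # CORS: the wildcard origin is kept from the original, but
    # `Access-Control-Allow-Credentials: true` is dropped -- browsers reject a
    # credentialed response whose allowed origin is `*`, so that header never
    # took effect and only advertised an intent to expose cookies cross-origin.
    add_header 'Access-Control-Allow-Origin'  '*';
    add_header 'Access-Control-Allow-Methods' 'GET,POST,HEAD';

    # One document root for every location below, so the static handler,
    # the error page and the PHP handler can never disagree about where
    # files live (the PHP block previously used a relative `root html;`
    # while hard-coding this absolute path in SCRIPT_FILENAME).
    root /usr/share/nginx/html;

    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;

    location / {
        index index.html index.htm index.php;
        # Front-controller routing, kept exactly as originally written:
        # directory index files first, then any request that is not a real
        # file is handed to /index.php.  (`try_files $uri $uri/ /index.php;`
        # is the idiomatic form; left unchanged so routing stays identical.)
        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename/index.php) {
            rewrite (.*) $1/index.php;
        }
        if (!-f $request_filename) {
            rewrite (.*) /index.php;
        }
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    # Served from the server-level root; nothing to override here.
    location = /50x.html {
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location / {
    #
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ .*\.php(\/.*)*$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # Only execute an existing .php file under the document root.
        # Without this check a request like /uploads/<file>/x.php still
        # reaches PHP-FPM, and with cgi.fix_pathinfo=1 PHP falls back to
        # running the uploaded file itself (the classic nginx + PHP-FPM
        # path-info issue).  Pattern taken from the nginx "pitfalls" page.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        # $document_root replaces the previously hard-coded directory, so the
        # script path always matches `root` above.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}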
# certbot renew
//用来续订证书
- 为了防止因为忘记续订证书,加入 crontabs 计划任务列表里 # crontab -e 编辑列表加入
0 0 1 */3 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
保存退出即可,上面这条计划任务每隔三个月自动续期一次证书 - 更多 crontabs 用法用 # more /etc/crontab 查看帮助