申请腾讯免费个人SSL && 配置 https

申请免费1年SSL文件

1- 首先去腾讯云申请
2- 然后解析域名获取认证
3- 下载.key和.crt 两个文件.

配置SSL

方法1: 按照腾讯云有个问题. 如果root放html默认是在/usr/localhost/nginx/html目录下,如果换目录提示403

server {
        listen 443;
        server_name www.domain.com; #填写绑定证书的域名
        ssl on;
        ssl_certificate 1_www.domain.com_bundle.crt;
        ssl_certificate_key 2_www.domain.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置
        ssl_prefer_server_ciphers on;
        location / {
            root   html; #站点目录
            index  index.html index.htm;
        }
    }

方法2: 直接lnmp安装目录,只是安装好了需另外修改下.crt和.key的路径. 默认只到目录位置.为后续方便,整体代码都贴上.

server
    {
        listen 80;
        #listen [::]:80;
        server_name json.video ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/json.video;

        include other.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/json.video.log;
    }

server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name json.video ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/json.video;
        ssl on;
        ssl_certificate /home/sslkey/1_json.video_bundle.crt;
        ssl_certificate_key /home/sslkey/2_json.video.key; 
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        include other.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/json.video.log;
    }

重定向https:

在http的server里增加

rewrite ^(.*) https://$host$1 permanent;

---

提示500错误

在index.php中加入以下2行并重启lnmp环境

error_reporting(E_ALL);
ini_set('display_errors', 'On');

如果是提示open_basedir() 问题, 则在以下路径 /usr/local/nginx/conf/fastcgi.conf
文件最下面修改为以下

# fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:tmp/:/proc/';
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:tmp/:/proc/:/home/wwwroot/default/basic/';

配置完ssl 无法重启nginx,https配置失效

重启nginx提示以下

Stoping nginx... nginx: [emerg] PEM_read_bio_X509_AUX("/home/sslkey") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
 failed. Use force-quit

原因可能是2个.
1- 默认的lnmp只加了路径,文件名没有加上去.

ssl_certificate /home/key_dir/1_json.video_bundle.crt;
ssl_certificate_key /home/key_dir/2_json.video.key;

2- 可能是crt生成时候里面没有换行.