参考博客:
https://www.jianshu.com/p/8f591692d1ed?tdsourcetag=s_pctim_aiomsg
https://www.cnblogs.com/ghjbk/p/6744131.html
使用Let’s Encrypt获取免费证书
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
webroot 模式
这种方式生成的证书可以给多个二级域名使用,这种方式需要验证443端口,如果端口被占用会失败,如果提示congratulations,则表示成功
./letsencrypt-auto certonly --webroot --webroot-path /usr/share/nginx/html -d yourDomain --agree-tos --email your@email.com
报错:challenge failed for domain xxx.xxx.cn
detail:Invalid response from http://xxx.xxx.cn/.well-known/acme-challenge/…
解决方法:检查域名是否有效,修改执行方式为:
./letsencrypt-auto certonly -w 项目源路径 -d xxx.xxx.cn
获取成功后,会输出类似如下内容:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for cjli.info
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourDomain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourDomain/privkey.pem
Your cert will expire on 2018-07-30. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
生成 dhparam
为了进一步提高安全性,建议为 nginx 再生成 2048 位 DH parameters:
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
nginx 部署 ssl 证书
server{
listen 443 ssl;
#ssl on;
ssl_certificate youdomain/fullchain.pem;
ssl_certificate_key youdomain/privkey.pem;
server_name xxx.xxx.cn;
location / {
proxy_pass http://xxx:xx;
}
若要同时监听http和https,把ssl on;这行去掉,将ssl写在443后面,否则只需要写listen ssl;
证书续期
由于 Let’s Encrypt 颁发的服务器证书有效期只有 90 天,因此如果需要长期使用,就有必要设置好自动续期。
通过 letsencrypt-auto 工具,手动续期命令为:
./letsencrypt-auto renew
而所谓的自动续期,就是自动定时执行上面手动获得证书的操作,对于 Linux 来说,可以使用 crontab。
echo '@monthly root /path/to/letsencrypt-auto certonly --webroot --webroot-path /usr/share/nginx/html -d yourDomain --agree-tos --email your@email.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | tee --append /etc/crontab
开启Nginx的SSL模块
Nginx如果未开启SSL模块,配置Https时提示错误
nginx: [emerg] the “ssl” parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
切换到源码包:
cd /usr/local/src/nginx-1.11.3
查看nginx原有的模块
/usr/local/nginx/sbin/nginx -V
在configure arguments:后面显示的原有的configure参数如下:
--prefix=/usr/local/nginx --with-http_stub_status_module
那么我们的新配置信息就应该这样写:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
运行上面的命令即可,等配置完
配置完成后,运行命令
make
这里不要进行make install,否则就是覆盖安装
然后备份原有已安装好的nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
然后将刚刚编译好的nginx覆盖掉原有的nginx(这个时候nginx要停止状态)
cp ./objs/nginx /usr/local/nginx/sbin/
然后启动nginx,仍可以通过命令查看是否已经加入成功
/usr/local/nginx/sbin/nginx -V
Nginx 配置SSL安全证书重启避免输入密码
可以用私钥来做这件事。生成一个解密的key文件,替代原来key文件。
openssl rsa -in server.key -out server.key.unsecure
Nginx SSL性能调优
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
7901
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
