Reposted from this Appinn (小众软件) article: http://www.appinn.com/use-letsencrypt-with-nginx/
Installation
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Configuration
Stop nginx and open ports 80 and 443 on the firewall, so that the ports are not already in use while the certificate is being requested.
nginx configuration:
server {
    listen 80;
    server_name www.test.com;
    root html;
    # Redirect every plain-HTTP request to HTTPS. A server-level "return" is
    # executed before any location is matched, so the "location /" below is
    # never reached for this server; ACME challenge requests on port 80 are
    # redirected to the 443 server as well, and Let's Encrypt follows that redirect.
    return 301 https://$host$request_uri;
    location / {
        index index.html index.php;
    }
}
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated; a current deployment should allow
    # only TLSv1.2 and TLSv1.3.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # Keep the ACME challenge path reachable so that webroot renewal works.
    location ~ /.well-known {
        allow all;
    }
}
Certificate renewal
1. Edit the configuration file
cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
Edit that file:
rsa-key-size = 4096
email = you@example.com
domains = www.test.com
# this path is used by the renewal script below
webroot-path = /usr/share/nginx/html
2. Download the script and make it executable:
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
chmod +x /usr/local/sbin/le-renew-webroot
The script first checks the certificate's expiry date; if the certificate is not close to expiring, it does not contact the Let's Encrypt server to request a renewal.
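A minimal renewal check in the same spirit as that script, added here as an example (it is not the gist script from the post): it reads the domain from the ini file, uses openssl's -checkend to decide whether the certificate is within the renewal window, and only then calls the client. The paths, the 30-day threshold and the flags of the old /opt/letsencrypt client are assumptions that follow the post's layout.

```shell
#!/bin/sh
# Added example, not the post's le-renew-webroot script. Paths and the
# 30-day threshold are assumptions matching the post's layout.
LE_PATH="/opt/letsencrypt"
CONFIG_FILE="/usr/local/etc/le-renew-webroot.ini"
EXP_LIMIT_DAYS=30

# First name on the "domains = a, b" line of the ini file; that name is the
# directory Let's Encrypt creates under /etc/letsencrypt/live/.
domain_from_config() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$1" \
        | cut -d, -f1 | tr -d '[:space:]'
}

# Returns 0 if the certificate in $1 expires within $2 days, 1 if it stays
# valid beyond that, 2 if the file cannot be parsed. "openssl x509 -checkend"
# exits 0 only when the certificate will NOT expire within the given seconds.
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Contacts the CA only when the certificate is close to expiry, as the post
# describes; the client flags are those of the old /opt/letsencrypt client.
renew_if_needed() {
    domain=$(domain_from_config "$CONFIG_FILE")
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"
    cert_expires_within "$cert" "$EXP_LIMIT_DAYS"
    case $? in
        0)
            echo "certificate for $domain expires within $EXP_LIMIT_DAYS days, renewing"
            "$LE_PATH/letsencrypt-auto" certonly -a webroot --agree-tos \
                --renew-by-default --config "$CONFIG_FILE" || return 1
            nginx -s reload
            ;;
        1)
            echo "certificate for $domain is not due for renewal, nothing to do"
            ;;
        *)
            echo "cannot read certificate $cert" >&2
            return 2
            ;;
    esac
}

# Run only when invoked with "renew" (e.g. from cron), so the functions can
# also be sourced for testing.
[ "${1:-}" = "renew" ] && renew_if_needed
```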