一、申请条件:
1.Linux服务器一台
2.可用域名并解析
二、下载cerbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
三、nginx为申请ssl证书准备配置,记得重启
server {
listen 80;
server_name www.test.com;
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /data1/webroot/certbot/www.test.com;
}
location / {
return 301 https://$http_host$request_uri;
}
}
四、申请ssl证书
certbot-auto --no-self-upgrade certonly --webroot -w /data1/webroot/certbot/www.test.com -d www.test.com
--webroot 证书存放目录
-d 替换为你自己的域名
如无意外,ssl证书就配置好了
五、nginx重新配置
增加443端口监听,增加ssl配置,并自动续期
server {
listen 443 ssl;
server_name www.test.com; //这里改为自己的域名
ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem; //这里的路径改之前配置的之前域名
ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem; //这里的路径改之前配置的之前域名
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 30m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
location ^~ /debug/ {
rewrite ^/debug/(.*)$ /$1 last;
}
access_log /var/log/nginx/test/access.log;
root /var/www/html/wordpress;
location / {
index index.html index.htm index.php;
}
location ~ \.php$ {
fastcgi_index index.php;
fastcgi_pass phpfpm:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /data/webroot/certbot/www.test.com; //这里的路径改之前配置的之前域名
}
}
server {
listen 80;
server_name www.test.com;
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /data/webroot/certbot/www.test.com; //这里的路径改之前配置的之前域名
}
location / {
return 301 https://$http_host$request_uri;
}
}
再重启nginx ,ssl证书就配置好了
六、遇到的坑
1. 第五步nginx预重启时,提示dhparam.pem不存在,执行以下命令
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
2.注意开放443端口