配置nginx的SSL；解决nginx重启报错“See "systemctl status nginx.service" and "journalctl -xe" for details.”

【ubuntu18.04操作系统】

顶级域名www.xxx.com 绑定的公司的网站，公司做了一个微信小程序，需要用到https  443这个端口，经过讨论后，申请了一个二级域名，在nginx的配置文件里添加以下这一段：

server {
 listen 443;
 server_name image.xxx.com;
 ssl on;
 index index.html index.htm;
 ssl_certificate   cert/2684208__xxx.com.pem;
 ssl_certificate_key  cert/2684208__xxx.com.key;
 ssl_session_timeout 5m;
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 location / {
                        proxy_pass http://127.0.0.1:8854; #反向代理的地址
                        proxy_http_version 1.1; #配置参数（重要）
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
 }
}

server {
    listen 80; 
    server_name image.xxx.com;  #你的域名
    rewrite ^(.*)$ https://$host$1 permanent;  #把http的域名请求转成https
}

购买顶级域名后需要修改为以下配置

server {
    listen       443 ssl;
    server_name    www.xxx.com; #绑定的域名
        ssl on;
    ssl_certificate      cert/2684208__xxx.com.pem; #证书文件
    ssl_certificate_key  cert/2684208__xxx.com.key;
    ssl_session_timeout  5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #使用此加密套件
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用该协议进行配置
   ssl_prefer_server_ciphers  on;
   location / {
       root html;
       index  index.html index.htm;
   }
}

server {
    listen 80; 
   server_name www.xxx.com;  #你的域名
    rewrite ^(.*)$ https://$host$1 permanent;  #把http的域名请求转成https
}

server {
 listen 443;
 server_name *.xxx.com;
 index index.html index.htm;
 ssl_certificate   cert/2684208__xxx.com.pem;
 ssl_certificate_key  cert/2684208__xxx.com.key;
 ssl_session_timeout 5m;
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 location / {
                        proxy_pass http://127.0.0.1:8811; #反向代理的地址
                        proxy_http_version 1.1; #配置参数（重要）
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
 }
}

server {
    listen 80; 
    server_name *.xxx.com;  #你的域名
    rewrite ^(.*)$ https://$host$1 permanent;  #把http的域名请求转成https
}

把申请的SSL证书文件解压后放在/etc/nginx/cert/这个目录下即可，cert为自己创建的目录。

 重启nginx后算是image.xxx.com的https已经成功。可以在浏览器访问进行测试：此处不再累述

此处说下SSL证书，为阿里云申请的免费版，这个申请比较简单，不懂的可以问阿里云客服。只可以绑定一个细域名。这点很坑，强烈建议买付费的通配符域名，2年也就1800左右，因为公司不只一个域名需要https，如果公司的俩个域名都需要https就的做俩次，需要3个就的做三次，太过麻烦了。本人就是因为就是因为第一次用了免费的SSL证书，没过俩天另一个域名也需要https。于是乎，买了一个通配符域名，在配置好文件后，重启nginx报错：root@iZ8vbbqx6mnq6cgu4465jeZ:/etc/nginx/cert# /etc/init.d/nginx start
[....] Starting nginx (via systemctl): nginx.serviceJob for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
 failed!
开始排查，看日志报错,用命令systemctl status nginx.service

root@iZ8vbbqx6mnq6cgu4465jeZ:/etc/nginx/cert# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabl
   Active: failed (Result: exit-code) since Tue 2019-08-20 23:40:04 CST; 8s ago
     Docs: man:nginx(8)
  Process: 24821 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --p
  Process: 25716 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=e
  Process: 25715 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on
 Main PID: 682 (code=exited, status=0/SUCCESS)

Aug 20 23:40:02 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: Starting A high performance web
Aug 20 23:40:02 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.
Aug 20 23:40:02 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.
Aug 20 23:40:03 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.
Aug 20 23:40:03 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] still could no
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: nginx.service: Control process 
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: nginx.service: Failed with resu
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: Failed to start A high performa
lines 1-19/19 (END)...skipping...
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-08-20 23:40:04 CST; 8s ago
     Docs: man:nginx(8)
  Process: 24821 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 25716 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
  Process: 25715 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 682 (code=exited, status=0/SUCCESS)

Aug 20 23:40:02 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: Starting A high performance web server and a reverse proxy server...
Aug 20 23:40:02 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Aug 20 23:40:02 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Aug 20 23:40:03 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Aug 20 23:40:03 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ nginx[25716]: nginx: [emerg] still could not bind()
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: nginx.service: Failed with result 'exit-code'.
Aug 20 23:40:04 iZ8vbbqx6mnq6cgu4465jeZ systemd[1]: Failed to start A high performance web server and a reverse proxy server.
发现443进程被占用，

因为之前的二级域名做https的用的就是443端口，关闭nginx后，系统里的443端口的进程，处于以下状态

root@iZ8vbbqx6mnq6cgu4465jeZ:~# netstat -anpt|grep 443
tcp        0      0 x.x.x.x:443             x.x.x.x:*               LISTEN      10722/java          
tcp        0      0 x.x.x.x:443        x.x.x.x:51414     FIN_WAIT2   -                   
tcp        0      0 x.x.x.x:443        x.x.x.x:51413     FIN_WAIT2   - 

服务器的nginx服务停掉后，进程处于等待状态，并且占用端口

root@iZ8vbbqx6mnq6cgu4465jeZ:~# lsof -i tcp:443  ##此命令用于查看端口被占用的进程

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    10722 root   24u  IPv4 179636      0t0  TCP *:https (LISTEN)

用此命令杀死进程kill -9 10722
重启nginx 

ok完工！

最后提醒下：阿里云下载的证书不能直接使用。需要把key的内容拼接到以.pem的文件里才可以使用，不然配置完，http的请求无法到达的