Setting up HTTPS access with Ubuntu 14.04 + Nginx + Let's Encrypt on Alibaba Cloud


Reference pages:

https://certbot.eff.org/#ubuntutrusty-nginx

http://bbs.qcloud.com/thread-12059-1-1.html

http://www.cnblogs.com/yanghuahui/archive/2012/06/25/2561568.html

http://www.jb51.net/os/Ubuntu/323696.html

 

1. Download Let's Encrypt (certbot)

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

  If add-apt-repository cannot be found, install the following first:

apt-get install python-software-properties
apt-get install software-properties-common

2. Generate the key and certificate

certbot certonly --standalone -d example.com -d www.example.com

On success, output like the following is displayed:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/【your domain here】/fullchain.pem. Your cert will
   expire on 【expiry date here】. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

  The content highlighted in red in the original post is used in the next step.

3. Configure nginx

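        listen 443 ssl;
        # Certificate chain and private key written by certbot in step 2
        ssl_certificate /etc/letsencrypt/live/【your domain here】/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/【your domain here】/privkey.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if old clients must connect
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        listen [::]:443 ssl ipv6only=on;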

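  Note that the two paths here (highlighted in red in the original post) point to different files: fullchain.pem for ssl_certificate and privkey.pem for ssl_certificate_key.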

4. Restart (reload) nginx

nginx -s reload

  Accessing the site over https now succeeds.

  Accessing the site over http fails. Error: ERR_CONNECTION_REFUSED

5. Redirect http requests to https

server {
        listen 80;
        server_name 【your domain here】;
        rewrite ^(.*) https://$server_name$1 permanent;
}

  Accessing the site over http again now succeeds.
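
The checks implied by steps 3 and 5, as an added example that is not part of the original post: a small Python script that reads an nginx configuration and reports a certificate and key that point to the same file, a plain-HTTP server block with no https redirect, and deprecated protocol versions in ssl_protocols (TLS 1.0 and 1.1 were deprecated by RFC 8996). The sample configuration, the example.com domain and the function names are constructed for illustration.

```python
import re

# Constructed sample: the step 3 and step 5 settings with a placeholder domain.
SAMPLE = """
server {
    listen 80;
    server_name example.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: see RFC 8996

def server_blocks(conf):
    """Yield the body of every server { ... } block, found by brace matching."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(body, name):
    """Arguments of the first `name ...;` directive in body, or [] if absent."""
    m = re.search(r"(?:^|[;{}\s])%s\s+([^;]+);" % re.escape(name), body)
    return m.group(1).split() if m else []

def audit(conf):
    """Return a list of findings for the checks described in steps 3 and 5."""
    findings = []
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        if any("ssl" in args.split() for args in listens):
            cert, key = (directive(body, n) for n in ("ssl_certificate", "ssl_certificate_key"))
            if cert and cert == key:
                findings.append("ssl_certificate and ssl_certificate_key are the same file")
            weak = DEPRECATED & set(directive(body, "ssl_protocols"))
            if weak:
                findings.append("deprecated protocols enabled: " + ", ".join(sorted(weak)))
        elif not re.search(r"\b(?:rewrite|return)\b[^;]*https://", body):
            findings.append("plain-HTTP server block does not redirect to https")
    return findings
```

Calling audit() on the text of your own site configuration returns an empty list when none of the three conditions is present.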

 

At this point the configuration is complete, as shown in the figure below.

 

 

* Let's Encrypt certificates are valid for only 90 days. Renew them with the following commands:

certbot renew --dry-run 
certbot renew

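  Before doing this, stop nginx first (certbot's --standalone mode, used in step 2, runs its own temporary web server and needs the port nginx is listening on):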

nginx -s stop

 When restarting nginx you may run into an error like [error] open() "/run/nginx.pid" failed (2: No such file or directory). The fix is as follows (reference: http://blog.csdn.net/llnara/article/details/8691049):

nginx -c /etc/nginx/nginx.conf

 

 

You are welcome to visit my website: https://maomishen.com/

