参考页面:
https://certbot.eff.org/#ubuntutrusty-nginx
http://bbs.qcloud.com/thread-12059-1-1.html
http://www.cnblogs.com/yanghuahui/archive/2012/06/25/2561568.html
http://www.jb51.net/os/Ubuntu/323696.html
1. 下载let's encrypt
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
无法找到add-apt-repository时,需要
apt-get install python-software-properties
apt-get install software-properties-common
2. 生成密钥
certbot certonly --standalone -d example.com -d www.example.com
执行成功会显示如下内容:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/【这里是你的域名】/fullchain.pem. Your cert will
expire on 【这里是到期时间】. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
红色内容在下一步会被使用。
3. 配置nginx
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/【这里是你的域名】/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/【这里是你的域名】/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;
请注意这里的两个红色路径所对应的文件不相同。
4. 重启nginx
nginx -s reload
这时通过https访问网站,访问成功。
通过http访问网站,失败。错误:ERR_CONNECTION_REFUSED
5. 重定向http访问到https
server {
listen 80;
server_name 【这里是你的域名】;
rewrite ^(.*) https://$server_name$1 permanent;
}
再次访问http,成功。
至此,配置完成。如下图
* let's encrypt 只有90天的期限,续期使用如下代码:
certbot renew --dry-run
certbot renew
此操作前,请先关闭nginx
nginx -s stop
重启nginx,可能会遇到 [error] open() "/run/nginx.pid" failed (2: No such file or directory) 这样的问题,解决方法如下(参考自:http://blog.csdn.net/llnara/article/details/8691049):
nginx -c /etc/nginx/nginx.conf
欢迎访问我的网站:https://maomishen.com/