在Nginx上部署Let’s Encrypt证书

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

下面是我在Nginx服务器上部署它提供的SSL证书的过程：

安装git

apt-get update
apt-get install git

1 2	apt-get update apt-get install git

下载安装Let’s Encrypt源码，在etc目录下部署代码

cd /usr/
git clone https://github.com/letsencrypt/letsencrypt letsencrypt

1 2	cd /usr/ git clone https://github.com/letsencrypt/letsencrypt letsencrypt

SSL证书部署时需要关闭Nginx服务器。

service nginx stop
netstat -na | grep ':80.*LISTEN'
# return null if nginx has stopped

service nginx stop

netstat -na | grep ':80.*LISTEN'

# return null if nginx has stopped

生成SSL证书

cd /usr/letsencrypt
./letsencrypt-auto certonly --standalone

1 2	cd /usr/letsencrypt ./letsencrypt-auto certonly --standalone

之后将初始化简单的图形界面以安装SSL证书，需要填写域名信息

zivers.com www.zivers.com

1	zivers.com www.zivers.com

看到一下文字时说明证书生成成功

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zivers.com/fullchain.pem. Your cert will
   expire on 2016-04-22. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at

/etc/letsencrypt/live/zivers.com/fullchain.pem. Your cert will

expire on 2016-04-22. To obtain a new version of the certificate in

the future, simply run Let's Encrypt again.

- If you like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

从以上信息中，可以看见，证书被存储到了以下目录

/etc/letsencrypt/live/zivers.com/
#证书路径
/etc/letsencrypt/live/zivers.com/fullchain.pem

/etc/letsencrypt/live/zivers.com/

#证书路径

/etc/letsencrypt/live/zivers.com/fullchain.pem

修改Nginx配置

加入ssl证书信息，并写入rewrite规则

server {
        listen 80;
        server_name zivers.com;
        rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;
}
server {
        listen 80;
        server_name www.zivers.com;
        rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;
}

server {
        listen 443 ssl;
        server_name zivers.com;

        ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;
}

server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        root /var/www/zivers.com;
        index index.php;

        server_name www.zivers.com;
        ...
}

server {

listen 80;

server_name zivers.com;

rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;

}

server {

listen 80;

server_name www.zivers.com;

rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;

}

server {

listen 443 ssl;

server_name zivers.com;

ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;

}

server {

listen 443 ssl;

ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

root /var/www/zivers.com;

index index.php;

server_name www.zivers.com;

...

}

ZIVER'S

在Nginx上部署Let’s Encrypt证书

暂无评论

发表评论取消回复

发表评论 取消回复

发表评论取消回复