Deploying a Let’s Encrypt Certificate on Nginx

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

Here is how I deployed one of its SSL certificates on an Nginx server:

  • Install git
apt-get update
apt-get install git
  • Download the Let’s Encrypt source code and place it under /usr, as the commands below do
cd /usr/
git clone https://github.com/letsencrypt/letsencrypt letsencrypt
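  • Nginx must be stopped while the SSL certificate is issued, because the --standalone mode used below starts its own temporary web server for domain validation and needs the port Nginx is holding.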
service nginx stop
netstat -na | grep ':80.*LISTEN'
# prints nothing if nginx has stopped
  • Generate the SSL certificate
cd /usr/letsencrypt
./letsencrypt-auto certonly --standalone
  • A simple interactive interface then starts to guide the certificate installation; enter the domain names when prompted
zivers.com www.zivers.com
  • The following output means the certificate was generated successfully
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zivers.com/fullchain.pem. Your cert will
   expire on 2016-04-22. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • As the output above shows, the certificate was saved in the following directory
/etc/letsencrypt/live/zivers.com/
# certificate path
/etc/letsencrypt/live/zivers.com/fullchain.pem
  • Modify the Nginx configuration

Add the SSL certificate settings and write the rewrite rules:

server {
        listen 80;
        server_name zivers.com;
        rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;
}
server {
        listen 80;
        server_name www.zivers.com;
        rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;
}

server {
        listen 443 ssl;
        server_name zivers.com;

        ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        rewrite ^/(.*)$ https://www.zivers.com/$1 permanent;
}

server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        root /var/www/zivers.com;
        index index.php;

        server_name www.zivers.com;
        ...
}
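
A hardened variant of the configuration above, as an added example that is not the original author's configuration: it keeps the same hosts and certificate paths but serves only TLS 1.2 and 1.3 and restricts TLS 1.2 to ECDHE AEAD suites. Assumptions: the TLSv1.3 parameter needs nginx 1.13.0 or later built with OpenSSL 1.1.1 or later, and the cipher list, session settings and HSTS header are choices made for this example.

```nginx
# Added example. One port-80 block redirects both names to the canonical HTTPS host.
server {
        listen 80;
        server_name zivers.com www.zivers.com;
        # "return" avoids the regex match that "rewrite ^/(.*)$" performs per request.
        return 301 https://www.zivers.com$request_uri;
}

# Bare domain over HTTPS: complete the handshake, then redirect to www.
server {
        listen 443 ssl;
        server_name zivers.com;

        ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        return 301 https://www.zivers.com$request_uri;
}

server {
        listen 443 ssl;
        server_name www.zivers.com;

        ssl_certificate /etc/letsencrypt/live/zivers.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zivers.com/privkey.pem;

        # TLSv1 and TLSv1.1 from the listing above are dropped.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # TLS 1.2 suites: ECDHE key exchange with AES-GCM only. Leaving out the
        # EDH (DHE) suites means no ssl_dhparam file has to be generated.
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

        # Reuse sessions from a shared cache instead of session tickets.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # HSTS: browsers that have seen this header skip the plain-HTTP hop.
        # Enable only once every page on this host works over HTTPS.
        add_header Strict-Transport-Security "max-age=31536000" always;

        root /var/www/zivers.com;
        index index.php;
}
```

Run `nginx -t` to validate the syntax before restarting the service.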
