免费SSL安全证书Let's Encrypt SSL/TLS - FreeBSD NGINX 配置教程
Let's Encrypt是最近很火的一个免费SSL证书发行项目,Let's Encrypt是由ISRG提供的免费免费公益项目,自动化发行证书,但是证书只有90天的有效期。
本文主要介绍,如何申请 Let's Encrypt 证书,管理证书,自动续签证书及nginx的https的配置方法。
首先安装 certbot 管理工具,linux 下采用 yum 进行安装,这里不再复述,这里主要以 FreeBSD 系统为例。
建议在 FreeBSD 下采用ports方式编译安装
[root@freebsd:~]# cd /usr/ports/security/py-certbot && make install clean
安装完毕后执行以下命令生成证书,请将下面的邮箱更换成你的邮箱地址。
如果有多个域名 请在后面增加 -d youdomain.com 即可。
[root@freebsd:~] certbot certonly -m luffy@qi-cloud.com --agree-tos --webroot -w /usr/local/www/nginx -d qi-cloud.com -d www.qi-cloud.com
完成证书的生成后会提示如下信息
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/usr/local/etc/letsencrypt/live/gnustav.org/fullchain.pem. Your
cert will expire on 2016-12-16. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
证书路径存放在以下位置,以你刚才提交的域名进行命名。
/usr/local/etc/letsencrypt/renewal/qi-cloud.com.conf
/usr/local/etc/letsencrypt/live/qi-cloud.com/
编译nginx配置文件 vi /usr/local/etc/nginx/nginx.conf
server
{
listen 80;
listen 443 ssl http2;
server_name qi-cloud.com;
server_name www.qi-cloud.com;
#配置http访问的均跳转到https访问
if ($scheme = http) {
return 301 https://$host$request_uri;
}
#配置网站的根目录
index index.html index.htm index.php;
root /usr/local/www/nginx;
#配置https证书
ssl_certificate /usr/local/etc/letsencrypt/live/qi-cloud.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/qi-cloud.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
.........
}
Let’s Encrypt的证书只有几个月的有效期,下面到期可以重新刷新更新证书
[root@freebsd:~]# certbot renew --webroot -w /usr/local/www/nginx
当然你也可以设置 crontab 计划任务来每天刷新执行 每天早上5.00执行更新。
[root@freebsd:~]# crontab -e
0 5 * * * /usr/local/bin/certbot renew --webroot -w /usr/local/www/nginx
然后重新nginx服务
[root@freebsd:~]# service nginx restart
打开网站 https://www.qi-cloud.com 看到安全证书了
No Comments