Copyright notice: this article is from kid_2412's CSDN blog; reposting is welcome! https://blog.csdn.net/kid_2412/article/details/51782852
Let's Encrypt is a free, publicly trusted SSL certificate authority. Its certificates are valid for only a short time (90 days), but because the CA is trusted by all major browsers it is still a very good option. The official site is https://letsencrypt.org; its Getting Started page is worth reading. Below are my notes on setting up HTTPS in nginx and on using Let's Encrypt.
First clone the Let's Encrypt client from GitHub:
git clone https://github.com/letsencrypt/letsencrypt
Then stop nginx. In standalone mode the client runs its own temporary web server on port 80 or 443 to answer the CA's validation challenge, so those ports must be free:
sudo /srv/nginx/sbin/nginx -s quit
Next run the client to obtain the certificate. Note that it must be run with sudo or as root. The checkout directory is named letsencrypt; letsencrypt-auto has since been replaced by the certbot client, which takes the same subcommands:
sudo /home/kid/letsencrypt/letsencrypt-auto certonly --standalone
On first run the client installs its dependencies automatically with yum or apt; when that finishes you are taken to the following screen:
Enter your e-mail address here; it is used for account recovery and expiry notices. Press Enter to continue.
Here the client shows its subscriber agreement; press Enter to agree.
Next enter the domain name(s) the HTTPS site will use; separate multiple names with spaces. Every name you list must already resolve to this server, because the CA validates each one over the network before issuing.
Seeing the following output means the certificate was issued successfully:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your
cert will expire on 2016-03-19. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate now lives under /etc/letsencrypt: live/example.com/ holds symlinks to the current versions of the files in archive/example.com/. One thing to note: these directories and the private key are root-owned and not readable by other users. When nginx is started as root (the usual case, since it binds port 443), its master process loads the certificate and private key before handing connections to the unprivileged worker processes, so no extra permissions are needed. Only if nginx runs entirely as its own user does that user need read access. Grant it with setfacl on both directories (live/ alone is not enough, because the files in it are symlinks into archive/), then verify as that user instead of loosening the key's mode. If the check still fails, the privkey file under archive/ that the symlink points to is mode 0600 and needs its own u:nginx:r entry; never make the key world-readable:
setfacl -m u:nginx:r-x /etc/letsencrypt/live/example.com
setfacl -m u:nginx:r-x /etc/letsencrypt/archive/example.com
sudo -u nginx test -r /etc/letsencrypt/live/example.com/privkey.pem && echo readable
Finally edit the nginx configuration and enable HTTPS in the server block. Use fullchain.pem (leaf plus intermediate) rather than cert.pem, otherwise clients that lack the intermediate will fail to build a chain:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; on older builds list TLSv1.2 alone.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
Start nginx (run it with -t first to validate the configuration; a cert/key mismatch or an unreadable key shows up there rather than at runtime):
sudo /srv/nginx/sbin/nginx
Done! Keep in mind the certificate is valid for only 90 days: to renew it, stop nginx and run the client again, or put that in a cron job so it is not forgotten.
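The script below is an added example, not code from the original post or from the Let's Encrypt project. It automates the checks a practitioner wants after the issuance above and the renewal the page leaves to "simply run Let's Encrypt again". It assumes the /etc/letsencrypt/live/example.com layout and the /srv/nginx/sbin/nginx path used on this page, that openssl is on PATH, and, for the renewal itself, that the certbot client (the successor of letsencrypt-auto) is installed; certbot renew reuses the standalone authenticator recorded at issuance, so the pre/post hooks stop and restart nginx around the challenge, the same dance the page does by hand. Before renewing it verifies that privkey.pem really matches fullchain.pem (a mismatch makes nginx refuse to start), that the key is not readable by group or other (an ACL granted to another user also shows up, because ls reports the ACL mask in the group field), and that the certificate is inside the renewal window, using openssl x509 -checkend instead of parsing dates by hand.

```shell
#!/bin/sh
# Added example (not from the original post or the Let's Encrypt project):
# sanity-check a Let's Encrypt cert/key pair and renew it with nginx stopped
# around the standalone challenge. Assumes openssl on PATH and, for the
# renewal step only, the certbot client (successor of letsencrypt-auto).
set -u

# Exit 0 if the certificate in $1 expires within $2 days (default 30), 1 otherwise.
needs_renewal() {
  cert="$1"; days="${2:-30}"
  if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0
}

# Exit 0 if the public key inside certificate $1 equals the public key derived
# from private key $2; 2 if either file cannot be parsed.
cert_matches_key() {
  c=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 2
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 if group and other have no permission bits on the (dereferenced) key.
# ls -L follows the live/ symlink; columns 5-10 are the group and other fields,
# and with a POSIX ACL the group field shows the ACL mask, so an ACL granting
# read to another user is reported as well.
key_is_private() {
  perms=$(ls -ldL "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Run all checks on a live/<domain> directory.
# Exit 0 if renewal is due, 1 if the cert is still fine, 2 on a broken install.
check_live_dir() {
  dir="$1"; threshold="${2:-30}"
  cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
  if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
    echo "missing fullchain.pem or privkey.pem in $dir" >&2; return 2
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "privkey.pem does not match fullchain.pem in $dir" >&2; return 2
  fi
  key_is_private "$key" || echo "warning: $key is readable by group/other" >&2
  if needs_renewal "$cert" "$threshold"; then
    echo "$cert expires within $threshold days: renewal due"; return 0
  fi
  echo "$cert is valid for more than $threshold days: nothing to do"; return 1
}

# Usage: le-check.sh --check /etc/letsencrypt/live/example.com [days]
# Without arguments the script only defines the functions above.
case "${1:-}" in
  --check)
    if check_live_dir "${2:?live directory required}" "${3:-30}"; then
      # certbot renew reuses the authenticator recorded at issuance (standalone
      # here), so nginx must release port 80/443 first. "-s stop" is immediate;
      # "-s quit" returns before the workers exit and can leave the port bound.
      certbot renew \
        --pre-hook "/srv/nginx/sbin/nginx -s stop" \
        --post-hook "/srv/nginx/sbin/nginx"
    fi
    ;;
esac
```

Run it from cron as root, e.g. daily with --check /etc/letsencrypt/live/example.com 30: certbot renew is a no-op while the certificate is outside the window, so the only downtime is the few seconds of the standalone challenge once every 60 days. A return code of 2 means the install is broken and should page someone rather than be retried.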