Get the Certbot client
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
Configure nginx for domain ownership validation
location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root     /www/web/blog;
}

location = /.well-known/acme-challenge/ {
   return 404;
}
Test the configuration, then reload nginx
nginx -t 

nginx -s reload
Generate the certificate (key step)
./certbot-auto certonly --webroot -w  /www/web/blog -d  blog.mevlife.com

# If you see this "Congratulations" message, the certificate was issued successfully
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.mevlife.com/fullchain.pem. Your cert
   will expire on 2018-11-12. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
Configure Nginx to use the SSL certificate (key step)
# Redirect http to https
server{
      listen 80 default_server;
      server_name blog.mevlife.com;
      return 301 https://blog.mevlife.com$request_uri;
}

server{
      listen 443 ssl http2;
      server_name blog.mevlife.com;
      index index.html index.htm index.php;
      root  /www/web/blog;
      ssl_certificate       /etc/letsencrypt/live/blog.mevlife.com/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/blog.mevlife.com/privkey.pem;

      # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients must connect
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers on;

      #error_page   404   /404.html;

      #............ partially omitted .............

      location / {
          try_files $uri $uri/ /index.php?$query_string;
      }

      location ^~ /.well-known/acme-challenge/ {
          default_type "text/plain";
          root  /www/web/blog;
      }

      location = /.well-known/acme-challenge/ {
          return 404;
      }
      access_log  /var/wwwlogs/access.log;
}
Reload nginx and you are done; opening the site in a browser now shows the green padlock
sudo nginx -s reload

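Why does the site load over https while the browser still shows no green padlock? The page being loaded may still reference images, CSS or JS through http://xxxx URLs, which the browser flags as potentially insecure links.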
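
The missing-padlock cause described above can be checked offline. This is an added example, not code from the original post: a Python scanner that lists the http:// subresources in a saved HTML page. The function names, the sample page and the .example hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that trigger a subresource fetch; <a href> is navigation, so not listed.
FETCH_ATTRS = {"script": ("src",), "iframe": ("src",), "link": ("href",),
               "img": ("src", "srcset"), "video": ("src", "poster")}
ACTIVE_TAGS = {"script", "iframe", "link"}  # blocked by browsers; other tags are passive

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, "active" or "passive", url)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCH_ATTRS:
            return
        attrs = dict(attrs)
        # Only rel=stylesheet links are counted; rel=canonical etc. are not fetched.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        kind = "active" if tag in ACTIVE_TAGS else "passive"
        for name in FETCH_ATTRS[tag]:
            value = (attrs.get(name) or "").strip()
            if name == "srcset":
                # "url 1x, url 2x": take the URL of each comma-separated candidate.
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            # Relative and protocol-relative (//host/...) URLs follow the page scheme.
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the .example hosts are placeholders.
SAMPLE_HTML = """\
<link rel="stylesheet" href="http://static.example/css/site.css">
<link rel="canonical" href="http://blog.mevlife.com/">
<script src="//cdn.example/lib.js"></script>
<img src="/img/a.png" srcset="http://cdn.example/a.png 1x, https://cdn.example/a2.png 2x">
"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Each finding is a URL to switch to https:// (or to a relative path) in the page source before reloading the site.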

Author: 陆壹
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit 陆壹笔记 when reposting.