This blog previously used certificates from WoSign, but they did not cover subdomains and the like, and Mozilla has announced that it will stop trusting WoSign-issued certificates. Since I need a subdomain this time anyway, I might as well switch to Let's Encrypt.
This post covers the following steps.
Installing certbot
CentOS 6
```sh
cd /usr/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
ln -s /usr/bin/certbot-auto /usr/bin/certbot
```
CentOS 7
```sh
yum install epel-release
yum install certbot
```
Obtaining a Let's Encrypt SSL certificate
Configuring nginx
Taking nginx as the example, add the following to the configuration file:
```nginx
location ~ /.well-known {
    allow all;
}
```
This location is the validation path Let's Encrypt fetches while issuing the certificate, so it must be reachable from the outside. If you already have a certificate and force HTTPS, change default.conf to the following (/var/www/html is your web root); the more specific /.well-known/acme-challenge/ location wins over the catch-all location /, so challenge requests are served directly instead of being redirected:
```nginx
server {
    listen 80;
    server_name hrwhisper.me;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}
```
Save the file and test the configuration; if the test reports no errors, reload the nginx configuration.
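Before asking certbot for a certificate, it is worth confirming that the challenge directory really is served over plain HTTP and not swallowed by the HTTPS redirect. The script below is an added example and not part of the original post: it imitates what certbot's webroot plugin does by writing a random token under `WEBROOT/.well-known/acme-challenge/`, fetching it through the domain without following redirects, and comparing the body with the token. It assumes `curl` is installed; the script name `acme-webroot-check.sh` is an assumption, and the domain and web root are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the original post): check that nginx serves the
# ACME HTTP-01 challenge path over plain HTTP before running certbot.

# Build the URL the HTTP-01 validator would request for a given token.
challenge_url() {   # $1 domain, $2 token
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write the token into the webroot, exactly where the webroot plugin would,
# and print the resulting file path.
write_challenge() {   # $1 webroot, $2 token
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Random URL-safe token (32 random bytes as 64 hex characters).
make_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Fetch the token without following redirects: a 301/302 to https here is
# exactly the misconfiguration the ^~ acme-challenge location avoids.
check_acme_path() {   # $1 domain, $2 webroot
    token="$(make_token)"
    path="$(write_challenge "$2" "$token")"
    body="$(mktemp)"
    code="$(curl -sS -o "$body" -w '%{http_code}' \
        "$(challenge_url "$1" "$token")" 2>/dev/null || true)"
    rc=1
    if [ "$code" = 200 ] && [ "$(cat "$body")" = "$token" ]; then
        echo "OK: challenge path is served with the expected content"
        rc=0
    elif [ "$code" = 301 ] || [ "$code" = 302 ]; then
        echo "FAIL: HTTP $code redirect; exempt /.well-known/acme-challenge/ from the https redirect"
    else
        echo "FAIL: HTTP ${code:-000}; body did not match the token"
    fi
    rm -f "$body" "$path"
    return $rc
}

# Usage: sh acme-webroot-check.sh --check hrwhisper.me /var/www/html
if [ "${1-}" = "--check" ]; then
    check_acme_path "$2" "$3"
fi
```

A clean `OK` means certbot's webroot authenticator will be able to complete the same exchange; a redirect result means the HTTPS rewrite is still catching the challenge path.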
Obtaining the certificate
Change the email address and the domains below to your own:
```sh
sudo certbot certonly --email [email protected] -a webroot --webroot-path=/var/www/html -d hrwhisper.me -d www.hrwhisper.me
```
To include a subdomain as well:
```sh
sudo certbot certonly --email [email protected] -a webroot --webroot-path=/var/www/html -d hrwhisper.me -d www.hrwhisper.me -d sub.hrwhisper.me
```
Once certbot reports success, point the certificate paths in ssl.conf to:
```nginx
ssl_certificate /etc/letsencrypt/live/hrwhisper.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hrwhisper.me/privkey.pem;
```
Below is my complete configuration.
ssl.conf (for the forced-HTTPS default.conf, see above):
```nginx
#
# The https server
#
server {
    listen 443;
    listen [::]:443 ssl ipv6only=on;
    server_name hrwhisper.me;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/hrwhisper.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hrwhisper.me/privkey.pem;
    # ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

    # enable HSTS including subdomains
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    charset utf-8;

    access_log /var/log/nginx/access.log main;

    location / {
        root /var/www/html;
        index index.php index.html index.htm;
        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename/index.php) {
            rewrite (.*) $1/index.php;
        }
        if (!-f $request_filename) {
            rewrite (.*) /index.php;
        }
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        root /var/www/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
Automatic certificate renewal
Since the certificate is only valid for three months, we can renew it with a scheduled task:
CentOS 6.x
```cron
01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log
06 1 * * 0 /sbin/service nginx reload
```
CentOS 7.x
```cron
01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log
06 1 * * 0 /usr/bin/systemctl reload nginx
```
Every Sunday at 1 a.m. this runs certbot renew and appends its output to /var/log/ssl-renew.log; five minutes later nginx is reloaded so that it picks up the new certificate.
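The crontab above reloads nginx unconditionally five minutes after every renewal attempt, whether or not a new certificate was actually written, and nothing records whether the renewal itself succeeded. The script below is an added example, not the original post's cron entries: it runs `certbot renew`, compares the SHA-256 of fullchain.pem before and after, and reloads nginx only when the file changed, logging both outcomes with a timestamp. The default paths match the post; the script name `renew-and-reload.sh` and the `--run` argument are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): renew with certbot and reload
# nginx only when the deployed certificate chain actually changed.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/hrwhisper.me}"
LOG="${LOG:-/var/log/ssl-renew.log}"

# SHA-256 of a file, or an empty string when the file does not exist yet
# (first issuance). Always returns 0 so callers can use it under set -e.
chain_digest() {   # $1 file
    [ -f "$1" ] || return 0
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True (exit 0) when the digest recorded before renewal differs from the
# digest of the file now, i.e. certbot wrote a new certificate.
cert_changed() {   # $1 digest before, $2 file
    old="$1"
    new="$(chain_digest "$2")"
    [ "$old" != "$new" ]
}

# Append a timestamped line to the renewal log.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# Pick the reload command for the init system present (CentOS 7 vs 6).
reload_nginx() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload nginx
    else
        service nginx reload
    fi
}

main() {
    before="$(chain_digest "$LIVE_DIR/fullchain.pem")"
    if ! certbot renew --quiet >> "$LOG" 2>&1; then
        log "certbot renew failed, nginx not reloaded"
        return 1
    fi
    if cert_changed "$before" "$LIVE_DIR/fullchain.pem"; then
        log "certificate renewed, reloading nginx"
        reload_nginx
    else
        log "certificate unchanged, nothing to do"
    fi
}

# Cron entry (assumed): 01 1 * * 0 /usr/local/bin/renew-and-reload.sh --run
if [ "${1-}" = "--run" ]; then
    main
fi
```

Newer certbot releases make the same distinction built in: `certbot renew --deploy-hook 'systemctl reload nginx'` runs the hook only for certificates that were actually renewed, so the separate reload line in the crontab can be dropped.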