Setting up HTTPS on Alibaba Cloud Ubuntu 14.04 + Nginx with Let's Encrypt

References:

https://certbot.eff.org/#ubuntutrusty-nginx

http://bbs.qcloud.com/thread-12059-1-1.html

http://www.cnblogs.com/yanghuahui/archive/2012/06/25/2561568.html

http://www.jb51.net/os/Ubuntu/323696.html

1. Install Let's Encrypt (certbot)

    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install certbot

  If add-apt-repository cannot be found, install it first:

    apt-get install python-software-properties
    apt-get install software-properties-common

2. Generate the key

    certbot certonly --standalone -d example.com -d www.example.com

On success, output like the following is displayed:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/<your-domain>/fullchain.pem. Your cert will
       expire on <expiry date>. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot-auto again. To
       non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

  The content marked in red (the path under /etc/letsencrypt/live/) is used in the next step.

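3. Configure nginx

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/<your-domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your-domain>/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    listen [::]:443 ssl ipv6only=on;

  Note that the two paths marked in red point to different files: fullchain.pem and privkey.pem.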

4. Restart nginx

    nginx -s reload

  The site is now reachable over https.

  Access over http fails with the error ERR_CONNECTION_REFUSED.

5. Redirect http requests to https

    server {
        listen 80;
        server_name <your-domain>;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

  Accessing the site over http now succeeds.

The configuration is now complete, as shown in the figure below.

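* Let's Encrypt certificates are valid for only 90 days. To renew, use the following commands:

    certbot renew --dry-run
    certbot renew

  Before doing this, stop nginx first, because the --standalone authenticator from step 2 needs to bind a port that nginx is using:

    nginx -s stop

  When starting nginx again, you may hit an error such as [error] open() "/run/nginx.pid" failed (2: No such file or directory). The fix is as follows (from http://blog.csdn.net/llnara/article/details/8691049):

    nginx -c /etc/nginx/nginx.conf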
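The TLS settings from step 3 can be checked mechanically before reloading nginx. The following Python check is an added example, not code from the original post: it confirms that the certificate and key directives point to fullchain.pem and privkey.pem in the same directory, and reports deprecated protocol versions. The function names `directives` and `audit` and the sample domain example.com are assumptions of the example.

```python
import posixpath
import re

# SSLv2/SSLv3 are long prohibited; TLS 1.0/1.1 were deprecated by RFC 8996.
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def directives(conf):
    """Map directive name -> list of argument lists (simple 'name args;' syntax only)."""
    found = {}
    # Strip comments, then split on statement and block delimiters.
    for stmt in re.split(r"[;{}]", re.sub(r"#.*", "", conf)):
        parts = stmt.split()
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit(conf):
    """Return a list of findings for the TLS directives used in step 3."""
    d, findings = directives(conf), []
    first = lambda name: (d.get(name, [[]])[0] or [None])[0]
    cert, key = first("ssl_certificate"), first("ssl_certificate_key")
    if not cert or not key:
        findings.append("ssl_certificate or ssl_certificate_key missing")
    else:
        if posixpath.basename(cert) != "fullchain.pem":
            findings.append("ssl_certificate should point to fullchain.pem")
        if posixpath.basename(key) != "privkey.pem":
            findings.append("ssl_certificate_key should point to privkey.pem")
        if posixpath.dirname(cert) != posixpath.dirname(key):
            findings.append("certificate and key are in different directories")
    enabled = [p for args in d.get("ssl_protocols", []) for p in args]
    weak = [p for p in enabled if p in DEPRECATED]
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(weak))
    return findings

# Constructed sample: the step 3 settings with example.com as the domain.
PAGE_CONF = """
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;
"""

if __name__ == "__main__":
    print("\n".join(audit(PAGE_CONF)))
```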

