Let's Encrypt
Let's Encrypt is a certificate authority that issues free TLS certificates for websites.
This walkthrough is for Ubuntu. First install certbot (it is packaged in the Ubuntu repositories).
Generate Diffie-Hellman parameters with openssl (used by the `ssl_dhparam` directive in the nginx config further down):

```sh
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
```
Issue the free certificate. In webroot mode certbot writes the challenge file under `.well-known/acme-challenge/` in the directory given with `-w`, so that path must be the document root nginx actually serves over port 80. Repeat `-d` for every hostname the certificate must cover; nginx will only serve the certificate without browser errors for names it includes, so if the server block below uses `server_name xxx.com`, issue for both `-d xxx.com -d www.xxx.com`.

```sh
certbot certonly --webroot --agree-tos -v -t --email xxx@xxx.com -w /path/to/your/web/root -d www.xxx.com
```

If it succeeds, certbot prints the directory containing the certificate files (`fullchain.pem` and `privkey.pem`, by default under `/etc/letsencrypt/live/<domain>/`).
Configure nginx as follows. The original block enabled SSLv3, TLSv1 and TLSv1.1, a cipher list with static RSA key exchange (no forward secrecy) and 3DES, and a `builtin` session cache; those settings are corrected here.

```nginx
server {
    listen 80;
    server_name xxx.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name xxx.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # SSLv3 (POODLE), TLSv1 and TLSv1.1 are broken or deprecated: allow TLS 1.2+ only.
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older systems.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Ephemeral ECDH suites only: the RSA+... aliases allowed static RSA key exchange,
    # 3DES is a 64-bit block cipher (Sweet32), and CHACHA20-draft only existed in old patched builds.
    ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256:EECDH+AES128:!MD5";
    ssl_session_timeout 5m;
    # Only the shared cache: the nginx docs warn that builtin can fragment memory.
    ssl_session_cache shared:SSL:10m;
    # openssl dhparam -out /path/to/dhparams.pem 2048
    ssl_dhparam /path/to/dhparams.pem;

    root /path/to/wwwroot/web;
    index index.html index.htm index.php default.html default.htm default.php;
}
```

Run `nginx -t` before reloading to catch syntax errors, and make sure `root` is the same directory you passed to certbot with `-w`, otherwise renewals will fail the HTTP-01 challenge. The port-80 redirect is fine for that: Let's Encrypt follows redirects to HTTPS when validating.
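As an added example (not part of the original post), the following POSIX shell script audits an nginx TLS server block for exactly the weak settings discussed above: obsolete protocols, 3DES and static-RSA cipher aliases, and the `builtin` session cache. The two config fragments it checks are constructed inline, one matching the original block and one hardened; point `audit_tls_conf` at your real config file to use it for real. The function and file names are my own.

```sh
#!/bin/sh
# Added example: audit nginx TLS directives for the weak settings shown above.
# Needs only POSIX sh, grep, sed, head, wc and tr.

# directive_value FILE DIRECTIVE: the directive's value, quotes and ';' stripped (first match only)
directive_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/;[[:space:]]*$//; s/\"//g" \
        | head -n 1
}

# audit_tls_conf FILE: print one finding per line; return 1 if anything was found
audit_tls_conf() {
    conf=$1
    found=0

    protos=$(directive_value "$conf" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set (nginx default depends on version)"
        found=1
    fi
    obsolete=""
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) obsolete="$obsolete $p" ;;
        esac
    done
    if [ -n "$obsolete" ]; then
        echo "obsolete protocols enabled:$obsolete"
        found=1
    fi

    # Walk the colon-separated OpenSSL cipher list; '!'-negated entries remove suites, so skip them.
    ciphers=$(directive_value "$conf" ssl_ciphers)
    has_3des=0; has_krsa=0
    oldifs=$IFS; IFS=:
    for c in $ciphers; do
        case $c in
            "!"*) continue ;;
            *3DES*|*DES-CBC3*) has_3des=1 ;;
        esac
        case $c in
            RSA+*|kRSA*|RSA) has_krsa=1 ;;   # RSA/kRSA aliases admit static RSA key exchange
        esac
    done
    IFS=$oldifs
    if [ "$has_3des" -eq 1 ]; then
        echo "3DES ciphers enabled (64-bit block cipher, Sweet32)"
        found=1
    fi
    if [ "$has_krsa" -eq 1 ]; then
        echo "static RSA key exchange allowed (no forward secrecy)"
        found=1
    fi

    cache=$(directive_value "$conf" ssl_session_cache)
    case $cache in
        *builtin*) echo "ssl_session_cache uses builtin (nginx docs recommend shared only)"; found=1 ;;
    esac

    return $found
}

# count_findings FILE: number of finding lines
count_findings() {
    audit_tls_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the directives from the original post's server block.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
EOF

# Constructed sample 2: a hardened equivalent (TLS 1.2+, ECDHE AEAD suites, shared cache).
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
ssl_session_cache shared:SSL:10m;
EOF
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

echo "== weak config =="
if audit_tls_conf "$WEAK_CONF"; then echo "no findings"; fi
echo "== hardened config =="
if audit_tls_conf "$GOOD_CONF"; then echo "no findings"; fi
```

The script only reads the first occurrence of each directive, so run it per `server {}` block (or on an included snippet) rather than on a whole `nginx.conf` with several virtual hosts.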
Set up a cron job for automatic renewal. `certbot renew` is cheap and only renews certificates that are within 30 days of expiry, so it is safe to run it daily; note that `*/7` in the day-of-month field does not mean "every seven days" (it fires on the 1st, 8th, 15th, 22nd and 29th). `--deploy-hook` replaces the older `--renew-hook` name and runs only when a certificate was actually renewed, and a `reload` picks up the new certificate without dropping connections:

```sh
0 1 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

Test the renewal path without touching the real certificate with `certbot renew --dry-run`. The certbot package on Ubuntu also installs a `certbot.timer` systemd unit that runs `certbot renew` twice a day; if it is active (`systemctl list-timers`), the cron entry is redundant.