最新的Let's Encrypt免费https证书配置
Let's Encrypt
是一个数字证书认证机构,为网站提供免费的TLS证书。
本次流程基于Ubuntu,首先安装certbot
apt install certbot
使用 openssl 工具生成 dhparams
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
生成免费证书
certbot certonly --webroot --agree-tos -v -t --email xxx@xxx.com -w /path/to/your/web/root -d www.xxx.com
如果执行正常,将会显示生成的证书文件目录
配置nginx如下
server
{
listen 80;
server_name xxx.com;
return 301 https://$server_name$request_uri;
}
server
{
listen 443 ssl http2;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
# openssl dhparam -out /path/to/dhparams.pem 2048
ssl_dhparam /path/to/dhparams.pem;
server_name xxx.com;
index index.html index.htm index.php default.html default.htm default.php;
root /path/to/wwwroot/web;
}
配置定时任务每个月自动续期(每隔七天临晨1点执行一次)
0 1 */7 * * certbot renew --renew-hook "systemctl restart nginx"