1.下载 Certbot 客户端
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
2.生成证书
./certbot-auto certonly --email lst136@qq.com --webroot -w /usr/local/nginx/app/ -d www.zmdggjy.com
说明:certonly 表示安装模式
-d 为那些域名申请证书如(www.baidu.com),一个证书可以挂多个域名,-d www.zmdggjy.com -d www.baidu.com
--email 通知邮箱,证书到期前会邮件通知
-w 表示 nginx中指定的root 网站根目录的路径
生成证书路径:/etc/letsencrypt/archive/域名/
3.证书部署(nginx):
https需要使用443端口
/usr/local/nginx/dhparam.pem
上面文件是dhe密钥协商的参数,生成方法:
openssl dhparam out dhparam.pem 2048
nginx配置:
server {
listen 443;#监控端口
server_name m.xn--chqrbx3cl79a.com xn--chqrbx3cl79a.com;#监控域名
#ssl
ssl on;
ssl_certificate /etc/letsencrypt/live/xn--chqrbx3cl79a.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--chqrbx3cl79a.com/privkey.pem;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/nginx/dhparam.pem;
add_header Strict-Transport-Security max-age=15552000;
#charset koi8-r;
charset utf-8;
#access_log logs/host.access.log main;
location / {
root app;
index index.htm index.html;
access_log logs/webangular.access.log main ;
}
location /lrs/ {
#proxy_set_header Host hrmis.neusoft.com/rlzyptweb/lrs;
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log logs/htweb.log main ;
client_max_body_size 20m;
proxy_read_timeout 150;
client_body_buffer_size 128k;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass http://mysvr/;
}
location /rlzyptwx {
alias /usr/local/nginx/wxapp/;
index index.htm index.html;
access_log logs/wxangular.access.log main ;
}
location = /a.gif { #虚拟服务器server的重定向访问
root html;
index index.htm index.html;
allow all;
}
location = /click.html { #虚拟服务器server的重定向访问
root html;
charset utf-8;
index index.htm index.html;
allow all;
}
location = /error.html { #虚拟服务器server的重定向访问
root html;
index index.htm index.html;
allow all;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
# error_page 500 502 503 504 /50x.html; #错误码值和对应请求
}
4.nginx 设置http强制跳转https
server
{
listen 80 ;
server_name www.xxxx.com;
rewrite ^(.*)$ https://$host$1 permanent;
}
5.证书续期更新:
证书有效期3个月,到期前需要更新证书!
如何实现自动更新证书:
linux服务器中设置定时任务,去检查证书是否快要到期,到期前就自动更新,更新完证书重启nginx服务器。
0 0 * * * ./certbot-auto renew certonly --email lst136@qq.com -d www.zmdggjy.com --webroot -w /usr/local/nginx/app/ >> /root/for_crontab/mylog.log 2>&1
0 1 * * * service nginx reload >> /root/for_crontab/nginxlog.log 2>&1
说明:linux如何设置定时任务,自己网上查一下;
nginx需要做成系统服务,要不然service nginx reload 这个脚本会报错
2019年06月20日 19:32 沙发
ttt