Applying for a free HTTPS certificate (Let’s Encrypt)
Download and install
[[email protected] certbot]#git clone https://github.com/certbot/certbot
[[email protected] certbot]#cd certbot/
[[email protected] certbot]#./certbot-auto certonly --webroot --agree-tos -v -t --email [email protected] -w /usr/local/nginx/html/ -d example.com
……
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-02-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[[email protected] certbot]# openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................................................+........................+.............
Nginx configuration
server {
    listen 443 ssl;
    server_name localhost;
    charset utf-8;
    # Certificate chain and private key written by certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # DH parameters generated above with "openssl dhparam"
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Forward the decrypted traffic to the local backend
        proxy_pass http://localhost:8081;
    }
}
Certificate renewal
[[email protected] certbot]# ./certbot-auto renew
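After a renewal replaces the files under /etc/letsencrypt/live/example.com/, nginx keeps serving the old certificate until it is reloaded. The script below is an added example, not part of the original post: it checks the renewed files (remaining validity, key/certificate match, key file permissions) before a reload. The function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the files certbot
# writes to /etc/letsencrypt/live/<domain>/ before nginx is reloaded.

# True if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the private key ($2) carries the same public key as the cert ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the key file is not accessible by group or others (GNU stat assumed).
key_is_private() {
    mode=$(stat -L -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run all checks on a live directory; prints every failure and returns
# non-zero if any check failed. $1 = directory, $2 = minimum remaining days.
check_cert_dir() {
    rc=0
    cert_valid_for_days "$1/fullchain.pem" "$2" ||
        { echo "FAIL: certificate expires within $2 days" >&2; rc=1; }
    key_matches_cert "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem does not match fullchain.pem" >&2; rc=1; }
    key_is_private "$1/privkey.pem" ||
        { echo "FAIL: privkey.pem is accessible by group/others" >&2; rc=1; }
    return "$rc"
}
```

Typical use after renewal: `check_cert_dir /etc/letsencrypt/live/example.com 30 && nginx -s reload`, with the nginx binary path adjusted to the local install.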
Reference: https://keelii.com/2016/06/12/free-https-cert-lets-encrypt-apply-install/