Before we have talked about how to siteOpen Full Site SSL Now we take a look at how the vps to Nginx open Let's Encrypt certificate and automatically update。
The contents of this article older,About letsencrypt configuration article,I wrote a new,Perhaps you can refer to a look:letsencrypt tool renamed certbot
Set the environment
First of all,We should prepare the installation environment,This time I am using CentOS 6.7 Final,If you are using Ubuntu ,It may be different in some way,But should be similar。First, we need to prepare the environment,Some of these already built in your vps,Some of you need to update,While others are not installed:
1 |
yum -y install git bc |
Other than that,You need to use to pip,If you did not pre-vps,Please refer toThis articleTo upgrade。
installation
Here we assume that you have configured Nginx ,Now we clone a Let's Encrypt package available from Github:
1 |
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt |
From now on,Let's Encrypt us to access the directory at execution letsencrypt-auto Well let it complete the initialization。
1 2 3 |
cd /opt/letsencrypt/ ./letsencrypt-auto |
Here you might encounter virtualenv : command not found. This error,Then you need to perform pip install virtualenv To install the missing packages,Then initialized。
Once the initialization is complete,We can certificate signed!
Use the built-in plug-in to obtain a certificate
Use built-ins WebRoot benefits of obtaining a certificate is that we can use directly Nginx HTTP service provided without the need to make a temporary shutdown Nginx good 80 port!
Edit the configuration file Nginx /usr/local/nginx/conf/nginx.conf ,Insert the following in the appropriate location inside:
1 2 3 |
location ~ /.well-known { allow all; } |
The modified configuration file should look like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
//部分隐去 server { listen 80 default_server; #listen [::]:80 default_server ipv6only=on; server_name www.lnmp.org; index index.html index.htm index.php; root /home/wwwroot/default; #error_page 404 /404.html; include enable-php.conf; location /nginx_status { stub_status on; access_log off; } location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ { expires 30d; } location ~ .*\.(js|css)?$ { expires 12h; } location ~ /\. { deny all; } location ~ /.well-known { allow all; } access_log /home/wwwlogs/access.log access; } |
Remember to insert server Large internal braces。
Now you can restart Nginx: nginx -t && service nginx restart ,If an error,Description of your configuration file and not changing for the better。
Next, use the command to obtain a certificate,During the consent agreement and will ask you to enter a mailbox,Purpose is to restore and upgrade key for the future:
1 2 3 |
cd /opt/letsencrypt ./letsencrypt-auto certonly -a webroot --webroot-path=/home/wwwroot/default/your-web-home -d example.com -d www.example.com |
It is worth mentioning that,You need root privileges to perform。Other than that,Your domain name mustdirectPoint your vps address,If you use something like CDN acceleration DNS,Cancel the job needs,Because they will hide your real IP server。
Upon successful completion of,You should be able at /etc/letsencrypt/live/your_domain_name This directory to find the certificate you!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
IMPORTANT NOTES: - If you lose your account credentials, you can recover through e-mails sent to lomyr.jo@gmail.com. - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.logcg.com/fullchain.pem. Your cert will expire on 2016-08-14. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt so making regular backups of this folder is ideal. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le |
Then execute the following command to generate Diffie - Hellman key To enhance security:
1 |
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 |
After a lengthy wait is to configure Nginx use the SSL。
Nginx configuration of SSL
Anyway,Find the corresponding site's configuration file in your Nginx configuration directory website,You will find that they are only about 80 Listening port,We first get rid of it:
1 2 3 4 5 6 7 |
server { listen 80; #listen [::]:80; return 301 https://www.logcg.com$request_uri; server_name www.logcg.com logcg.com; } |
So let Nginx met automatically forwarded to HTTPS when HTTP access。
Then we add 443 Port Listener,This configuration file in the same top row to start:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
server { listen 443 ssl; server_name example.com www.example.com; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; location ~ /.well-known { allow all; } # The rest of your server block root /usr/share/nginx/html; index index.html index.htm index.php default.html default.htm default.php; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; # Uncomment to enable naxsi on this location # include /etc/nginx/naxsi.rules } } |
Note that this should example.with Change for your domain,Then root /usr/share/nginx/html; This line exchange for your Web Directory。
From now on,Restart your Nginx again nginx -t && service nginx restart Then try to open the page with a browser to test the results of it:https://www.ssllabs.com/ssltest/analyze.html?d=www.logcg.com
Do not worry,There renewal
Since Let's Encrypt is issued free of charge,for safety,It provides only a three-month validity - the government has also encouraged the use of automated configuration to complete renewal,Anyway,you can use ./letsencrypt-auto renew Manually complete renewal,Or you can use your own Linux Task Scheduler function。
1 |
crontab -e |
If you do not find the commands appear in the implementation of this order,Then use the following command to install it:
1 |
yum -y install vixie-cron crontabs |
Anyway,Write the following in the open file:
1 2 |
30 3 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 35 3 * * 1 service nginx restart |
Add the task to perform updates certificate at half past three every Monday,This will ensure that your certificate will always be the latest。
Original article written by LogStudio:R0uter's Blog » Let's Encrypt using the VPS configure SSL for Nginx
Reproduced Please keep the source and description link:https://www.logcg.com/archives/1709.html
It can be used year!
Let's Encrypt trouble feeling na, I now use AlphaSSL wildcard domain, Simple and crude….Case is free…
I looked at,Why not need $ 149? ? ? (Pan-domain certificate)
Fill in your own domain name to generate csr * .domain, Send me mail, I can help you get a certificate!
Ha sorry too busy recently,Dali did not attend blog。。。Saying this certificate is valid for how long?
It can be used year!
what,Thanks ~ this is also good with a temporary。I did a renewal of scheduled tasks automatically check weekly,And currently there is no pan-domain requirements,Any future find you slightly ~ XD
Must have webmaster@logcg.com or admin@logcg.com E-mail, Which you send me together under.
That use nginx and apache package manager to install the almost one-button ......
But own translation,Many people will not try letsencrypt-auto,So long as certonly ha ha ~
I always certonly,It is the beginning of a standalone,Hey。
I am also a standalone,However, it temporarily shut down web server。
If you use a CDN words,In fact, I do not know that is how I configured certificate (also used on the server's self-signed certificate instead) ......
Just go to the next test cf,Open Development Mode and Pause website can not do
Vps must point should be the job ......? I also guess。
I think so too,After all, CDN is essentially also a middleman hijacking Well ~
um hum。You can hide the real server IP,China is not regarded cloudflare node to shield it
I guess not Σ( ° △ °|||)︴ cf only occasionally hit the wall,Refresh like。In case this day came,I have resolved back to the IP
I used to use cf,Later node is a large wall would not have。Later cf and domestic Baidu or who collaborated,Then international edition seems to have abandoned me to die。Anyway, now I'm fast enough,Directly run just fine
cf domestic and Baidu cooperation,Called "Baidu cloud acceleration",Your server in Hong Kong will inevitably Kuaia ~ In fact, I think,Or I resolved back to the mainland trip。Because I did not get me the domain name resolves to the record on the Tencent cloud。。
In fact, look at the words carefully optimized,We should not slow
~ Slow to process ssl /(¨Ò o ¨Ò)/~~
Haha
You have problems opening and Website Reviews,Gnaw on cloudflare ah,Go and repair it
Oops,Just do through the CDN Well let's encrypt,The web server is temporarily stopped,So I guess it should be 503 ~
513like,Very strange code anyway
inevitable,Because the server turned off,You may also cache page