Tuesday, May 16, 2017

Ubuntu 14 + Nginx 1.4.6 + Let's Encrypt SSL certificate installation

Install the certbot tool

On Ubuntu 14.04
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 
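$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
Note: at this point you need to edit the default site, /etc/nginx/sites-enabled/default, and change root to /var/www/example,
and also turn on autoindex       on;
You also need to disable the other servers in nginx.conf.
Open the configuration file of your own host site and modify it as follows: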
server {
  listen 80;

  index index.html index.htm;

  server_name example.com; # domain name
  rewrite ^(.*)$  https://$host$1 permanent;
}

server {
  listen 80;

  index index.html index.htm;

  server_name www.example.com; # domain name
  rewrite ^(.*)$  https://$host$1 permanent;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name example.com;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  # DH parameters file; it must be generated before nginx is reloaded
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_ciphers '×××××××××××××××××××';
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;

  location / {
    proxy_pass http://localhost:5000; # automatic proxy to the backend
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }

}
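Note: Let's Encrypt SSL certificates need to be renewed every three months. Run the following command: certbot renew --dry-run (--dry-run only tests the renewal and does not save a new certificate; run certbot renew without it to actually renew).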
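
An added example, not part of the original post: the port-80 blocks above redirect every request to HTTPS and the 443 block proxies everything to localhost:5000, so the `--webroot` challenge files under /var/www/example are no longer served by nginx, and renewal can fail unless the backend serves them. One way to keep renewal working, assuming the same webroot and domain names as above, is to replace the two port-80 blocks with a single block that serves the challenge path from the webroot and redirects everything else:

```nginx
# Added example (not from the original post).
# Assumes the webroot /var/www/example and the names example.com /
# www.example.com used in the certbot command above.
server {
  listen 80;
  server_name example.com www.example.com;

  # Serve HTTP-01 challenge files directly from the certbot webroot,
  # so "certbot renew" can validate without touching the backend.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/example;
    default_type text/plain;
    try_files $uri =404;   # never fall through to the redirect or a listing
  }

  # Everything else is redirected to HTTPS.
  location / {
    return 301 https://$host$request_uri;
  }
}
```

Check the syntax with nginx -t before reloading, then confirm with certbot renew --dry-run that validation succeeds.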
