We use Yunwang (云旺) for IM; on iOS, image URLs are only displayed when they are https, so we need to add a certificate to the server.

Let's Encrypt is a free, open CA whose root is already trusted by the major browser vendors, including Mozilla and Microsoft.

1. Install Let's Encrypt (certbot)

apt-get install python-software-properties 
apt-get install software-properties-common 
sudo add-apt-repository ppa:certbot/certbot 
apt-get update 
apt-get install certbot 

2. Generate the key and certificate

certbot certonly --standalone -d XXX.com

The following output indicates success:

[email protected]:/etc/letsencrypt# certbot certonly --standalone -d  51best.site 
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Obtaining a new certificate 
Performing the following challenges: 
tls-sni-01 challenge for XXX.com 
Waiting for verification... 
Cleaning up challenges 
 
IMPORTANT NOTES: 
 - Congratulations! Your certificate and chain have been saved at: 
   /etc/letsencrypt/live/XXX.com/fullchain.pem 
   Your key file has been saved at: 
   /etc/letsencrypt/live/XXX.com/privkey.pem 
   Your cert will expire on 2017-12-27. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
   Donating to EFF:                    https://eff.org/donate-le

By default the files are stored under /etc/letsencrypt/live

3. Configure nginx

(1) Option one

listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;

(2) Option two

listen       443 ssl; 
ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem; 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
ssl_prefer_server_ciphers on; 
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; 
listen [::]:443 ssl ipv6only=on;

Accessing over https: success.

Accessing over http: fails with the error ERR_CONNECTION_REFUSED, because nothing is listening on port 80.

Redirect http requests to https by adding a separate server block for port 80:

server { 
        listen 80; 
        server_name XXX.com; 
        rewrite ^(.*) https://$server_name$1 permanent; 
}

Accessing over http now succeeds (the request is redirected to https).

4. Restart nginx

/etc/init.d/nginx restart

Both http://XXX.com and https://XXX.com are now reachable.
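As an added example (not part of the original post), the following Python script audits nginx server blocks for exactly the two situations described in step 3: a config that only listens on 443, where plain http gets ERR_CONNECTION_REFUSED, versus one that also has the port-80 redirect block; it additionally flags the deprecated TLSv1/TLSv1.1 versions in the post's ssl_protocols line. The sample configs are constructed from the snippets on this page, and the parser assumes flat server blocks with no nested location blocks.

```python
import re
# Protocol versions that should no longer be offered (TLS 1.0 and 1.1 are deprecated by RFC 8996).
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_server_blocks(conf):
    """One {directive: [arg lists]} dict per server { } block. Minimal tokenizer
    for flat blocks like the ones in this post (no nested location {} blocks)."""
    blocks = []
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        directives = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if parts:
                directives.setdefault(parts[0], []).append(parts[1:])
        blocks.append(directives)
    return blocks

def audit(conf):
    """Flag: no port-80 listener (plain http gets ERR_CONNECTION_REFUSED), a port-80
    server that does not redirect to https, and deprecated versions in ssl_protocols."""
    blocks = parse_server_blocks(conf)
    findings, listeners = [], {}  # listeners: port -> indexes of server blocks on it
    for i, block in enumerate(blocks):
        for args in block.get("listen", []):
            port = args[0].rsplit(":", 1)[-1]  # "80", "443" and "[::]:443" all yield the port
            listeners.setdefault(port, []).append(i)
        for args in block.get("ssl_protocols", []):
            weak = sorted(DEPRECATED_TLS.intersection(args))
            if weak:
                findings.append(f"server #{i}: deprecated ssl_protocols enabled: {weak}")
    if "80" not in listeners:
        findings.append("no listener on port 80: plain http gets ERR_CONNECTION_REFUSED")
    for i in listeners.get("80", []):
        rules = blocks[i].get("rewrite", []) + blocks[i].get("return", [])
        if not any("https://" in " ".join(args) for args in rules):
            findings.append(f"server #{i}: port 80 served without a redirect to https")
    return findings
# Constructed samples: option two from the post (wrapped in server { }) and the redirect block.
HTTPS_ONLY = """server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    listen [::]:443 ssl ipv6only=on;
}"""
HTTP_REDIRECT = """server {
    listen 80;
    server_name XXX.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}"""
```

audit(HTTPS_ONLY) reports both the missing port-80 listener and the deprecated protocols; audit(HTTPS_ONLY + HTTP_REDIRECT) leaves only the protocol finding, and changing ssl_protocols to TLSv1.2 TLSv1.3 clears it.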

5. Renewal

Free certificates issued by Let's Encrypt are valid for 3 months; running certbot renew renews the HTTPS certificate for free, as many times as needed.

First stop nginx (certbot's standalone mode binds the web port itself while completing the challenge):

/etc/init.d/nginx stop
certbot renew --dry-run 
certbot renew

Then restart nginx:

/etc/init.d/nginx restart

Note:

If you hit [error] open() "/run/nginx.pid" failed (2: No such file or directory), start nginx with the config file given explicitly:

nginx -c /etc/nginx/nginx.conf
