使用letsencrypt搞了一套免费SSL证书,绿了,看着就舒服,看看老哥的大A (虽么h2老钱 的A+牛)
1.准备 下载Certbot:https://github.com/certbot/certbot
2.注册 移步解压目录,执行命令,如果没错,应有类似如下提示
1 ./certbot-auto certonly --standalone --email 邮箱地址 -d 域名1 -d 域名2 ... -d 域名n
3.配置(Nginx) 直接贴上本站配置。重启Nginx即可
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 server { listen 80; listen 443 ssl; ssl on; ssl_certificate /etc/letsencrypt/live/域名/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/域名/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # 密码套件来自 http://www.oschina.net/translate/strong_ssl_security_on_nginx ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_prefer_server_ciphers on; if ($scheme = http){ rewrite ^(.*)$ https://$host$1 permanent; } location ~ /\. { deny all; } location ~ /.well-known { allow all; } # and so on }
过期咋办? 证书过期时间为90天,所以需要定期的执行重新注册命令。当然,一个定时任务就搞定
1 2 ./certbot-auto renew --dry-run ./certbot-auto renew -v
常见问题 1. 证书注册失败?
Failed authorization procedure. chenzhihao.cc (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
首先检查Nginx配置文件是否正确
关闭防火墙
2. 配置好为何无法访问? 没有什么是重启一下Nginx解决不了的,重启后肯定会有报错
3. 为什么我无法重新注册?
Attempting to renew cert (域名) from /etc/letsencrypt/renewal/域名.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
在完全杀掉Nginx后执行重新注册命令,然后启动Nginx
4. 为毛有的页面绿,有的不绿? 检查不绿页面是否有单纯的 http:// 链接,有则改之
