Alibaba Cloud Ubuntu 14.04 + Nginx + Let's Encrypt: setting up HTTPS access

    We use Yunwang (云旺) for IM. On iOS, image URLs are only displayed when they are served over HTTPS, so the server needs a certificate.

    Let's Encrypt is a free, open CA whose root is already trusted by Mozilla, Microsoft and the other major browser vendors.

    1. Download Let's Encrypt (certbot)

    apt-get install python-software-properties
    apt-get install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
    apt-get update
    apt-get install certbot

    2. Generate the key

    certbot certonly --standalone -d XXX.com

    Output like the following means it succeeded:

    root@iZ2zedq9lexkebewgjhhwzZ:/etc/letsencrypt# certbot certonly --standalone -d  51best.site
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for XXX.com
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/XXX.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/XXX.com/privkey.pem
       Your cert will expire on 2017-12-27. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

    By default the files are saved under /etc/letsencrypt/live.

    3. Configure nginx

    (1) Method one

    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    listen [::]:443 ssl ipv6only=on;

    (2) Method two

    listen       443 ssl;
    ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    listen [::]:443 ssl ipv6only=on;

    Accessing the site over HTTPS works.

    Accessing it over HTTP fails with ERR_CONNECTION_REFUSED.

    Redirect HTTP requests to HTTPS:

    server {
            listen 80;
            server_name XXX.com;
            rewrite ^(.*) https://$server_name$1 permanent;
    }

    HTTP access now works.
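The two nginx snippets above both keep TLSv1 and TLSv1.1 enabled, which have since been formally deprecated (RFC 8996) and are rejected by current browsers and compliance baselines. The following shell script is an added example, not part of the original post or of nginx/certbot: it emits a hardened pair of server blocks for the same certificate paths (the placeholder domain XXX.com and the /etc/letsencrypt/live layout are taken from the post; the `return 301` redirect form and the TLSv1.2-only cipher list are my choices) and provides a small audit function that flags an `ssl_protocols` line still enabling legacy protocols. Only TLSv1.2 is enabled because the nginx/OpenSSL shipped with Ubuntu 14.04 does not understand TLSv1.3.

```shell
#!/bin/sh
# Added example (not from the original post): hardened nginx TLS server blocks
# plus an audit check for legacy protocol settings.
# Assumptions: domain XXX.com (placeholder, as in the post) and certbot's
# default /etc/letsencrypt/live/<domain>/ certificate layout.
set -eu

DOMAIN="${DOMAIN:-XXX.com}"
LIVE="/etc/letsencrypt/live/$DOMAIN"

# Server block that sends every plain-HTTP request to HTTPS.
# `return 301 https://$host$request_uri` keeps the requested path and query string.
http_redirect_block() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $DOMAIN;
    return 301 https://\$host\$request_uri;
}
EOF
}

# HTTPS server block. TLSv1 and TLSv1.1 are deliberately left out; TLSv1.3 can be
# appended to ssl_protocols once nginx and OpenSSL on the host support it.
https_server_block() {
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $DOMAIN;

    ssl_certificate     $LIVE/fullchain.pem;
    ssl_certificate_key $LIVE/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Ask browsers to use HTTPS only for the next year; enable this only once
    # the HTTPS site is known to work, because it cannot be quickly undone.
    add_header Strict-Transport-Security "max-age=31536000";
}
EOF
}

# Read an nginx config fragment on stdin. Return 1 (and print a message on
# stderr) if any ssl_protocols directive enables SSLv3, TLSv1 or TLSv1.1;
# return 0 otherwise.
audit_ssl_protocols() {
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | grep -Eq '(^|[[:space:]])(SSLv3|TLSv1|TLSv1\.1)([[:space:];]|$)'; then
        echo "weak: a legacy SSL/TLS protocol is enabled in ssl_protocols" >&2
        return 1
    fi
    return 0
}

# Usage: sh tls-config.sh > /etc/nginx/conf.d/XXX.com.conf && nginx -t
# Audit an existing deployment: cat /etc/nginx/sites-enabled/* | audit_ssl_protocols
http_redirect_block
https_server_block
```

Run `nginx -t` after writing the generated configuration, and run the audit over the post's method-one or method-two snippet to see it fail on the `TLSv1 TLSv1.1` entries.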

    4. Restart nginx

    /etc/init.d/nginx restart

    Both http://XXX.com and https://XXX.com are now reachable.

    5. Renewal

    Certificates issued by Let's Encrypt are valid for 3 months; running certbot renew renews them free of charge, as often as needed.

    Stop nginx first:

    /etc/init.d/nginx stop
    certbot renew --dry-run
    certbot renew

    Then restart nginx:

    /etc/init.d/nginx restart

    Note:

    If you see [error] open() "/run/nginx.pid" failed (2: No such file or directory), start nginx with:

    nginx -c /etc/nginx/nginx.conf
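The manual stop/renew/start sequence in step 5 is needed because the standalone authenticator must bind port 80 itself while nginx holds it. The script below is an added example, not from the original post: it wraps the same renewal in certbot's `--pre-hook` and `--post-hook` options, which run the given commands only when a renewal is actually attempted, so the sequence can be scheduled unattended. It assumes the /etc/init.d/nginx init script and the /etc/letsencrypt/live layout from the post, a placeholder domain XXX.com, and that certbot and openssl are on PATH. It requests the http-01 challenge explicitly, since the tls-sni-01 challenge shown in the post's output has since been retired by Let's Encrypt; the expiry check is an independent monitoring aid, in case scheduled renewals silently stop working.

```shell
#!/bin/sh
# Added example (not from the original post): unattended renewal with hooks,
# plus an expiry check. Assumes /etc/init.d/nginx (as in the post), a placeholder
# domain XXX.com, and certbot/openssl on PATH.
set -eu

NGINX_INIT="${NGINX_INIT:-/etc/init.d/nginx}"
DOMAIN="${DOMAIN:-XXX.com}"

# Run the renewal, or with runner="echo" just print the command that would run.
#   $1  runner: "echo" to print instead of executing, "" to execute
#   $2  mode:   "dry" adds --dry-run (test against the staging CA), else a real renewal
renew_certs() {
    runner="${1:-}"
    mode="${2:-real}"
    extra=""
    if [ "$mode" = "dry" ]; then
        extra="--dry-run"
    fi
    # The hooks stop nginx only for the duration of an actual renewal attempt,
    # freeing port 80 for the standalone http-01 challenge, then start it again.
    $runner certbot renew --preferred-challenges http \
        --pre-hook "$NGINX_INIT stop" --post-hook "$NGINX_INIT start" $extra
}

# Return 0 if the live certificate expires within $1 days, 1 if it does not,
# 2 if the certificate file is missing or unreadable.
cert_expires_within_days() {
    days="$1"
    cert="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
    [ -r "$cert" ] || return 2
    # openssl -checkend exits 0 when the cert is still valid after that many seconds.
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# A line for /etc/cron.d (which has a user field): try twice a day. certbot only
# renews certificates within 30 days of expiry, so frequent attempts are harmless.
cron_line() {
    printf '0 */12 * * * root certbot renew --quiet --preferred-challenges http --pre-hook "%s stop" --post-hook "%s start"\n' \
        "$NGINX_INIT" "$NGINX_INIT"
}

# Perform a real or dry renewal only when explicitly requested, e.g.
#   RUN_RENEW=dry sh renew.sh
if [ -n "${RUN_RENEW:-}" ]; then
    renew_certs "" "$RUN_RENEW"
fi
```

Run `RUN_RENEW=dry sh renew.sh` first; a dry run goes through the hooks and the challenge against the staging CA without touching the live certificate, which is the cheapest way to confirm that nginx really releases port 80 and comes back afterwards.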
Original article: https://www.cnblogs.com/baby123/p/7607845.html