先在StartSSL上申请免费一年的SSL证书,具体过程网上很多教程。然后把申请到的key和crt文件上传到服务器,比如/usr/local/nginx/certs/.
Nginx配置SSL证书
直接贴上我的nginx的部分配置:
server { listen 443; server_name domain.com www.domain.com ; ssl on; ssl_certificate /usr/local/nginx/ssl/ssl.crt; ssl_certificate_key /usr/local/nginx/ssl/ssl.key; if ($http_transfer_encoding ~* chunked) { return 444; } gzip on; if (-d $request_filename) { rewrite ^/(.*)([^/])$ $scheme://$host/$1$2/ permanent; } root /home/wwwroot/; ssi off; ssi_silent_errors off; ssi_types text/shtml; location / { index index.html index.htm index.shtml index.php; autoindex off; } location /nginx_status { stub_status on; access_log off; } location ~ (favicon.ico) { log_not_found off; access_log off; } location ~* .(gif|jpg|jpeg|png|bmp|swf)$ { expires 1y; } location ~* .(js|css)$ { expires 7d; } #------------ location ~* ^(.+).(php[3-9]?|phtm[l]?)(/.*)*$ { set $real_script_name $1.$2; set $path_info $3; if (!-f $document_root$real_script_name) { return 404; } fastcgi_pass 127.0.0.1:8999; fastcgi_param HTTPS on; include enable_php.conf; } }
现在重启Nginx,Chrome应该能正常显示Https.如果只想使用Https连接,可以再添加一个server,然后跳转到https
server { listen 80; server_name liuzhichao.com www.liuzhichao.com ; rewrite ^ https://$server_name$request_uri? permanent; }
解决Firefox不信任StartSSL证书问题
wget http://cert.startssl.com/certs/ca.pem wget http://cert.startssl.com/certs/sub.class1.server.ca.pem cat ca.pem sub.class1.server.ca.pem >> ca-certs.crt cat ca-certs.crt >> ssl.crt
再次重启Nginx,本想这下Firefox也应该能正常识别证书了,但是重启Nginx遇到了SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error错误。
[emerg]: SSL_CTX_use_certificate_chain_file("/usr/local/nginx/certs/ssl.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib) configuration file /usr/local/nginx/conf/nginx.conf test failed
这个的意思就是server.crt读取到意外错误行.这是因为我们在合并StartSSL提供的crt证书时,直接cat到了ssl.crt里。使用vi或者nano命令打开并编辑ssl.crt,找到:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
修改为:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
保存这个crt文件,再次重启Nginx服务,输入申请证书时私钥的密码,启动成功后,现在使用Firefox访问网站也能信任证书了。