证书申请的:
1.lets encrypt 国际公益项目发展很快的,不过在国内暂时有些支持度还不够高,如微信安卓版就不认lets encrypt的证书。跳转进去一直处于空白页状态
2.沃通证书 国内的免费证书,支持度高些 http://freessl.wosign.com/freessl?tg=bd
证书替换:
1.在/usr/local/nginx/sslcert建个证书域名文件夹 如web.wo51go.com 包含(lets encrypt:ca_bundle.crt、certificate.crt、private.key) (沃通:1_zks.wo51go.com_bundle.crt 2_zks.wo51go.com.key )
2.在ngnix里面配置
server {
listen 443 ssl;
server_name zks.wo51go.com;
#lets encrypt
# ssl_certificate /usr/local/nginx/sslcert/web.wo51go.com/certificate.crt;
# ssl_certificate_key /usr/local/nginx/sslcert/web.wo51go.com/private.key;
#沃通
ssl_certificate /usr/local/nginx/sslcert/zks.wo51go.com/1_zks.wo51go.com_bundle.crt;
ssl_certificate_key /usr/local/nginx/sslcert/zks.wo51go.com/2_zks.wo51go.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
location / {
# root /opt/dis_app/static;
# index index.html index.htm;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://zks.wo51go.com;
}
}
3.http 转https
# server {
# listen 80;
# server_name web.wo51go.com;
# rewrite ^(.*)$ https://$host$1 permanent;
# }
经过以上配置大体就可以了。
碰到的问题
1.升级https后,页面里面不能使用http的链接,尤其是js文件,如果引用的是http,就不会执行。图片的话,会执行,但是在浏览器里面用DEBUG看会有警告。
2.安卓版微信对lets encrypt签名的证书不支持,会导致页面空白