HTTPS Configuration

I. HTTPS configuration

1.0 Environment

OS: CentOS 7

[root@www ~]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core)

nginx: nginx/1.12.2

Domain: sample.com (used as the example domain here)

1.1 Install the Certbot Let's Encrypt client

sudo yum install -y epel-release
sudo yum install -y certbot-nginx

1.2 Configure nginx

# Install nginx, if it is not installed yet
sudo yum install nginx
# Start nginx
sudo systemctl start nginx
# Configure nginx: set the server_name of the server block to your domain, e.g.
sudo vi /etc/nginx/nginx.conf
# server_name sample.net www.sample.net;
# Validate the nginx configuration file
sudo nginx -t
# Reload nginx
sudo systemctl reload nginx

1.3 Configure the firewall

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

1.4 Obtain the certificate

# There is a pitfall here; for the fix see the two ImportError pages listed in the references
sudo certbot --nginx -d sample.net -d www.sample.net

1.5 Configure Diffie-Hellman parameters

# Generate a 2048-bit DH group for TLS key exchange
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# Add the following directive inside the HTTPS server block
sudo vi /etc/nginx/nginx.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Validate the configuration and reload nginx
sudo nginx -t
sudo systemctl reload nginx

1.6 Verify

Check /etc/nginx/nginx.conf

# HTTP server block: redirect to HTTPS
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    # Redirect non-https traffic to https
    if ($scheme != "https") {
      return 301 https://$host$request_uri;
    } # managed by Certbot
}

# HTTPS server block
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/h2o1k.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/h2o1k.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    server_name www.sample.net sample.net; # managed by Certbot

    root         /usr/local/nginx/html;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Validate the nginx configuration file and reload nginx.

Visit http://example.com and check whether it is redirected to HTTPS.

1.7 Configure automatic renewal

sudo crontab -e
# Run renewal daily at 03:15; certbot only renews certificates that are close to expiry
15 3 * * * /bin/certbot renew --quiet
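The checks in 1.6 and 1.7 are done by hand above. The script below is an added example, not part of the original post: it verifies the HTTP-to-HTTPS redirect and the TLS directives from constructed input, and in `--live` mode runs the same checks against the real host plus a certbot renewal dry run. DOMAIN and the file name check_https.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# nginx + certbot setup described above. DOMAIN is an assumed placeholder.
DOMAIN="${DOMAIN:-sample.net}"

# Check 1: the HTTP server block must answer with a 301 to the HTTPS origin.
# Reads raw response headers (as printed by `curl -sI`) from stdin.
redirect_ok() {
    hdrs=$(cat)
    printf '%s\n' "$hdrs" | head -n 1 | grep -q ' 301 ' || return 1
    printf '%s\n' "$hdrs" | grep -iq "^location: *https://$DOMAIN/" || return 1
}

# Check 2: the config must carry the certbot-managed TLS directives, the
# ssl_dhparam line from step 1.5, an ssl listener and the 301 redirect.
# Reads nginx.conf text from stdin.
tls_directives_ok() {
    conf=$(cat)
    for d in ssl_certificate ssl_certificate_key ssl_dhparam; do
        printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$d[[:space:]]" || return 1
    done
    printf '%s\n' "$conf" | grep -Eq '443[[:space:]]+ssl' || return 1
    printf '%s\n' "$conf" | grep -q 'return 301 https://' || return 1
}

# Live run against the real host (needs network; certbot needs root):
#   sh check_https.sh --live
if [ "$1" = "--live" ]; then
    if curl -sI "http://$DOMAIN/" | redirect_ok; then
        echo "redirect: ok"; else echo "redirect: FAIL"; fi
    if tls_directives_ok < /etc/nginx/nginx.conf; then
        echo "tls directives: ok"; else echo "tls directives: FAIL"; fi
    # Expiry date of the certificate actually served on port 443
    echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
        | openssl x509 -noout -enddate
    # Exercise the renewal path (same as the cron job) without replacing the live certificate
    sudo certbot renew --dry-run
fi
```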

II. References


Reposted from my.oschina.net/yysue/blog/1676047