Let'sEncrypt:为CentOS/RHEL7下的nginx安装https支持具体案例

环境说明:

centos 7
nginx 1.10.2


前期准备

软件安装

yum install -y epel-release
yum install -y certbot


创建目录及链接

方法1&＃xff1a;在网站根目录下创建一个.well-known的目录
方法2&＃xff1a;
mkdir -p /usr/local/nginx/cert/.well-known
ln -s /usr/local/nginx/cert/.well-known /data/www/example.com/.well-known
ln -s /usr/local/nginx/cert/.well-known /data/www/test.example.com/.well-known


命令执行

certbot certonly --webroot -w /usr/local/nginx/cert -d example.com -d test.example.com根据提示进行操作&＃xff0c;一般可以正常生产证书文件。
证书文件的目录存放在: &＃39;/etc/letsencrypt/live/example.com/&＃39;
会有4个文件:
cert.pem
chain.pem
fullchain.pem
privkey.pem特别要注意&＃xff0c;这条命令只会将生成的证书放在这个目录&＃xff0c;不会有一个/etc/letsencrypt/live/test.example.com/目录&＃xff0c;test.example.com的证书和example.com的证书放在一起了&＃xff0c;具体看后面的nginx配置。


nginx配置

server {listen 443 ssl http2;server_name example.com;index index.html index.htm index.php;root /data/www/example.com;ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;ssl_ciphers "EECDH&＃43;AESGCM:EDH&＃43;AESGCM:AES256&＃43;EECDH:AES256&＃43;EDH";ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;access_log off;
}server {listen 443 ssl http2;server_name test.example.com;index index.html index.htm index.php;root /data/www/test.example.com;ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;ssl_ciphers "EECDH&＃43;AESGCM:EDH&＃43;AESGCM:AES256&＃43;EECDH:AES256&＃43;EDH";ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;access_log off;
}


定期更新


crontab -e # 新增如下定时任务
10 6 * * * /bin/certbot renew --quiet &>/dev/nullLet&＃39;s Encrypt 的证书有效期为90天&＃xff0c;如果证书的有效期大于30天&＃xff0c;则上面命令不会真的去更新证书的。


https测试

在浏览器输入 https://example.com 网址进行验证&＃xff0c;一般Chrome会有一个绿色的锁以及Secure标示。