{"id":5534,"date":"2016-11-22T17:51:17","date_gmt":"2016-11-22T09:51:17","guid":{"rendered":"https:\/\/sdeno.com\/?p=5534"},"modified":"2016-11-22T17:54:26","modified_gmt":"2016-11-22T09:54:26","slug":"%e5%9c%a8nginx%e4%b8%ad%e9%85%8d%e7%bd%aessl","status":"publish","type":"post","link":"https:\/\/sdeno.com\/?p=5534","title":{"rendered":"\u5728nginx\u4e2d\u914d\u7f6eSSL"},"content":{"rendered":"<p>\u6700\u8fd1\u7a81\u7136\u60f3\u628a\u81ea\u5df1\u7684\u535a\u5ba2\u5f04\u6210HTTPS\uff0c\u4e5f\u4e0d\u662f\u4e3a\u4e86\u52a0\u5f3a\u5b89\u5168\uff0c\u53ea\u662f\u559c\u6b22\u6298\u817e\uff0c\u800c\u4e14\u611f\u89c9\u52a0\u4e2a\u7eff\u8272\u5c0f\u9501\u9177\u9177\u7684\u3002<br \/>\nHTTPS\u514d\u8d39\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u6709startSSL\u548cletsencrypt\uff0c\u6211\u4f7f\u7528\u7684\u662fletsencrypt\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">\u901a\u8fc7\u811a\u672c\u5b89\u88c5certbot-auto\uff1a<\/span><\/p>\n<pre>wget https:\/\/dl.eff.org\/certbot-auto\r\nchmod a+x certbot-auto<\/pre>\n<p>\u9700\u8981python\u7248\u672c\u662f2.6\u7684<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">1. 
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/span><\/p>\n<p>\/etc\/letsencrypt\/configs\/wuyanxin.com.conf<\/p>\n<pre># the domain we want to get the cert for;\r\n # technically it's possible to have multiple of this lines, but it only worked\r\n # with one domain for me, another one only got one cert, so I would recommend\r\n # separate config files per domain.\r\n domains = wuyanxin.com \r\n \r\n # increase key size\r\n rsa-key-size = 2048 # Or 4096\r\n \r\n # the current closed beta (as of 2015-Nov-07) is using this server\r\n server = https:\/\/acme-v01.api.letsencrypt.org\/directory\r\n \r\n # this address will receive renewal reminders\r\n email = your-email\r\n \r\n # turn off the ncurses UI, we want this to be run as a cronjob\r\n text = True\r\n \r\n # authenticate by placing a file in the webroot (under .well-known\/acme-challenge\/)\r\n # and then letting LE fetch it\r\n authenticator = webroot\r\n webroot-path = \/data\/www\/wuyanxin.com\/<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">2. \u914d\u7f6enginx,\u8ba9Let&#8217;s Encrypt\u53ef\u4ee5\u8bbf\u95ee\u5230\u4e34\u65f6\u6587\u4ef6<\/span><\/p>\n<p>\u52a0\u4e0a\u8fd9\u4e2alocation\u5230\u4f60\u7684nginx\u914d\u7f6e\u4e2d<\/p>\n<pre>server {\r\n  listen 80 default_server;\r\n  server_name wuyanxin.com;\r\n \r\n  location \/.well-known\/acme-challenge {\r\n     root \/data\/www\/wuyanxin.com;\r\n  }\r\n ...\r\n }<\/pre>\n<p>\u9a8c\u8bc1\u914d\u7f6e\uff0c\u91cd\u542fnginx<\/p>\n<pre>sudo nginx -t &amp;&amp; sudo nginx -s reload<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">3. \u8bf7\u6c42\u8bc1\u4e66<\/span><\/p>\n<pre>.\/certbot-auto --config \/etc\/letsencrypt\/configs\/wuyanxin.com.conf certonly<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">4. 
\u914d\u7f6enginx 443\u7aef\u53e3\u6307\u5411\u8bc1\u4e66<\/span><\/p>\n<pre>server {\r\n  listen 443 ssl default_server;\r\n  server_name wuyanxin.com;\r\n \r\n  ssl_certificate \/etc\/letsencrypt\/live\/wuyanxin.com\/fullchain.pem;\r\n  ssl_certificate_key \/etc\/letsencrypt\/live\/wuyanxin.com\/privkey.pem;\r\n \r\n ...\r\n }<\/pre>\n<p>\u914d\u7f6ehttp\u8df3\u8f6c\u5230https<\/p>\n<pre>server {\r\n  listen 80;\r\n  server_name wuyanxin.com;\r\n  return 301 https:\/\/$server_name$request_uri;\r\n }<\/pre>\n<p>\u91cd\u542fNginx<\/p>\n<pre>sudo nginx -t &amp;&amp; sudo nginx -s reload<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\">\u81ea\u52a8\u5237\u65b0\u8bc1\u4e66<\/span><br \/>\nLet&#8217;s encrypt \u7684\u8bc1\u4e66\u6709\u6548\u671f\u662f90\u5929\uff0c\u6240\u4ee5\u6211\u4eec\u5e94\u8be5\u5728\u8fc7\u671f\u4e4b\u524d\u5237\u65b0\u8bc1\u4e66\u3002<\/p>\n<p>\u51c6\u5907\u5982\u4e0b\u811a\u672c\uff0c\u4fdd\u5b58\u5230renew_letsencrypt.sh<\/p>\n<pre class=\"hljs bash\" style=\"color: #657b83;\"><code style=\"color: inherit;\"><span class=\"hljs-comment\" style=\"color: #93a1a1;\">#!\/bin\/sh<\/span>\r\n  \r\n  <span class=\"hljs-built_in\" style=\"color: #268bd2;\">cd<\/span> \/opt\/letsencrypt\/\r\n  .\/certbot certonly --config \/etc\/letsencrypt\/configs\/my-domain.conf\r\n  \r\n  <span class=\"hljs-keyword\" style=\"color: #859900;\">if<\/span> [ $? <span class=\"hljs-operator\">-ne<\/span> <span class=\"hljs-number\" style=\"color: #2aa198;\">0<\/span> ]\r\n   <span class=\"hljs-keyword\" style=\"color: #859900;\">then<\/span>\r\n          ERRORLOG=`tail \/var\/<span class=\"hljs-built_in\" style=\"color: #268bd2;\">log<\/span>\/letsencrypt\/letsencrypt.log`\r\n          <span class=\"hljs-built_in\" style=\"color: #268bd2;\">echo<\/span> <span class=\"hljs-operator\">-e<\/span> <span class=\"hljs-string\" style=\"color: #2aa198;\">\"The Let's Encrypt cert has not been renewed! 
\\n \\n\"<\/span> \\\r\n                   <span class=\"hljs-variable\" style=\"color: #b58900;\">$ERRORLOG<\/span>\r\n   <span class=\"hljs-keyword\" style=\"color: #859900;\">else<\/span>\r\n          nginx <span class=\"hljs-operator\">-s<\/span> reload\r\n  <span class=\"hljs-keyword\" style=\"color: #859900;\">fi<\/span>\r\n  \r\n  <span class=\"hljs-built_in\" style=\"color: #268bd2;\">exit<\/span> <span class=\"hljs-number\" style=\"color: #2aa198;\">0<\/span><\/code><\/pre>\n<p>\u5982\u679c\/var\/log\/letsencrypt\/\u4e0d\u5b58\u5728\u5c31\u5148\u521b\u5efa<br \/>\n\u901a\u8fc7crontab -e\u8bbe\u7f6e\u6bcf\u4e24\u4e2a\u6708\u5237\u65b0\u4e00\u6b21<\/p>\n<pre>0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * \/path\/to\/renew_letsencrypt.sh<\/pre>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/segmentfault.com\/a\/1190000007467737\" target=\"_blank\">\u00a0https:\/\/segmentfault.com\/a\/1190000007467737<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6700\u8fd1\u7a81\u7136\u60f3\u628a\u81ea\u5df1\u7684\u535a\u5ba2\u5f04\u6210HTTPS\uff0c\u4e5f\u4e0d\u662f\u4e3a\u4e86\u52a0\u5f3a\u5b89\u5168\uff0c\u53ea\u662f\u559c\u6b22\u6298\u817e\uff0c\u800c\u4e14\u611f\u89c9\u52a0\u4e2a\u7eff\u8272\u5c0f\u9501\u9177\u9177\u7684\u3002 HTTP 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39,9],"tags":[],"class_list":["post-5534","post","type-post","status-publish","format-standard","hentry","category-ubuntu","category-9"],"_links":{"self":[{"href":"https:\/\/sdeno.com\/index.php?rest_route=\/wp\/v2\/posts\/5534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sdeno.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdeno.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdeno.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sdeno.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5534"}],"version-history":[{"count":0,"href":"https:\/\/sdeno.com\/index.php?rest_route=\/wp\/v2\/posts\/5534\/revisions"}],"wp:attachment":[{"href":"https:\/\/sdeno.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdeno.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5534"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdeno.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}