阿里云Ubuntu 14.04 + Nginx + let's encrypt 搭建https访问

用云旺的做IM,ios端图片地址只能是https的才能显示,所以为服务器增加证书

Let’s Encrypt是一个免费并且开源的CA,且已经获得Mozilla、微软等主要浏览器厂商的根授信

1. 下载let's encrypt

apt-get install python-software-properties
apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

2.生成密钥

certbot certonly --standalone -d XXX.com

出现下面代表成功

root@iZ2zedq9lexkebewgjhhwzZ:/etc/letsencrypt# certbot certonly --standalone -d  51best.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for XXX.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/XXX.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/XXX.com/privkey.pem
   Your cert will expire on 2017-12-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

默认是在 /etc/letsencrypt/live 路径下

3. 配置nginx

(1)方式一

listen 80 ;
listen       443 ssl;
ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;

(2)方式二

listen       443 ssl;
ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;

通过https访问,成功。

通过http访问,失败。错误:ERR_CONNECTION_REFUSED

重定向http访问到https

server {
        listen 80;
        server_name XXX.com;
        rewrite ^(.*) https://$server_name$1 permanent;
}

访问http,成功

4. 重启nginx

/etc/init.d/nginx restart

http://XXX.com和https://XXX.com都可以访问

5.续期

  Let’s Encrypt 生成的免费证书为3个月时间,使用 certbot renew 可以无限免费续签 Https 证书

先关闭nginx

/etc/init.d/nginx stop
certbot renew --dry-run 
certbot renew

重启nginx

/etc/init.d/nginx restart

 注:

  如果遇到 [error] open() "/run/nginx.pid" failed (2: No such file or directory)

nginx -c /etc/nginx/nginx.conf
【推广】 免费学中医,健康全家人
原文地址:https://www.cnblogs.com/baby123/p/7607845.html