This post describes how to use a free SSL certificate from Let's Encrypt. You need a VPS on which you have administrative rights; then follow the steps below to issue a certificate for your domain.
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
mkdir -p /home/webroot/.well-known/acme-challenge # /home/webroot is the web root of the site
./letsencrypt-auto certonly --email [email protected] -d alair.cn,www.alair.cn --webroot -w /home/webroot --agree-tos # adjust the email, the domains and the web root
Once issuance succeeds, it prints the certificate path, e.g. /etc/letsencrypt/live/www.alair.cn/fullchain.pem:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.alair.cn/fullchain.pem. Your cert will
expire on 2016-03-14. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Next, configure Nginx to use the certificate, as in the following snippet:
... ...
listen 443 ssl http2;
server_name www.alair.cn;
index index.html index.htm default.html default.htm;
root /home/webroot;
ssl_certificate /etc/letsencrypt/live/www.alair.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.alair.cn/privkey.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
... ...
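A fuller Nginx configuration for the certificate issued above, added here as an example and not taken from the original post: it adds the port-80 server block that the --webroot method needs so issuance and later renewals keep working once the site is served over HTTPS, and it tightens the TLS settings. The domain, web root and certificate paths are the page's own; everything else is this example's assumption.

```nginx
# Added example (not from the original post). Domain, web root and certificate
# paths come from the page; the port-80 block and the TLSv1.2-only settings
# are this example's own choices.

# Port 80: serve only the ACME challenge directory (used by --webroot on
# issuance and on every renewal) and redirect everything else to HTTPS.
server {
    listen 80;
    server_name alair.cn www.alair.cn;

    location ^~ /.well-known/acme-challenge/ {
        root /home/webroot;
        default_type text/plain;
    }

    location / {
        return 301 https://www.alair.cn$request_uri;
    }
}

# Port 443: the site itself.
server {
    listen 443 ssl http2;
    server_name www.alair.cn;
    index index.html index.htm default.html default.htm;
    root /home/webroot;

    ssl_certificate     /etc/letsencrypt/live/www.alair.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.alair.cn/privkey.pem;

    # The original snippet also enables TLSv1 and TLSv1.1; this variant
    # allows only TLSv1.2 with forward-secret AEAD cipher suites.
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Ask browsers to use HTTPS only. Start with a short max-age and raise
    # it once automatic renewal has been confirmed to work.
    add_header Strict-Transport-Security "max-age=86400" always;
}
```

Check the syntax with `nginx -t` before reloading; the challenge location must stay reachable over plain HTTP or the next renewal will fail.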
Note: on my first issuance attempt it reported that it could not connect to the DV server. After troubleshooting, the cause turned out to be DNS; the DNS provider in use at the time was Dnspod, and switching to dns.he.net fixed it.