UNIXETC

Using a free Let's Encrypt certificate

This post shows how to use a free SSL certificate from Let's Encrypt. You need a VPS on which you have administrative rights; then follow the steps below to issue a certificate for your own domain.

git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
mkdir -p /home/webroot/.well-known/acme-challenge  # /home/webroot is the website's document root
./letsencrypt-auto certonly --email [email protected] -d alair.cn,www.alair.cn --webroot -w /home/webroot --agree-tos  # adjust the email, the domains and the webroot directory

Once issuance succeeds, it prints the certificate path, e.g. /etc/letsencrypt/live/www.alair.cn/fullchain.pem.

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.alair.cn/fullchain.pem. Your cert will
expire on 2016-03-14. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Next, configure Nginx to use the certificate, as in the following snippet:

... ...
listen 443 ssl http2;
server_name www.alair.cn;
index index.html index.htm default.html default.htm;
root /home/webroot;
ssl_certificate /etc/letsencrypt/live/www.alair.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.alair.cn/privkey.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
... ...
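The issuance output above says the certificate expires after about 90 days and must be re-issued by running Let's Encrypt again. The following added example (not from the original post) is a small POSIX sh check for whether a certificate in the live directory is close to expiry, so the re-issuance command from this post can be run only when needed; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI is
# available and that certificates live where letsencrypt-auto put them
# (/etc/letsencrypt/live/<domain>/fullchain.pem).

# cert_enddate PEM: print the notAfter line of the first certificate in PEM.
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null
}

# needs_renewal PEM DAYS
#   returns 0 if the certificate expires within DAYS days (renew it),
#   returns 1 if it is still valid beyond that window,
#   returns 2 if the file is missing or is not a PEM certificate.
needs_renewal() {
    pem=$1
    days=$2
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $pem" >&2; return 2; }
    secs=$((days * 86400))
    # -checkend exits 0 when the cert is still valid SECS seconds from now
    # and 1 when it will have expired by then.
    if openssl x509 -noout -checkend "$secs" -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_live_dir [LIVEDIR] [DAYS]: report every certificate under the
# letsencrypt live directory that expires within DAYS days (default 30).
check_live_dir() {
    live=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    for pem in "$live"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        if needs_renewal "$pem" "$days"; then
            echo "RENEW  $pem ($(cert_enddate "$pem"))"
        else
            echo "ok     $pem ($(cert_enddate "$pem"))"
        fi
    done
}
```

Run `check_live_dir` from cron and, when it prints a RENEW line, re-run the `letsencrypt-auto certonly ... --webroot -w /home/webroot` command shown above.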

Note: on my first issuance attempt it reported that it could not connect to the DV server. After troubleshooting, the cause turned out to be DNS: I was using Dnspod's DNS servers at the time, and after switching to dns.he.net it worked normally.