Let's Encrypt usage notes

I run a few small applications on my own Tencent Cloud server. I had thought there was so little content that HTTPS was not worth the trouble, but a classmate strongly recommended adding it anyway. Later I noticed that visiting a server without an ICP filing over HTTP shows the notice "This website is temporarily unavailable", while HTTPS is not affected, so adding HTTPS turned out to be a wise choice.

## Installation

Most of the guides I found online start by building from source. Then I found certbot, which is installed from a PPA and is a good deal more convenient.

https://certbot.eff.org/

For my own setup (Ubuntu 16.04 + Nginx), the install commands are:

```
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
```

The exact commands are shown on the page linked above once you select your web server and operating system.

## Configuration

Run `sudo letsencrypt certonly`

You are prompted with:

```
How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
```

Choose 1.

```
Please enter in your domain name(s) (comma and/or space separated)? (Enter 'c' to cancel):
```

Enter your domain name(s) as prompted.

Output similar to the following means the certificate was issued correctly:

```
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/domain.com/fullchain.pem. Your cert will
  expire on 2017-10-13. To obtain a new or tweaked version of this
  certificate in the future, simply run certbot again. To
  non-interactively renew *all* of your certificates, run "certbot
  renew"
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le
```

Generate 2048-bit DH parameters:

```
sudo openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
```

## Modify the Nginx configuration

Create a new file under /etc/nginx/sites-enabled with the following content:

```
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
}
```

Restart Nginx and the configuration takes effect.
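As an added example that is not part of the original post, here is a small Python audit of the server block above: it parses the directives, walks the cipher string and reports what a reviewer would want changed (no `ssl_protocols` directive, the static-RSA suites without forward secrecy, the 3DES suite that `!DES` does not exclude since OpenSSL's `DES` alias means single DES only, and the missing HSTS header). The regex parser handles single-line directives only, and the cipher check is a heuristic over the string's tokens rather than OpenSSL's own resolver.

```python
import re

# Constructed sample: the server block from this post with its full cipher string.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
}
"""

# OpenSSL suite-name prefixes whose key exchange gives forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-", "kEDH", "kEECDH", "EECDH", "EDH")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Map each single-line nginx directive in the block to its unquoted value."""
    pattern = r"^\s*([a-z_]+)\s+(.+?);\s*$"
    return {m.group(1): m.group(2).strip("'\"") for m in re.finditer(pattern, conf, re.M)}

def enabled_suites(cipher_string):
    """Tokens the cipher string keeps (not '!' or '-' prefixed); a heuristic that
    does not replay OpenSSL's alias expansion."""
    return [t for t in cipher_string.split(":") if t and t[0] not in "!-"]

def audit(conf):
    """Return a list of hardening findings for one server block."""
    findings, d = [], parse_directives(conf)
    protos = set(d.get("ssl_protocols", "").split())
    if not protos:
        findings.append("ssl_protocols not set: nginx's default applies; pin TLSv1.2 or newer")
    elif protos & LEGACY_PROTOCOLS:
        findings.append("legacy protocols enabled: " + " ".join(sorted(protos & LEGACY_PROTOCOLS)))
    for s in enabled_suites(d.get("ssl_ciphers", "")):
        if "DES-CBC3" in s or "3DES" in s:
            findings.append(f"3DES suite enabled (64-bit block cipher): {s}")
        elif "-" in s and not s.startswith(PFS_PREFIXES):
            findings.append(f"no forward secrecy (static RSA key exchange): {s}")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if "Strict-Transport-Security" not in conf:
        findings.append("no HSTS: add_header Strict-Transport-Security is missing")
    return findings

if __name__ == "__main__":
    print("\n".join("- " + f for f in audit(SAMPLE_CONF)))
```

Running it against the block above reports nine findings; point it at your own file by reading it into `audit()` instead of `SAMPLE_CONF`.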

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容