letsencrypt (opens new window) 为1.8亿个网站提供TLS证书的非盈利性证书颁发机构

安装 letsencrypt

apt install letsencrypt

生成 ssl 所需证书文件

注意: 生成的时候要先停止 nginx

letsencrypt certonly --standalone --email your@mail.com -d text1.com -d text2.com

成功生成如下:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx/fullchain.pem. Your cert
will expire on 2020-05-19. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

证书有效期只有 90 天, 免费续期的命令如下

letsencrypt certonly --renew-by-default --email your@mail.com -d text1.com -d text2.com

配置 crontab 定时任务, 自动续期

编写自动续期脚本, updateHttps.sh

sudo service nginx stop

/usr/bin/letsencrypt certonly --renew-by-default --email your@mail.com -d text1.com -d text2.com

sudo service nginx start

crontab -e

* * 1 * * /realpath/updateHttps.sh

修改 nginx.conf, 添加 https

server {
	# 强制跳转https
	if ($scheme = http) {
	   return 301 https://$server_name$request_uri;
	}

	listen 443 ssl;
	ssl_certificate   /etc/letsencrypt/live/text1.comfullchain.pem;
	ssl_certificate_key  /etc/letsencrypt/live/text1.comprivkey.pem;
	ssl_session_timeout 5m;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

}