新版Snap方式

一、基本环境

1、安装依赖

yum install openssl
yum install epel-release -y

2、生成2048位 DH parameters:

$ sudo openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048

3、安装cerbot工具

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto(赋予执行权限)

二、DNS指向及域名的http服务

三、域名验证

1、nginx配置文件

location /.well-known/acme-challenge/ {    
    allow all;  
}

2、生成证书,以下命令首次执行需要安装一些依赖包

sudo /usr/sbin/certbot-auto certonly --webroot -w /home/wwwroot/www.pgkid.com/public -d www.pgkid.com,pgkid.com --email zjiphp@163.com
第一次执行不建议自动确认参数  --agree-tos

3、如果使用apache,移除apache的干扰

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org
service httpd restart

4、修改配置nginx文件

if ($scheme = http)    {    
    #return 301 https://$server_name$request_uri; (强制跳转)    
}    
location ~ /.well-known {        
    allow all;    
}    
listen 443 ssl;    
ssl_certificate      /etc/letsencrypt/live/hs.123.com/fullchain.pem;    
ssl_certificate_key /etc/letsencrypt/live/hs.123.com/privkey.pem;    
ssl on;    
ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;    
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';    
ssl_prefer_server_ciphers on;    
ssl_session_cache shared:SSL:20m;    
ssl_session_timeout 20m;    
ssl_dhparam /etc/letsencrypt/live/dhparams.pem;

5、nginx重新加载

nginx -s reload

6、打开防火墙端口

firewall-cmd --zone=public --add-port=443/tcp  firewall-cmd --zone=public --add-port=443/tcp --permanent    firewall-cmd --list-all 查看效果

7、浏览器测试

8、证书自动更新

* * */5 * * /home/ssl/certbot-auto renew --quiet > /dev/null 2>&1 ; /usr/local/nginx/sbin/nginx -s reload
Last modification:August 20, 2021
© Allow specification reprint
如果觉得我的文章对你有用,请随意赞赏