Configure a free SSL Certificate in nginx
1. Background
Apple requires that apps submitted for review on January 1 use https, and https is on its way to becoming a standard service for Internet companies. Making a backend service answer both https and http takes only minutes. The difficulty is that https needs an ssl certificate, and a certificate is bound to domain names, so a well-planned site is easy to configure: if every name to be configured has the form *.domain.com, a single *.domain.com wildcard certificate is enough. A site often has more than one level of subdomain, though. With third-level names such as test.api.domain.com, test.www.domain.com and test.m.domain.com, a wildcard certificate cannot cover them all, which is why certificate providers generally offer certificates that carry several domain names.
Assume that an ssl certificate is required for six domain names www.domain.com, m.domain.com, api.domain.com, test.www.domain.com, test.m.domain.com, and test.api.domain.com.
This article uses a free Let's Encrypt certificate. Its advantages: 1. it is free; 2. although a certificate is valid for only 3 months, renewal can be automated with a script; 3. no account has to be registered on the provider's website, since the whole process runs on the local machine.
2. Environment
1. This article uses CentOS 7.2.1511 with kernel 3.10.0;
2. nginx is already installed, version nginx/1.10.2;
3. The nginx working directory is /opt/service/nginx/, laid out as follows:
```text
# tree /opt/service/nginx/
/opt/service/nginx/
├── conf
│   └── domain.com.conf
├── log -> /opt/logs/nginx
├── nginx -> /usr/sbin/nginx
├── nginx.pid
├── nginx.sh
└── ssl          # directory that stores the ssl certificate files
```
First, let's take a look at the files in the program directory after installation:
```text
# tree /opt/service/nginx/
/opt/service/nginx/
├── conf
│   └── domain.com.conf
├── log -> /opt/logs/nginx
├── nginx -> /usr/sbin/nginx
├── nginx.pid
├── nginx.sh
└── ssl
    ├── account.key
    ├── acme_tiny.py
    ├── intermediate.pem
    ├── signed.crt
    ├── domain.com.crt
    ├── domain.com.csr
    ├── domain.com.key
    └── update_crt.sh
```
3. Installing the certificate requires four files in total
1. Generate the private key file
```sh
# openssl genrsa -out domain.com.key 2048
Generating RSA private key, 2048 bit long modulus
....................++
........................................++
e is 65537 (0x10001)
```
2. Generate a CSR from the key file
Note: a. include all the domain names in the request; b. the path of openssl.cnf may differ from the one used here, so check where the file lives on your system first. The command uses bash process substitution to append a [SAN] section to a copy of openssl.cnf:
```sh
# openssl req -new -sha256 -key domain.com.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:test.m.domain.com,DNS:test.www.domain.com,DNS:test.api.domain.com,DNS:www.domain.com,DNS:m.domain.com,DNS:api.domain.com")) > domain.com.csr
```
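The wildcard limitation described in the Background and the SAN list that the CSR command needs are both easy to get wrong by hand. The script below is an added example, not part of the original article and not part of acme-tiny: it reports which of the six names a *.domain.com wildcard would cover (using the single-label rule browsers apply to wildcards), builds the [SAN] section, and, where openssl is installed, writes the CSR through a temporary config file instead of bash process substitution so it also works under plain sh, then prints the names that ended up in the request. The helper names, the OPENSSL_CNF variable and the temporary-file approach are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): wildcard coverage check plus
# the [SAN] block that "openssl req -reqexts SAN" expects. The six names are the
# article's; nothing here contacts Let's Encrypt.

# wildcard_covers PATTERN NAME
# Succeeds when NAME is matched by PATTERN under the single-label rule browsers
# use (RFC 6125): "*" stands for exactly one DNS label, so *.domain.com covers
# www.domain.com but neither test.www.domain.com nor domain.com itself.
wildcard_covers() {
    pattern=$1
    name=$2
    case "$pattern" in
        '*.'*) suffix=${pattern#\*.} ;;
        *) if [ "$pattern" = "$name" ]; then return 0; else return 1; fi ;;  # no wildcard: exact match only
    esac
    # The name must end in ".suffix" ...
    case "$name" in
        *".$suffix") ;;
        *) return 1 ;;
    esac
    # ... and what precedes ".suffix" must be one non-empty label (no dot in it).
    label=${name%".$suffix"}
    case "$label" in
        ''|*.*) return 1 ;;
        *) return 0 ;;
    esac
}

# san_extension NAME... -> prints the [SAN] section for "openssl req -reqexts SAN"
san_extension() {
    san=""
    for n in "$@"; do
        san="${san}${san:+,}DNS:$n"
    done
    printf '[SAN]\nsubjectAltName=%s\n' "$san"
}

# uncovered_names PATTERN NAME... -> prints the names that PATTERN does not cover
uncovered_names() {
    pattern=$1; shift
    for n in "$@"; do
        wildcard_covers "$pattern" "$n" || printf '%s\n' "$n"
    done
}

# make_csr KEY OUT NAME...: the article's CSR command, written with a temporary
# config file instead of bash process substitution. OPENSSL_CNF is an assumption;
# the article notes the path differs between systems.
make_csr() {
    key=$1; out=$2; shift 2
    cnf=${OPENSSL_CNF:-/etc/pki/tls/openssl.cnf}
    tmp=$(mktemp) || return 1
    { cat "$cnf"; san_extension "$@"; } > "$tmp"
    if openssl req -new -sha256 -key "$key" -subj "/" -reqexts SAN -config "$tmp" > "$out"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    # Show the names that actually landed in the request, to catch a typo before submitting it.
    openssl req -in "$out" -noout -text | grep -A1 'Subject Alternative Name'
}

# The six names from the article.
DOMAINS="www.domain.com m.domain.com api.domain.com test.www.domain.com test.m.domain.com test.api.domain.com"

echo "Names a *.domain.com wildcard would NOT cover:"
uncovered_names '*.domain.com' $DOMAINS
echo
san_extension $DOMAINS
```

Run it as `sh csr_names.sh` to see the coverage report and the SAN block; on the server, `make_csr domain.com.key domain.com.csr $DOMAINS` produces the request. The coverage check is why the three test.* names each need their own SAN entry rather than a wildcard.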
3. Configure domain name verification
Before submitting a certificate request, you must prove to the certificate authority that the website belongs to you. First make sure that dns resolves these domain names to your machine and that ordinary requests from the Internet reach it through them.
```nginx
server {
    listen 80 default backlog=2048;
    server_name www.domain.com m.domain.com api.domain.com test.www.domain.com test.api.domain.com test.m.domain.com;
    charset utf8;
    access_log /opt/service/nginx/log/domain.com.access.log main;
    error_log /opt/service/nginx/log/domain.com.error.log error;

    location ^~ /.well-known/acme-challenge/ {
        alias /opt/service/www/challenges/;
        try_files $uri =404;
    }
    location / {
        root /opt/service/www/;
    }
}
```
Note: a. This configuration is only needed while applying for or renewing the certificate; once the certificate has been issued, a machine that merely deploys it does not need it. b. Restart nginx after changing the configuration.
4. Create/update a certificate
```sh
# cd /opt/service/nginx/ssl
# openssl genrsa 4096 > account.key
# wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
# chmod a+rwx acme_tiny.py
```
Note: a. Check beforehand whether python is installed on the machine, and install it if not.
Edit the certificate update script update_crt.sh (the same script is used for the initial creation of the certificate; it is generic):
```bash
#!/bin/bash
cd /opt/service/nginx/ssl
# acme_tiny.py answers the http-01 challenges from the challenges directory and prints the signed certificate
python acme_tiny.py --account-key account.key --csr domain.com.csr --acme-dir /opt/service/www/challenges/ > signed.crt || exit
# fetch the Let's Encrypt intermediate and build the full chain nginx serves
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > domain.com.crt
/opt/service/nginx/nginx.sh restart
```
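The update_crt.sh above has two sharp edges: `> signed.crt` truncates the live file before acme_tiny.py has succeeded, and a restart drops open connections even when the new configuration is broken. The script below is an added example, not the article's script and not part of acme-tiny: it renews only when the certificate is close to expiry, writes the new files to temporary names, checks that the issued certificate matches domain.com.key and chains through the downloaded intermediate, and reloads nginx only if `nginx -t` passes. The RENEW_DAYS threshold, the temporary-file handling, the use of the /opt/service/nginx/nginx symlink with `-t` and `-s reload`, and the `run` argument are assumptions of this example; the paths and the intermediate URL are the article's.

```shell
#!/bin/sh
# Added example (not the article's update_crt.sh): safer renewal for the setup above.
# Paths and the intermediate URL are the article's; RENEW_DAYS, the temporary files,
# the key/chain checks and the reload-after-test step are this example's assumptions.

SSL_DIR=/opt/service/nginx/ssl
CHALLENGE_DIR=/opt/service/www/challenges/
INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
NGINX=/opt/service/nginx/nginx            # symlink to /usr/sbin/nginx in the article's tree
RENEW_DAYS=${RENEW_DAYS:-30}              # renew when fewer than this many days remain

# cert_expires_within CERT DAYS: succeeds (0) if CERT is missing, unreadable,
# or expires within DAYS days; fails (1) when it stays valid for longer than that.
cert_expires_within() {
    secs=$(($2 * 86400))
    # "openssl x509 -checkend N" exits 0 while the certificate stays valid for N more seconds
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert KEY CERT: succeeds when the RSA modulus of both is the same
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; fi
    return 1
}

# chain_ok CERT INTERMEDIATE: succeeds when CERT verifies via INTERMEDIATE to the system trust store
chain_ok() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

renew() {
    cd "$SSL_DIR" || return 1
    if ! cert_expires_within domain.com.crt "$RENEW_DAYS"; then
        echo "domain.com.crt is valid for more than $RENEW_DAYS days; nothing to do"
        return 0
    fi
    new_signed=$(mktemp "$SSL_DIR/signed.XXXXXX") || return 1
    new_inter=$(mktemp "$SSL_DIR/intermediate.XXXXXX") || return 1
    # Write to temporary files so a failed run leaves the live certificate untouched.
    if ! python acme_tiny.py --account-key account.key --csr domain.com.csr \
            --acme-dir "$CHALLENGE_DIR" > "$new_signed"; then
        echo "acme_tiny.py failed; keeping the current certificate" >&2
        rm -f "$new_signed" "$new_inter"; return 1
    fi
    if ! wget -q -O - "$INTERMEDIATE_URL" > "$new_inter"; then
        echo "could not download the intermediate certificate" >&2
        rm -f "$new_signed" "$new_inter"; return 1
    fi
    if ! key_matches_cert domain.com.key "$new_signed" || ! chain_ok "$new_signed" "$new_inter"; then
        echo "issued certificate does not match domain.com.key or does not chain; keeping the old one" >&2
        rm -f "$new_signed" "$new_inter"; return 1
    fi
    cat "$new_signed" "$new_inter" > domain.com.crt.new
    chmod 644 domain.com.crt.new
    mv domain.com.crt.new domain.com.crt     # rename is atomic: nginx never reads a half-written file
    mv "$new_signed" signed.crt
    mv "$new_inter" intermediate.pem
    # Reload (keeps open connections) only after the configuration parses.
    "$NGINX" -t && "$NGINX" -s reload
}

# Invoke as "sh renew_cert.sh run" (e.g. from cron); without the argument only the functions are defined.
case "${1:-}" in
    run) renew ;;
esac
```

Install it beside update_crt.sh and run it from root's crontab once a day; because of the expiry check it does nothing until renewal is due, so a transient failure is retried the next day rather than leaving an expired certificate in place. Keep acme_tiny.py owned by root with mode 0755 rather than a+rwx: a script that root executes must not be writable by other users.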
Run the update script:
```text
# ./update_crt.sh
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying m.domain.com...
m.domain.com verified!
Verifying www.domain.com...
www.domain.com verified!
Verifying test.m.domain.com...
test.m.domain.com verified!
Verifying test.api.domain.com...
test.api.domain.com verified!
Verifying test.www.domain.com...
test.www.domain.com verified!
Verifying api.domain.com...
api.domain.com verified!
Signing certificate...
Certificate signed!
--12:36:33--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)... 96.7.106.59, 2600:1417:8000:389:2a1f, 2600:1417:3aa:2a1f
Connecting to letsencrypt.org (letsencrypt.org)|96.7.106.59|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1647 (1.6K) [application/x-x509-ca-cert]
Saving to: 'stdout'
100%[======================================>] 1,647       --.-K/s   in 0s
12:36:33 (404 MB/s) - written to stdout [1647/1647]
```
5. Configure ssl for nginx
```nginx
# vim ../conf/domain.com.conf
server {
    listen 80 default backlog=2048;
    server_name domain.com;
    charset utf8;
    access_log /opt/service/nginx/log/domain.com.access.log main;
    error_log /opt/service/nginx/log/domain.com.error.log error;
    listen 443 ssl;
    ssl_certificate /opt/service/nginx/ssl/domain.com.crt;
    ssl_certificate_key /opt/service/nginx/ssl/domain.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    ssl_session_tickets on;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    location ^~ /.well-known/acme-challenge/ {
        alias /opt/service/www/challenges/;
        try_files $uri =404;
    }
    location / {
        root /opt/service/www/;
    }
}
```
Start nginx and check the result with https://www.ssllabs.com/ssltest/analyze.html.
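As an added example that is not part of the article, here is the same server configuration with the TLS settings tightened: port 80 serves only the ACME challenge and redirects everything else to https, the 3DES suites and the protocols before TLS 1.2 are dropped, session tickets are switched off, and an HSTS header is sent. The paths, the server names and the cipher order are the article's; the redirect, the choice of TLSv1.2 only (nginx 1.10.2 predates TLS 1.3 support) and the HSTS max-age of 180 days are this example's assumptions.

```nginx
# Added example, not the article's configuration: hardened variant of domain.com.conf.

# Port 80: answer ACME http-01 challenges, redirect everything else to https.
server {
    listen 80 default_server backlog=2048;
    server_name www.domain.com m.domain.com api.domain.com test.www.domain.com test.api.domain.com test.m.domain.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /opt/service/www/challenges/;
        try_files $uri =404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    server_name www.domain.com m.domain.com api.domain.com test.www.domain.com test.api.domain.com test.m.domain.com;
    charset utf8;
    access_log /opt/service/nginx/log/domain.com.access.log main;
    error_log /opt/service/nginx/log/domain.com.error.log error;

    ssl_certificate /opt/service/nginx/ssl/domain.com.crt;
    ssl_certificate_key /opt/service/nginx/ssl/domain.com.key;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    # Ticket keys are generated at start and rotated only on reload, so a leaked key
    # decrypts every session resumed with it; keep tickets off unless you rotate keys.
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;

    # Only TLS 1.2 (no SSLv3/TLS 1.0/1.1); the article's cipher list minus the
    # 3DES suites, whose 64-bit block size is the basis of the Sweet32 attack.
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5:!3DES;

    # Tell browsers to use https for these hosts for 180 days; enable only after
    # every name answers correctly over https, because browsers enforce it.
    add_header Strict-Transport-Security "max-age=15552000" always;

    location / {
        root /opt/service/www/;
    }
}
```

Run `nginx -t` before reloading. With this configuration the ssllabs test above should no longer list weak ciphers, and the renewal challenge still works because the acme-challenge location is served on port 80 without a redirect.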