Configure a free SSL Certificate in nginx

Source: Internet
Author: User
Tags: free ssl, free ssl certificate, ssl certificate, letsencrypt

1. Background

Apple requires that apps submitted for review from January 1 use https, and https is on its way to becoming a standard service for Internet companies. Making a backend serve both https and http takes only minutes; the real work is the SSL certificate, because a certificate is bound to domain names. If the site's naming was planned well, this is easy: when every host is under *.domain.com, a single wildcard certificate for *.domain.com is enough. A wildcard only matches one label, though, so third-level names such as test.api.domain.com, test.www.domain.com and test.m.domain.com are not covered by it. Certificate providers therefore generally sell certificates that cover several domain names at once.
Assume that an SSL certificate is needed for six domain names: www.domain.com, m.domain.com, api.domain.com, test.www.domain.com, test.m.domain.com and test.api.domain.com.
This article uses a free Let's Encrypt certificate. Advantages: 1. It is free. 2. Although a certificate is only valid for 3 months, renewal can be automated with a script. 3. No account has to be registered on the CA's website; the whole process runs on the local machine.

2. Environment

1. This article uses CentOS 7.2.1511 with kernel 3.10.0;
2. nginx is already installed: nginx version: nginx/1.10.2;
3. The nginx working directory is /opt/service/nginx/, laid out as follows:


  # tree /opt/service/nginx/
  /opt/service/nginx/
  |-- conf
  |   `-- domain.com.conf
  |-- log -> /opt/logs/nginx
  |-- nginx -> /usr/sbin/nginx
  |-- nginx.pid
  |-- nginx.sh
  `-- ssl          directory that holds the SSL certificate files
For orientation, here is the same directory after the whole procedure below has been completed:

  # tree /opt/service/nginx/
  /opt/service/nginx/
  |-- conf
  |   `-- domain.com.conf
  |-- log -> /opt/logs/nginx
  |-- nginx -> /usr/sbin/nginx
  |-- nginx.pid
  |-- nginx.sh
  `-- ssl
      |-- account.key
      |-- acme_tiny.py
      |-- intermediate.pem
      |-- signed.crt
      |-- domain.com.crt
      |-- domain.com.csr
      |-- domain.com.key
      `-- update_crt.sh


3. Installing the certificate: four files are needed in total
1. Generate the private key file (keep it readable by root only; it is the secret behind the certificate)
# openssl genrsa -out domain.com.key 2048

Generating RSA private key, 2048 bit long modulus
....................++
..................................................................................................................++
e is 65537 (0x10001)

2. Generate a CSR from the key file
Note: A. Include every domain name in the subjectAltName list; a name that is not in the CSR will not be in the certificate. B. The path of openssl.cnf differs between systems (on CentOS 7 it is /etc/pki/tls/openssl.cnf); check where it is on your system first.
# openssl req -new -sha256 -key domain.com.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:test.m.domain.com,DNS:test.www.domain.com,DNS:test.api.domain.com,DNS:www.domain.com,DNS:m.domain.com,DNS:api.domain.com")) > domain.com.csr
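Steps 1 and 2 as one added shell example that is not from the original article: it builds the multi-SAN CSR from a hostname list using a small stand-alone openssl config instead of the system openssl.cnf, and then reads the SAN list back out of the CSR to confirm every name is present before the CSR goes anywhere near the CA. The function names, the temporary-config approach and the sample hostname list are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article: build a multi-SAN CSR from a
# hostname list and verify the CSR carries every name before it goes to the CA.
# Function names and the constructed hostname list are assumptions.
set -eu

# make_san_csr KEY CSR HOST...  -- write a CSR whose only identity is its SAN list.
# A minimal req config replaces the system openssl.cnf: an empty DN section
# (the subject is passed as "/" exactly as in the article) plus the SAN extension.
make_san_csr() {
    key=$1; csr=$2; shift 2
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name = req_dn\nprompt = no\n[req_dn]\n[SAN]\nsubjectAltName = %s\n' "$sans" > "$cfg"
    openssl req -new -sha256 -key "$key" -subj "/" -reqexts SAN -config "$cfg" -out "$csr"
    rm -f "$cfg"
}

# csr_sans CSR -- print the DNS names in the CSR's SAN extension, sorted, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort
}

# check_csr_covers CSR HOST... -- succeed only if every HOST is in the CSR's SAN list;
# a name missing here would simply be absent from the issued certificate.
check_csr_covers() {
    csr=$1; shift
    have=$(csr_sans "$csr")
    for h in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$h" || { echo "missing SAN: $h" >&2; return 1; }
    done
}

# Stand-alone demonstration with a throwaway key (constructed input).
demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/domain.com.key" 2048 2>/dev/null
    make_san_csr "$dir/domain.com.key" "$dir/domain.com.csr" \
        www.domain.com m.domain.com api.domain.com \
        test.www.domain.com test.m.domain.com test.api.domain.com
    csr_sans "$dir/domain.com.csr"
    check_csr_covers "$dir/domain.com.csr" \
        www.domain.com m.domain.com api.domain.com \
        test.www.domain.com test.m.domain.com test.api.domain.com && echo "CSR covers all six names"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

The temporary config avoids depending on the location of openssl.cnf, which the note above warns about; the read-back check is what catches a forgotten name, since Let's Encrypt will happily issue a certificate for whatever subset the CSR asks for.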

3. Configure domain name verification
Before submitting the certificate request you must prove to the CA that these hosts are yours. First make sure that DNS for all six names resolves to this machine and that the names can be reached from the Internet over plain http on port 80, because that is where the http-01 challenge files are fetched from.

  server {
      listen 80 default_server backlog=2048;
      server_name www.domain.com m.domain.com api.domain.com test.www.domain.com test.api.domain.com test.m.domain.com;
      charset utf8;
      access_log /opt/service/nginx/log/domain.com.access.log main;
      error_log /opt/service/nginx/log/domain.com.error.log error;

      location ^~ /.well-known/acme-challenge/ {
          alias /opt/service/www/challenges/;
          try_files $uri =404;
      }

      location / {
          root /opt/service/www/;
      }
  }

Note: a. This location block is only needed while requesting or renewing the certificate; a machine that merely deploys the finished certificate does not need it. Since renewal happens every three months, leave it in place on the machine that renews. b. Reload or restart nginx after changing the configuration.

4. Create/update a certificate
# cd /opt/service/nginx/ssl
# openssl genrsa 4096 > account.key
# wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
# chmod a+x acme_tiny.py

Note: a. Check whether python is installed on the machine; if not, install it. b. account.key identifies you to Let's Encrypt, so keep it readable by root only (chmod 600). Only add the execute bit to acme_tiny.py; a script that root runs must not be writable by other users.

Edit the certificate update script update_crt.sh (the same script also creates the certificate the first time, so it is generic):

  #!/bin/bash
  cd /opt/service/nginx/ssl || exit 1
  # Write the new certificate to a temporary file so a failed run does not
  # truncate the signed.crt that is currently in use; "|| exit" aborts on failure.
  python acme_tiny.py --account-key account.key --csr domain.com.csr --acme-dir /opt/service/www/challenges/ > signed.crt.tmp || exit 1
  mv signed.crt.tmp signed.crt
  wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem || exit 1
  # nginx wants the server certificate followed by the intermediate in one file
  cat signed.crt intermediate.pem > domain.com.crt
  /opt/service/nginx/nginx.sh restart

Note: the Let's Encrypt Authority X3 intermediate at that URL has since been retired. Current acme_tiny (ACMEv2) writes the full chain to stdout, so with a recent copy of the script the wget and cat steps are unnecessary and signed.crt can be used as domain.com.crt directly.
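An added shell example, not part of the original article or of acme_tiny, of the two checks a cron-driven version of update_crt.sh should make: only contact the CA when the certificate is actually close to expiry, and confirm the freshly signed certificate matches domain.com.key before nginx is restarted with it. The function names, the renewal threshold and the directory layout are assumptions; the acme_tiny invocation inside renew_if_due is the article's.

```sh
#!/bin/sh
# Added example, not from the original article or from acme_tiny: the checks a
# cron-driven renewal should make around the acme_tiny call. Function names, the
# renewal threshold and the directory layout are assumptions.
set -eu

# needs_renewal CERT DAYS -- succeed when CERT is missing or expires within DAYS
# days, so a daily cron job only contacts the CA when renewal is actually due.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null 2>&1; then
        return 1    # still valid for more than DAYS days
    fi
    return 0        # expiring soon, unreadable or absent: renew
}

# cert_matches_key CERT KEY -- succeed when the first certificate in CERT was
# issued for the public key in KEY. Run it before restarting nginx so a
# truncated or mismatched domain.com.crt can never take the site down.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# renew_if_due CERT_DIR DAYS -- update_crt.sh with both checks wired in. The
# acme_tiny invocation is the article's; the other paths are assumptions.
renew_if_due() {
    cd "$1"
    if ! needs_renewal domain.com.crt "$2"; then
        echo "domain.com.crt is valid for more than $2 days, nothing to do"
        return 0
    fi
    python acme_tiny.py --account-key account.key --csr domain.com.csr \
        --acme-dir /opt/service/www/challenges/ > signed.crt.tmp || return 1
    cert_matches_key signed.crt.tmp domain.com.key || {
        echo "signed certificate does not match domain.com.key, not installing it" >&2
        return 1
    }
    mv signed.crt.tmp signed.crt
    cat signed.crt intermediate.pem > domain.com.crt
    /opt/service/nginx/nginx.sh restart
}

# Stand-alone demonstration on a constructed self-signed certificate that is
# valid for 10 days, plus an unrelated key to show the mismatch case.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=www.domain.com" \
        -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    needs_renewal "$d/a.crt" 30 && echo "30-day threshold: renew"
    needs_renewal "$d/a.crt" 5 || echo "5-day threshold: nothing to do"
    cert_matches_key "$d/a.crt" "$d/a.key" && echo "a.crt matches a.key"
    cert_matches_key "$d/a.crt" "$d/other.key" || echo "a.crt does not match other.key"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

Run renew_if_due from a daily cron entry with a 30-day threshold: the certificate is valid for 90 days, so a renewal that fails for a few days (DNS change, challenge directory not served) still leaves weeks to notice before anything expires, while the key check guards the restart itself.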


Execute the update command

  # ./update_crt.sh
  Parsing account key...
  Parsing CSR...
  Registering account...
  Already registered!
  Verifying m.domain.com...
  m.domain.com verified!
  Verifying www.domain.com...
  www.domain.com verified!
  Verifying test.m.domain.com...
  test.m.domain.com verified!
  Verifying test.api.domain.com...
  test.api.domain.com verified!
  Verifying test.www.domain.com...
  test.www.domain.com verified!
  Verifying api.domain.com...
  api.domain.com verified!
  Signing certificate...
  Certificate signed!
  --12:36:33--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
  Resolving letsencrypt.org (letsencrypt.org)... 96.7.106.59, 2600:1417:8000:389:2a1f, 2600:1417:3aa:2a1f
  Connecting to letsencrypt.org (letsencrypt.org)|96.7.106.59|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 1647 (1.6K) [application/x-x509-ca-cert]
  Saving to: 'stdout'

  100%[======================================>] 1,647       --.-K/s   in 0s

  12:36:33 (404 MB/s) - written to stdout [1647/1647]

5. Configure ssl for nginx

  # vim ../conf/domain.com.conf
  server {
      listen 80 default_server backlog=2048;
      listen 443 ssl;
      server_name www.domain.com m.domain.com api.domain.com test.www.domain.com test.api.domain.com test.m.domain.com;
      charset utf8;
      access_log /opt/service/nginx/log/domain.com.access.log main;
      error_log /opt/service/nginx/log/domain.com.error.log error;

      ssl_certificate /opt/service/nginx/ssl/domain.com.crt;
      ssl_certificate_key /opt/service/nginx/ssl/domain.com.key;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 60m;
      ssl_session_tickets on;
      ssl_prefer_server_ciphers on;
      ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;

      location ^~ /.well-known/acme-challenge/ {
          alias /opt/service/www/challenges/;
          try_files $uri =404;
      }

      location / {
          root /opt/service/www/;
      }
  }

Note: a. server_name lists the six names the certificate was issued for; a browser that connects with a name that is not in the certificate shows a warning regardless of what nginx serves. b. 3DES suites are deliberately absent from ssl_ciphers: they are vulnerable to SWEET32 and cost an SSL Labs grade. If SSL Labs also flags TLS 1.0/1.1, restrict the allowed versions with ssl_protocols. c. The acme-challenge location stays in the production configuration because this same server answers the http-01 challenge at every renewal.

Start nginx, then check the result at https://www.ssllabs.com/ssltest/analyze.html by entering one of the domain names.


