Generate an HTTPS certificate and configure it for free

Source: Internet
Author: User
Tags install openssl openssl rsa openssl x509 cloudflare cdn nginx server ssl certificate certbot letsencrypt

To upgrade a site from HTTP to HTTPS, you need to add certificate information to the Nginx configuration. Research turns up two ways to generate the certificate.

First: Self-signed certificate, then turn on the CloudFlare CDN service

Check whether OpenSSL is installed:

    which openssl

If it is not installed, install it with apt-get or yum:

    sudo apt-get install openssl

Generate an RSA key file named "ssl.key". These commands produce ssl.pass.key and then ssl.key:

    openssl genrsa -des3 -passout pass:x -out ssl.pass.key 2048
    openssl rsa -passin pass:x -in ssl.pass.key -out ssl.key

Delete the intermediate file:

    rm ssl.pass.key

Next, use the generated ssl.key file to generate the ssl.csr file:

    openssl req -new -key ssl.key -out ssl.csr

Running this command prompts for a password; press ENTER, because we chose to leave the password blank when we generated ssl.key.

Finally, use the ssl.key and ssl.csr files generated earlier to generate the ssl.crt file, which is the self-signed SSL certificate:

    openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt

After this step we have a self-signed SSL certificate file, ssl.crt, valid for 365 days. The ssl.csr file is no longer needed and can be deleted:

    rm ssl.csr

Reference address: https://hinine.com/create-and-deploy-a-self-signed-ssl-certificate-to-nginx/

Second: With the help of Let's Encrypt

Let's Encrypt introduction
To enable HTTPS, you need to obtain a certificate from a certificate authority (hereinafter referred to as CA). Let's Encrypt is a CA, and we can get a free certificate for the website's domain name from it.

Certbot introduction
Certbot is the client officially recommended by Let's Encrypt for obtaining certificates. It can help us get a free Let's Encrypt certificate.

1. Download Certbot
It is best to follow the official website: https://certbot.eff.org/

2. Generate a free certificate
The official documentation has a more detailed description; choose according to your own circumstances: https://certbot.eff.org/docs/using.html

Note: There is an official limit on the number of certificate requests per week. If you are doing development testing, generate certificates with the --staging parameter so that you do not have to worry about the limit.

Here are a few ways. Whichever you choose, the essence is to verify that you own the domain name; only the way this is achieved differs.

1> webroot method. This method creates the .well-known folder in the site directory you configured on the server. The folder contains validation files, and Certbot accesses http://example.com/.well-known/acme-challenge to verify that your domain name is bound to this server.

If you have not created a site yourself, you can add a more general configuration:

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    certbot certonly --webroot -w <web site root> -d example.com -w <web site root> -d www.example.com

2> standalone method. If you do not want to use your own server, this method is a choice, but you need to free the corresponding port first, either 80 or 443 (depending on the method you choose).

Using port 80:

    certbot certonly --standalone --preferred-challenges http -d example.com

Using port 443:

    certbot certonly --standalone --preferred-challenges tls-sni -d example.com

Let's Encrypt has since retired the TLS-SNI-01 challenge, so current Certbot releases no longer accept tls-sni; use the port 80 form with them.

3> manual method. If you want to generate certificates on any Linux host, this method may be a choice. Note that the validation process generates a random string that you must add to your DNS server to complete the validation.

    certbot certonly --manual --preferred-challenges dns -d archerwong.cn

3. Delete the certificate
If you added the --staging parameter when generating the certificate, add it to the following commands as well:

    certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
    certbot delete --cert-name example.com

4. Certificate updates

    sudo certbot renew --dry-run

5. Rich selection of parameters
Many parameters can be added to all of the commands above; it is best to consult the official documentation: https://certbot.eff.org/docs/using.html

The official client provides a number of other ways to generate certificates, and you can choose according to your actual situation. After the certificate is generated, the /etc/letsencrypt/live/ directory contains a folder for the corresponding domain name, which holds symbolic links to the certificate files.

After the certificate is generated, configure Nginx

Open the Nginx server configuration file and add the following settings:

    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/<website domain name>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<website domain name>/privkey.pem;
        # Other configurations
    }

Force redirect to HTTPS

HTTPS listens on port 443 by default; if HTTPS access is not turned on, the default is port 80. If you are sure that the site on port 80 supports HTTPS, add the following block to redirect automatically to HTTPS:

    server {
        listen 80;
        server_name your.domain.com;
        return 301 https://$server_name$request_uri;
    }

Reference addresses:
https://zhuanlan.zhihu.com/p/21286171
https://zhuanlan.zhihu.com/p/24996258
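Before pointing ssl_certificate and ssl_certificate_key at a pair of files as described above, it is worth confirming that the certificate and key belong together and that the certificate is not about to expire, since a mismatched pair stops Nginx from loading the configuration. The script below is an added example, not part of the original article; the function names, the 30-day threshold and the throwaway self-signed pairs it builds as sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): pre-deployment checks for
# the files referenced by ssl_certificate / ssl_certificate_key.

# True when the certificate's public key equals the private key's public half.
# For fullchain.pem, openssl x509 reads the first (leaf) certificate.
# "-passin pass:" makes an encrypted key fail instead of prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight CERT KEY MIN_DAYS -> 0 ok, 1 unreadable or mismatched, 2 expiring
preflight() {
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 and $2 are unreadable or do not belong together"
        return 1
    fi
    if ! cert_valid_for_days "$1" "$3"; then
        echo "WARN: $1 expires within $3 days; renew before deploying"
        return 2
    fi
    echo "OK: $1 matches $2 and is valid for at least $3 more days"
}

# Constructed sample input: throwaway self-signed pairs (hypothetical helper).
make_demo_pair() {  # DIR NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=example.com" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pair "$demo_dir" a 365   # healthy pair
make_demo_pair "$demo_dir" b 5     # short-lived pair

preflight "$demo_dir/a.crt" "$demo_dir/a.key" 30 || echo "exit=$?"
preflight "$demo_dir/a.crt" "$demo_dir/b.key" 30 || echo "exit=$?"
preflight "$demo_dir/b.crt" "$demo_dir/b.key" 30 || echo "exit=$?"
```

On a real host, call preflight with the fullchain.pem and privkey.pem paths from the server block, then run nginx -t before reloading.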
