Nginx Configuration free HTTPS encryption certificate

Source: Internet
Author: User
Tags nginx server ssl certificate certbot letsencrypt

that's how Linux should learn 2018-05-11 .

Lab Environment: CentOS Linux release 7.3.1611 (Core)

Kernel version: Linux version 3.10.0-514.el7.x86_64

Nginx version: Nginx-1.13.0

Let's encrypt is a free, automated, open certification authority. Sponsored by many companies and organizations such as Mozilla, Cisco, Chrome, Facebook, and Akamai, the security is stable and reliable. Specific information can go to Letsencrypt official website for more details.

Today we take full advantage of lets encrypt let your website implement HTTPS encryption.

Official website: https://letsencrypt.org/

1. Installing Certbot and Source expansion packs

install -y epel-release

Certbot is the recommended client for let's encrypt official designation. With Certbot, you can automate the deployment of Let's Encrypt SSL certificates to add HTTPS encryption support to your website.

$ yumInstall Certbot
$ Certbot certonly
Saving DebugLogTo/var/Log/letsencrypt/letsencrypt.log
How wouldLikeTo authenticateWith the ACME CA?
How do you want to authenticate with the Acme CA?
-------------------------------------------------------------------------------
1:place filesIn WebrootDirectory (Webroot)
Place the file in the Webroot directory
2:spin up aTemporary webserver (Standalone
Use a temporary Web server (stand-alone directory)
-------------------------------------------------------------------------------
Select the appropriateNumber [1-2]Then [Enter] (pressCToCancel):1 "Choice1 return Car "
Enter Email address (usedFor urgent renewalandSecurity notices) (EnterCTo
Cancel): [Email protected] "Enter your email address for emergency updates and security notifications"
StartingNew HTTPSConnection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
PleaseRead the Termsof ServiceAt
Https://letsencrypt.org/documents/LE-SA-v1.1.1-august-1-2016.pdf. You must agree
InchOrderToRegisterWith the ACMEServerAt
https://acme-v01.api.letsencrypt.org/Directory
-------------------------------------------------------------------------------
(a) gree/(c) ancel:a "Select a enter to agree to the terms of service, C for refusal"
-------------------------------------------------------------------------------
Would you are willingToShare your email addressWith the Electronic Frontier
Foundation, a founding partnerof the Let' s Encrypt Project and the non-profit
Organization that develops Certbot? We ' dLikeTo send your email about EFFand
OurWorkToEncrypt the web, protect itsUsersand defend digital rights.
-------------------------------------------------------------------------------
(y) es/(N) o:y "If you would like to share your e-mail address, it is recommended to select Y Enter"
Please enterIn yourDomainName (s) (commaand/OrSpace separated) (EnterC
ToCancel): blog.renwole.com "Enter the domain name return"
Obtaining aNew Certificate
Performing theFollowing challenges:
http-01 ChallengeFor blog.renwole.com
Select the WebrootFor blog.renwole.com:
-------------------------------------------------------------------------------
1:enter ANew Webroot
Enter the site absolute path
-------------------------------------------------------------------------------
Press1 [Enter]ToConfirm the selection (pressCToCancel):1 "SELECT number1 return Car "
Input the WebrootFor blog.renwole.com: (EnterCToCancel):/home/www/blog.renwole.com "Enter the absolute path of the website to return"
WaitingFor verification ...
WaitingFor verification ...
Cleaning up challenges
GeneratingKey ( 2048 bits):/etc/letsencrypt/ keys/ 0001_key-certbot.pem
Creating CSR:/etc/letsencrypt/csr/ 0001_csr-certbot.pem
IMPORTANT NOTES:
-congratulations! Your Certificate and chain has been saved at
/etc/letsencrypt/live/blog.renwole.com/ Fullchain.pem. Your cert
would expire on : -08 -09. to obtain a new or tweaked version of
This certificate on the future, simply run CE Rtbot again. to
non-interactively renew *all* of your certificates, run "Certbot
Renew"
- If You Span>like Certbot, please consider supporting my work by:
Donating to Isrg/let ' s encry Pt:https://letsencrypt.org/donate
Donating to EFF:

Congratulations! Your SSL certificate and key link has been saved and your certificate will expire in 2017-08-09.
Note: You need to make sure that the Nginx 443 port is in a running state before generating the certificate, otherwise it will fail to generate a certificate.

2. Auto-Renewal

Certbot can be configured to automatically update certificates before the certificate expires. Because let's Encrypt SSL certificate is valid for 90 days, we recommend that you take advantage of this feature. You can test the automatic renewal of a certificate by running the following command:

$ sudo certbot --nginx certonly

If the above works correctly, you can schedule automatic updates by adding cron or systemd Scheduled tasks that run the following actions:

certbot renew

We write an auto-execute script that is recommended to be executed hourly:

$ sudo crontab -e

Add the following content:

0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Save and Exit!

To see if the add succeeds through the command:

$ crontab -l
0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Restart Crontab

$ systemctl status crond.service
$ systemctl restart crond.service

Observe whether crontab is executed by command:

$ tail -f /var/log/cron

If the certificate is renewed successfully, you can manage viewing the certificate information by using the following command:

$ certbot certificates

See the official documentation for more Certbot commands https://certbot.eff.org/docs/

3. Configure nginx.conf
Next, modify the Nginx configuration file, modify the sever segment, remove the corresponding comment, fill out the generated SSL certificate after ssl_certificate, fill in the generated key to Ssl_certificate_key, save and restart the Nginx server.

# vi /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/blog.renwole.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.renwole.com/privkey.pem;
# ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
}

Using Google Chrome access https://blog.renwole.com/can see the green Security Small lock icon, indicating that the site has been HTTPS encryption success.

Nginx Configuration free HTTPS encryption certificate

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.