Notes on using a Let's Encrypt HTTPS certificate with Nginx and enabling HTTP/2
Let's Encrypt usage notes
Certbot installation instructions
Following the Certbot project's official instructions for CentOS 6 and 7, a Python problem turned up during installation. CentOS 6 ships Python 2.6, and certbot-auto does not run on it; CentOS 7 ships Python 2.7. If pip is not installed, it has to be installed by hand. Once Python 2.7 and pip are in place, certbot runs normally on both 6 and 7.
Download Python
wget -c https://www.python.org/ftp/python/2.7.12/Python-2.7.12.tgz
tar xzf Python-2.7.12.tgz
Install Python 2.7
cd Python-2.7.12/
./configure --prefix=/usr/local
make
make altinstall
Use make altinstall rather than make install: it installs /usr/local/bin/python2.7 alongside the system interpreter instead of replacing the python binary that yum itself depends on.
Install pip
wget -c https://bootstrap.pypa.io/get-pip.py
python2.7 get-pip.py
Install certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Run to obtain the certificate
./certbot-auto certonly --standalone -d devservice.crazypandacam.com -d devadmin.crazypandacam.com -d devweb.crazypandacam.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/devservice.crazypandacam.com/fullchain.pem. Your cert will
   expire on 2017-01-07. To obtain a new or tweaked version of this certificate in
   the future, simply run certbot-auto again. To non-interactively renew *all* of
   your certificates, run "certbot-auto renew"
 - If you lose your account credentials, you can recover through e-mails sent to
   lihui@goluk.com.
 - Your account credentials have been saved in your Certbot configuration directory
   at /etc/letsencrypt. You should make a secure backup of this folder now. This
   configuration directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

./certbot-auto certonly --standalone -d testservice.crazypandacam.com -d testadmin.crazypandacam.com -d testweb.crazypandacam.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/testservice.crazypandacam.com/fullchain.pem. Your cert will
   expire on 2017-01-07. To obtain a new or tweaked version of this certificate in
   the future, simply run certbot-auto again. To non-interactively renew *all* of
   your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Three things worth noting in this output. Each certificate covers all the names given with -d, and its lineage directory under /etc/letsencrypt/live/ is named after the first of them, which is why the nginx configuration later points at service.crazypandacam.com. The --standalone authenticator starts its own temporary web server to answer the ACME challenge, so nothing else may be listening on the challenge port while it runs; that is the reason nginx has to be stopped for renewals further down. And /etc/letsencrypt holds the ACME account key as well as every private key, so it should be backed up and kept readable by root only.
Upgrade nginx to enable HTTP/2 support
HTTP/2 support arrived in nginx 1.9.5, which is newer than the package in the stock CentOS repositories, so the official nginx.org repository is added. Create the following file with vi /etc/yum.repos.d/nginx.repo:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
Caveat: gpgcheck=0 disables signature verification for packages fetched over plain HTTP from this repository, so a tampered mirror or an on-path attacker could hand you a modified nginx binary. nginx.org publishes a package signing key; the safer setting is gpgcheck=1 with gpgkey=https://nginx.org/keys/nginx_signing.key.
Run
yum update nginx
For the full configuration file, refer to Mozilla's TLS best-practices configuration.
Configuration example: the actual pixcar configuration
Because pixcar must serve plain HTTP as well as HTTPS and HTTP/2, the configuration departs from the Mozilla best practices in places.
    server_name pixcargoluk.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/letsencrypt/live/service.crazypandacam.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/service.crazypandacam.com/privkey.pem;
A few caveats about this block. The protocol and cipher lists correspond to Mozilla's intermediate profile of the time: they keep TLSv1, TLSv1.1 and the 3DES suites (the DES-CBC3-SHA entries) for old clients, and they also keep suites without forward secrecy (the plain AES128-SHA style entries). On a server that does not have to support such clients, restrict ssl_protocols to TLSv1.2 (and TLSv1.3 on nginx 1.13 or later built against OpenSSL 1.1.1) and drop the 3DES and non-ECDHE suites. ssl_stapling on its own is not enough: nginx needs a resolver directive to look up the OCSP responder named in the certificate, and ssl_stapling_verify needs the issuer chain supplied through ssl_trusted_certificate; without them stapling quietly does not happen. Finally, the Strict-Transport-Security header (max-age 15768000, six months) only takes effect once a browser has already reached the site over HTTPS and applies to this host only, so the plain-HTTP server block that pixcar keeps should redirect to HTTPS rather than serve content, or first visits stay unencrypted.
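A quick way to catch the weak settings discussed above before they reach production is to lint the server block for them. The following script is an added example, not code from the original post or from nginx; it is a grep-based check that assumes one directive per line, as in the block above, and it is not an nginx configuration parser. The sample configurations it writes are constructed for the demonstration: weak.conf is the pixcar block from this page, hardened.conf is the same block restricted to TLSv1.2/1.3 and AEAD suites with a resolver added (127.0.0.1 stands in for whatever resolver the host actually uses).

```shell
#!/bin/sh
# Added example: audit an nginx TLS server block for weak settings.
# Flags protocol versions below TLSv1.2, cipher suites built on 3DES, RC4,
# NULL, export-grade or anonymous key exchange, and OCSP stapling enabled
# without a resolver. Assumes one directive per line (a lint, not a parser).

# audit_nginx_tls FILE: print one finding per line, return the number found.
audit_nginx_tls() {
  conf="$1"
  findings=0

  # 1. ssl_protocols: anything older than TLSv1.2 is flagged.
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1)
        echo "weak protocol enabled: $p"
        findings=$((findings + 1)) ;;
    esac
  done

  # 2. ssl_ciphers: walk the colon-separated list; "!" entries are exclusions.
  ciphers=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*['\"]\{0,1\}\([^'\";]*\).*/\1/p" "$conf")
  for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case "$c" in
      '!'*) ;;
      *DES-CBC3*|*RC4*|*NULL*|*EXP*|*ADH*|*AECDH*)
        echo "weak cipher suite: $c"
        findings=$((findings + 1)) ;;
    esac
  done

  # 3. OCSP stapling needs a resolver so nginx can reach the responder.
  if grep -q '^[[:space:]]*ssl_stapling[[:space:]]\{1,\}on' "$conf" \
     && ! grep -q '^[[:space:]]*resolver[[:space:]]' "$conf"; then
    echo "ssl_stapling on but no resolver directive"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# write_sample_configs DIR: constructed inputs so the audit can be tried
# offline. weak.conf is the pixcar block from the page; hardened.conf is the
# corrected version (127.0.0.1 is a placeholder resolver address).
write_sample_configs() {
  cat > "$1/weak.conf" <<'EOF'
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
EOF
  cat > "$1/hardened.conf" <<'EOF'
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1;
EOF
}
```

Run it against a real file with audit_nginx_tls /etc/nginx/conf.d/pixcar.conf (path assumed); the exit status is the number of findings, so it can gate a deployment. Against the page's own block it reports seven findings: TLSv1, TLSv1.1, the four 3DES suites, and stapling without a resolver.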
Automatic certificate renewal
Let's Encrypt certificates are valid for 90 days, and certbot-auto renew only renews those that are within 30 days of expiry, so a daily cron job is enough. Add a line to crontab (the path assumes certbot-auto was moved to /usr/local/bin after download):
# Automating renewal Let's Encrypt certificates
0 0 * * * /usr/local/bin/certbot-auto renew --quiet
After running this and checking the result, we found that the existing web service had to be stopped before this command could renew the certificate: the standalone authenticator has to bind the challenge port itself, and nginx already holds it. The line was therefore changed to the following:
# Automating renewal Let's Encrypt certificates
0 0 * * * /usr/local/bin/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
Two caveats. The hooks only run when at least one certificate is actually due for renewal, so nginx is not stopped every night, but it is stopped for the duration of each renewal. The way to avoid that downtime is the webroot authenticator (certbot-auto certonly --webroot -w <nginx document root> -d ...), which answers the challenge with files under /.well-known/acme-challenge/ served by the running nginx; renew then needs only a --post-hook that reloads nginx. Either way, verify the cron command once with certbot-auto renew --dry-run, which exercises the whole renewal against the Let's Encrypt staging environment without touching the real certificates.
The above is for CentOS 6 and earlier. On CentOS 7, replace it with the following:
0 0 * * * /usr/local/bin/certbot-auto renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"