Recently Chrome and Firefox have distrusted several domestic (Chinese) CAs, so sites using certificates from those CAs are now flagged as not secure in Chrome, while certificates from foreign CAs are comparatively expensive. Let's Encrypt is a free, open Certificate Authority backed by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, which makes it a credible alternative. The following walks through deploying a Let's Encrypt certificate on an Nginx instance with the acme.sh client.
1. Install the client script
curl https://get.acme.sh | sh
Piping a remote script straight into a shell runs whatever the server returns. If that is a concern, download the script first, read it, and run it locally, or clone the acme.sh repository and run its installer from the checkout.
When installation completes, acme.sh adds a cron job to root's crontab that runs it once a day. Let's Encrypt certificates are valid for 90 days and acme.sh renews them automatically (by default once a certificate is 60 days old), so no manual renewal is required. The entry it installs looks like this (confirm it with crontab -l):
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Configure a plain-HTTP server block on port 80 for the domain so Let's Encrypt can verify (HTTP-01 challenge) that the host the name resolves to is under your control. In webroot mode acme.sh writes the challenge token under <webroot>/.well-known/acme-challenge/, so that path must be served over plain HTTP; everything else can be redirected to HTTPS, but the redirect must not catch the challenge path, which is why the challenge location is the more specific prefix and wins over location /.
server {
    listen 80;
    server_name app.lhz.cc;

    # challenge files written by acme.sh --issue -w /var/www/challenges/
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/.well-known/acme-challenge/;
    }

    # everything else goes to HTTPS, keeping the requested path
    location / {
        rewrite ^(.*)$ https://app.lhz.cc$1 permanent;
    }

    access_log /var/log/nginx/emmaapp80.log main;
}
2. Issue the certificate. acme.sh generates the domain key and CSR, completes the HTTP-01 challenge through the webroot configured above, and downloads the certificate and chain:
/root/.acme.sh/acme.sh --issue -d app.lhz.cc -w /var/www/challenges/
[Fri 4 15:58:13 CST 2017] Registering account
[Fri 4 15:58:15 CST 2017] Registered
[Fri 4 15:58:16 CST 2017] Update Account TOS Info success.
[Fri 4 15:58:16 CST 2017] Account_thumbprint= ' Kzgy....sg9 ... Kxzohj_pwj0u '
[Fri 4 15:58:16 CST 2017] Creating Domain key
[Fri 4 15:58:16 CST 2017] The domain key is here: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri 4 15:58:16 CST 2017] Single domain= ' app.lhz.cc '
[Fri 4 15:58:16 CST 2017] Getting domain Auth token for each domain
[Fri 4 15:58:16 CST 2017] Getting webroot for domain= ' app.lhz.cc '
[Fri 4 15:58:16 CST 2017] Getting New-authz for domain= ' app.lhz.cc '
[Fri 4 15:58:18 CST 2017] The New-authz request is OK.
[Fri 4 15:58:18 CST 2017] Verifying: app.lhz.cc
[Fri 4 15:58:23 CST 2017] Success
[Fri 4 15:58:23 CST 2017] Verify finished, start to sign.
[Fri 4 15:58:25 CST 2017] Cert success.
-----BEGIN CERTIFICATE-----
Miie9zcca9+gawibagisbkxwthlejciijt9o9+fllcgfma0gcsqgsib3dqebcwua
expmzxqncybfbmnyexb0ief1dghvcml0esbymzaefw0xnza4mdqwnju4mdbafw0x
Nzexmdiwnju4mdbambuxezarbgnvbamtcmfwcc5yawquy2mwggeima0gcsqgsib3
Dqebaquaa4ibdwawggekaoibaqdwmuoafcycc9kzad96xaeh/5auhx5a4u3m5dfl
(... remainder of the PEM body omitted in the original post ...)
Y8xojmdkrmnk427zkujhe7yzcsxqai7pqeii
-----END CERTIFICATE-----
[Fri 4 15:58:25 CST 2017] Your cert is in: /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer
[Fri 4 15:58:25 CST 2017] Your cert key is in: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri 4 15:58:25 CST 2017] The intermediate CA cert is in: /root/.acme.sh/app.lhz.cc/ca.cer
[Fri 4 15:58:25 CST 2017] And the full chain certs are there: /root/.acme.sh/app.lhz.cc/fullchain.cer
3. Install the certificate to the paths your Nginx configuration will use. acme.sh records these paths and the reload command in the domain's configuration, so every automatic renewal copies the new files to the same place and reloads Nginx. Point Nginx at these installed copies, not at the files under /root/.acme.sh, which are acme.sh's internal working copies.
acme.sh --installcert -d app.lhz.cc \
    --keypath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
    --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
    --reloadcmd "/usr/local/nginx-1.8/sbin/nginx -s reload"
[Fri 4 16:31:40 CST 2017] Installing key to: /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key
[Fri 4 16:31:40 CST 2017] Installing full chain to: /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt
[Fri 4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload
[Fri 4 16:31:40 CST 2017] Reload success
4. Generate Diffie-Hellman parameters for the DHE cipher suites. Write them to the ssl directory that the Nginx configuration in step 5 references (the original post wrote the file under /root/.acme.sh/app.lhz.cc/, acme.sh's working directory, while the Nginx configuration pointed at conf/ssl/, so the two did not match):
openssl dhparam -out /usr/local/nginx-1.8/conf/ssl/dhparam.pem 2048
5. Configure the certificate in Nginx. The certificate and key paths must be exactly the ones passed to --fullchainpath and --keypath in step 3 (the original post had a typo in the key file name, which would have made Nginx fail to start):
server {
    listen 443 ssl;
    server_name app.lhz.cc;

    # certificate chain and key installed by acme.sh --installcert (step 3)
    ssl_certificate     /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key;
    ssl_dhparam         /usr/local/nginx-1.8/conf/ssl/dhparam.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # TLSv1 and TLSv1.1 are deprecated; drop them and keep TLSv1.2 only
    # unless you must support old clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ECDHE with AES-GCM is preferred; the AES:HIGH tail still admits
    # non-forward-secret RSA key exchange and CBC suites for compatibility
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    # a plain-HTTP request arriving on the TLS port is redirected instead of erroring
    error_page 497 https://$host$request_uri;

    location / {
        proxy_pass http://app80_server_pool;   # upstream block defined elsewhere
        proxy_set_header Host app.lhz.cc;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    access_log /var/log/nginx/app.log main;
}
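"Reload success" in step 3 only means Nginx accepted the new files. It does not confirm that the installed certificate and key belong together, that the host name is in the subjectAltName, that the chain completes, or, after a cron-driven renewal, that a fresh certificate actually landed in conf/ssl/; a renewal that silently fails shows up only as an expired site. The script below is an added example for this post, not code from acme.sh or the original author. It needs only openssl, defaults to the paths used in the Nginx configuration above, and with --selftest builds a throwaway CA and a 90-day leaf for app.lhz.cc (constructed test data, not a Let's Encrypt issuance) so the checks can be exercised offline, including the wrong-key case.

```shell
#!/bin/sh
# Post-install checks for a certificate deployed with acme.sh --installcert.
# Added example for this post, not code from acme.sh or the original author.
# Needs only openssl(1). Defaults match the Nginx configuration above.

# cert_matches_key CERT KEY: succeed only if the public key in CERT (the first
# certificate in the file, so a fullchain file works) is derived from KEY.
# A mismatch makes "nginx -s reload" fail and leaves the old certificate serving.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san CERT HOST: the subjectAltName extension must list HOST;
# browsers no longer fall back to the CN.
cert_has_san() {
    h=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "DNS:$h(,|[[:space:]]|\$)"
}

# cert_valid_for_days CERT DAYS: succeed if CERT is still valid DAYS days from
# now. Let's Encrypt issues for 90 days and acme.sh renews at 60, so fewer than
# 30 days left means the cron job or the reload command is not working.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# chain_verifies FULLCHAIN CAFILE: build the path from the leaf (first cert in
# FULLCHAIN) through the intermediates in the same file to a root in CAFILE.
# For a real Let's Encrypt certificate pass the system trust store as CAFILE.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# check NAME CMD ARGS...: print one result line and count failures.
check() {
    name=$1; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
}

# run_checks FULLCHAIN KEY HOST CAFILE: run all checks, return the failure count.
run_checks() {
    fails=0
    check key-matches-cert cert_matches_key    "$1" "$2"
    check san-lists-host   cert_has_san        "$1" "$3"
    check valid-30-days    cert_valid_for_days "$1" 30
    check chain-verifies   chain_verifies      "$1" "$4"
    return $fails
}

# make_test_material DIR: constructed test data (not a Let's Encrypt issuance):
# a throwaway CA, a 90-day leaf for app.lhz.cc with a SAN, the fullchain file as
# --fullchainpath writes it, and an unrelated key for the mismatch case.
make_test_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=app.lhz.cc' \
        -keyout "$d/app_lhz_cc.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:app.lhz.cc\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -extfile "$d/ext.cnf" \
        -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
    cat "$d/leaf.crt" "$d/ca.crt" > "$d/app_lhz_cc.crt"
    openssl genrsa -out "$d/wrong.key" 2048 >/dev/null 2>&1
}

# Usage: sh check_cert.sh --selftest
#        sh check_cert.sh [FULLCHAIN KEY HOST CAFILE]   (exit status = failures)
main() {
    if [ "$1" = "--selftest" ]; then
        d=$(mktemp -d) || exit 1
        make_test_material "$d" || { echo "could not build test material"; exit 1; }
        run_checks "$d/app_lhz_cc.crt" "$d/app_lhz_cc.key" app.lhz.cc "$d/ca.crt"
        echo "--- same certificate, wrong key (one check must fail) ---"
        run_checks "$d/app_lhz_cc.crt" "$d/wrong.key" app.lhz.cc "$d/ca.crt"
        rm -rf "$d"
    else
        run_checks "${1:-/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt}" \
                   "${2:-/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key}" \
                   "${3:-app.lhz.cc}" \
                   "${4:-/etc/ssl/certs/ca-certificates.crt}"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with --selftest once to see both the passing run and the wrong-key failure, then run it without arguments after step 3 and add it to cron after acme.sh's own entry; a non-zero exit status is the number of failed checks. The default CAFILE is the Debian/Ubuntu bundle path and is an assumption; adjust it for other distributions. Pass the fullchain file, not the bare leaf, so the intermediate in it is available to openssl verify as an untrusted certificate.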
This article is from the "Shadow Knight" blog; please keep this source when reproducing it: http://andylhz2009.blog.51cto.com/728703/1953665
Teach you how to apply for a free certificate from Let's Encrypt: opening up the HTTPS route for your website