Alibaba Cloud Ubuntu 14.04 + Nginx + Let's Encrypt: setting up HTTPS access
The IM side uses 云旺 (YunWang); on iOS, image URLs are only displayed when they are https, so a certificate is added to the server.
Let's Encrypt is a free and open-source CA whose root is already trusted by Mozilla, Microsoft and the other major browser vendors.
1. Install Let's Encrypt (certbot)
apt-get install python-software-properties
apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
2. Generate the key and certificate
certbot certonly --standalone -d XXX.com
Output like the following means it succeeded:
root@iZ2zedq9lexkebewgjhhwzZ:/etc/letsencrypt# certbot certonly --standalone -d 51best.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for XXX.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/XXX.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/XXX.com/privkey.pem
   Your cert will expire on 2017-12-27. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
By default the files are placed under /etc/letsencrypt/live.
3. Configure nginx
(1) Method one: serve port 80 and 443 from the same server block
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;
(2) Method two: listen on 443 only
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
listen [::]:443 ssl ipv6only=on;
Accessing the site over https succeeds.
Accessing it over http fails with ERR_CONNECTION_REFUSED, because nothing is listening on port 80.
Redirect http requests to https with a separate server block:
server {
    listen 80;
    server_name XXX.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
Accessing over http now succeeds (it is redirected to https).
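As an added example (not code from the original post), a small Python checker for nginx server blocks like the ones above: it parses the TLS-related directives and flags deprecated protocol versions, a 443 listener without `ssl`, a certificate that is not the full chain, and plain HTTP served without a redirect to HTTPS. The sample block is constructed from this page's method one; the directive names are standard nginx.

```python
import re

# Directives inspected; the regex captures "name value;" pairs and ignores the rest.
DIRECTIVE_RE = re.compile(
    r"\b(listen|ssl_certificate_key|ssl_certificate|ssl_protocols|"
    r"ssl_ciphers|ssl_prefer_server_ciphers|rewrite|return)\s+([^;]+);")
# Protocol versions that are deprecated (RFC 8996) and should not be offered.
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(block):
    """Return {directive_name: [value, ...]} for the directives we inspect."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(block):
        found.setdefault(name, []).append(value.strip())
    return found


def audit_tls_config(block):
    """Return a list of findings for one server block; [] means nothing flagged."""
    d = parse_directives(block)
    findings = []
    protocols = {p for v in d.get("ssl_protocols", []) for p in v.split()}
    for old in DEPRECATED:
        if old in protocols:
            findings.append("ssl_protocols enables deprecated %s" % old)
    # listen values look like "80", "443 ssl" or "[::]:443 ssl ipv6only=on".
    plain_http = tls_listener = False
    for v in d.get("listen", []):
        parts = v.split()
        port = parts[0].rsplit(":", 1)[-1]
        has_ssl = "ssl" in parts[1:]
        if port == "443" and not has_ssl:
            findings.append("listener '%s' on 443 is missing the ssl parameter" % v)
        plain_http = plain_http or (port == "80" and not has_ssl)
        tls_listener = tls_listener or has_ssl
    if tls_listener and not any(v.endswith("fullchain.pem")
                                for v in d.get("ssl_certificate", [])):
        findings.append("ssl_certificate should reference fullchain.pem so the chain is sent")
    redirects = any("https://" in v for v in d.get("rewrite", []) + d.get("return", []))
    if plain_http and not redirects:
        findings.append("port 80 serves plain HTTP without redirecting to HTTPS")
    return findings


# Constructed sample: this page's "method one" (plain port 80 inside the TLS
# server block, TLSv1 and TLSv1.1 still offered).
SAMPLE_METHOD_ONE = """server { listen 80; listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; listen [::]:443 ssl ipv6only=on; }"""
```

Run `audit_tls_config(SAMPLE_METHOD_ONE)` to see the three findings for method one; the page's redirect-only port-80 block and a TLSv1.2-only 443 block both come back clean.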
4. Restart nginx
/etc/init.d/nginx restart
Both http://XXX.com and https://XXX.com are now reachable.
5. Renewal
Certificates issued by Let's Encrypt are valid for 3 months; running certbot renew renews them free of charge, as often as needed.
Stop nginx first (standalone mode needs the ports to itself):
/etc/init.d/nginx stop
certbot renew --dry-run
certbot renew
Then restart nginx:
/etc/init.d/nginx restart
Note:
If you encounter [error] open() "/run/nginx.pid" failed (2: No such file or directory), start nginx with its config file explicitly:
nginx -c /etc/nginx/nginx.conf