HTTPS

how to enable https

Tools

acme.sh implements the ACME protocol: it obtains free certificates from Let's Encrypt and renews them automatically.
It is installed in /root/.acme.sh/, version 2.6.5.

Wrapper scripts written in-house:
/root/acme-issue.sh issues a certificate.
/root/install-cert.sh installs a certificate.

acme-issue.sh

#!/bin/sh
# Usage: acme-issue.sh <domain>
# Issues an ECDSA P-256 certificate via the HTTP-01 challenge, using the
# webroot that snippets/verify.conf serves under /.well-known/.

cd /root/.acme.sh && ./acme.sh \
    --issue -d "$1" \
    -w /srv/www/verify/ \
    --keylength ec-256

install-cert.sh

#!/bin/sh
# Usage: install-cert.sh <domain>
# Copies the certificate issued by acme-issue.sh into /etc/ssl/private/<domain>/
# and force-reloads nginx. --ecc is required because the certificate was issued
# with --keylength ec-256. acme.sh remembers --reloadcmd and re-runs it on renewal.

mkdir -p "/etc/ssl/private/$1"

cd /root/.acme.sh && ./acme.sh \
    --ecc \
    --installcert -d "$1" \
    --certpath       "/etc/ssl/private/$1/cert.pem" \
    --keypath        "/etc/ssl/private/$1/key.pem" \
    --fullchainpath  "/etc/ssl/private/$1/fullchain.pem" \
    --reloadcmd      "service nginx force-reload"

Steps

Step 0: switch to root

  1. sudo su -

Step 1: create the nginx sites-available config file

  1. vim /etc/nginx/sites-available/example.xdlinux.info
server {
    listen       80;
    server_name  example.xdlinux.info;

    access_log  /var/log/nginx/example-access.log main;
    error_log   /var/log/nginx/example-error.log warn;

    include snippets/verify.conf;            # defines the location ^~ /.well-known/ needed for validation
    #include snippets/robots-allow-all.conf; # allow search-engine crawlers (pick one as needed)
    #include snippets/robots-deny-all.conf;  # block search-engine crawlers (pick one as needed)

    location / {
        return 301 https://$server_name$request_uri;
    }
}

Step 2: enable example.xdlinux.info

  1. ln -s ../sites-available/example.xdlinux.info /etc/nginx/sites-enabled/
  2. nginx -t (test the config file)
  3. service nginx force-reload

Step 3: issue the certificate

  1. /root/acme-issue.sh example.xdlinux.info

Step 4: add HTTPS to the config file

  1. vim /etc/nginx/sites-available/example.xdlinux.info
server {
    listen       443 ssl http2;
    server_name  example.xdlinux.info;

    access_log  /var/log/nginx/example-access.log main;
    error_log   /var/log/nginx/example-error.log warn;

    ssl_certificate /etc/ssl/private/example.xdlinux.info/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.xdlinux.info/key.pem;

    ssl_trusted_certificate /etc/ssl/private/chain.pem;

    include snippets/verify.conf;            # defines the location ^~ /.well-known/ needed for validation
    #include snippets/robots-allow-all.conf; # allow search-engine crawlers (pick one as needed)
    #include snippets/robots-deny-all.conf;  # block search-engine crawlers (pick one as needed)

    location / {
        root /srv/www/example;
    }
}

Step 5: install the certificate

  1. /root/install-cert.sh example.xdlinux.info (force-reloads nginx automatically)
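The reloadcmd in install-cert.sh reloads nginx unconditionally, so a stale renewal or a key/certificate mismatch in /etc/ssl/private/<domain>/ would only show up as a failed reload or a browser error. The script below is an added example (not part of this page's scripts or of acme.sh) that checks the installed files before nginx is touched; it assumes openssl(1) is available and the directory layout that install-cert.sh produces (fullchain.pem and key.pem). Run it as `check_cert_dir example.xdlinux.info`, or chain it into the reloadcmd as `sh /root/check-cert.sh example.xdlinux.info && service nginx force-reload`.

```shell
#!/bin/sh
# check-cert.sh: sanity checks for /etc/ssl/private/<domain>/ (added example, not
# part of the original page). Every function exits 0 on success and non-zero on
# failure, so it can be chained with && in a reloadcmd.

# Exit 0 if the private key's public half matches the leaf certificate's public key.
# Both sides are hashed with the same openssl binary, so the output prefix is identical.
cert_matches_key() {          # $1 = fullchain.pem (or cert.pem)  $2 = key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the leaf certificate is still valid $2 days from now.
# Catches the case where acme.sh reinstalled an old certificate after a failed renewal.
cert_valid_for_days() {       # $1 = fullchain.pem  $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if the leaf certificate's subjectAltName carries an exact DNS entry for $2.
# Wildcard entries are not expanded: a cert for *.example.org does not pass for www.example.org.
cert_covers_name() {          # $1 = fullchain.pem  $2 = hostname
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# Run all three checks against the layout install-cert.sh produces.
# $1 = hostname, $2 = directory (defaults to /etc/ssl/private/<hostname>).
check_cert_dir() {
    dir=${2:-/etc/ssl/private/$1}
    cert_matches_key "$dir/fullchain.pem" "$dir/key.pem" \
        || { echo "$1: key.pem does not match fullchain.pem" >&2; return 1; }
    cert_valid_for_days "$dir/fullchain.pem" 14 \
        || { echo "$1: certificate expires within 14 days (renewal did not happen?)" >&2; return 1; }
    cert_covers_name "$dir/fullchain.pem" "$1" \
        || { echo "$1: certificate does not list this hostname in its SAN" >&2; return 1; }
    echo "$1: certificate and key look consistent"
}
```

Only the first certificate in fullchain.pem (the leaf) is inspected; the 14-day threshold is chosen so that the check fails well before Let's Encrypt's expiry while still tolerating the usual renewal window.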