差别
这里会显示出您选择的修订版和当前版本之间的差别。
| 两侧同时换到之前的修订记录 前一修订版 后一修订版 | 前一修订版 | ||
|
tech:web:https:certbot [2017/03/21 15:52:16] 某喵 |
tech:web:https:certbot [2018/05/10 16:04:54] (当前版本) |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| - | <markdown> | ||
| # 使用 certbot 为域名生成 https 证书(ubuntu14.04) | # 使用 certbot 为域名生成 https 证书(ubuntu14.04) | ||
| - | ## 步骤 | + | ## 生成证书 |
| 1.获取 certbot | 1.获取 certbot | ||
| 行 14: | 行 13: | ||
| ./certbot-auto | ./certbot-auto | ||
| ``` | ``` | ||
| - | </markdown> | ||
| 3.生成证书 | 3.生成证书 | ||
| ``` | ``` | ||
| ./certbot-auto certonly --standalone -d example.com -d www.example.com | ./certbot-auto certonly --standalone -d example.com -d www.example.com | ||
| + | ``` | ||
| + | |||
| + | ## Diffie-Hellman Group | ||
| + | |||
| + | ``` | ||
| + | sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | ||
| + | ``` | ||
| + | |||
| + | ## 配置 nginx | ||
| + | snippet 1 | ||
| + | ``` | ||
| + | listen 443 ssl; | ||
| + | |||
| + | server_name example.com www.example.com; | ||
| + | |||
| + | ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
| + | ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | ||
| + | ``` | ||
| + | snippet 2 | ||
| + | ``` | ||
| + | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| + | ssl_prefer_server_ciphers on; | ||
| + | ssl_dhparam /etc/ssl/certs/dhparam.pem; | ||
| + | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
| + | ssl_session_timeout 1d; | ||
| + | ssl_session_cache shared:SSL:50m; | ||
| + | ssl_stapling on; | ||
| + | ssl_stapling_verify on; | ||
| + | add_header Strict-Transport-Security max-age=15768000; | ||
| + | ``` | ||
| + | snippet 3 | ||
| + | ``` | ||
| + | server { | ||
| + | listen 80; | ||
| + | server_name example.com www.example.com; | ||
| + | return 301 https://$host$request_uri; | ||
| + | } | ||
| + | ``` | ||
| + | |||
| + | ## Auto Renew | ||
| + | |||
| + | ``` | ||
| + | sudo crontab -e | ||
| + | ``` | ||
| + | 添加以下内容 | ||
| + | ``` | ||
| + | 10 1 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log | ||
| + | 20 1 * * 1 /etc/init.d/nginx reload | ||
| ``` | ``` | ||
| ## Ref | ## Ref | ||
| - | - https://certbot.eff.org/#ubuntutrusty-nginx | + | - [certbot 获取](https://certbot.eff.org/#ubuntutrusty-nginx) |
| + | - [nginx https 配置](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04) | ||
| + | - crontab 文件格式:分 时 日 月 星期 要运行的命令 | ||
| + | - 第1列分钟0~59 | ||
| + | - 第2列小时0~23(0表示子夜) | ||
| + | - 第3列日1~31 | ||
| + | - 第4列月1~12 | ||
| + | - 第5列星期0~7(0和7表示星期天) | ||
| + | - 第6列要运行的命令 | ||