Recently I wanted to add HTTPS to my website, so I used Certbot, which is free, easy to use and open source.

Prerequisites

Namecheap domain (xiaobailong24.com)
VPS host (Nginx & Ubuntu 16.04 LTS)
Certbot website (https://certbot.eff.org)

Install Certbot

Install letsencrypt on the VPS:

sudo apt-get install letsencrypt

Generate a certificate with Certbot

Run:

sudo letsencrypt certonly

Choose how to generate the certificate

Choose the first option, webroot.

[Screenshot: certbot_1]

Enter a contact email

Enter your contact email here. Note that I typed it wrong, so a second screen prompted me to enter it again:

[Screenshot: certbot_2]
[Screenshot: certbot_3]

Agree to the terms of service

Just agree:

[Screenshot: certbot_4]

Enter the domain

Enter the domain you want to secure:

[Screenshot: certbot_5]

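Choose the web root directory for this domain

Choose the first option, Enter a new webroot, then select the site's root directory in the dialog that appears:

[Screenshot: certbot_6]
[Screenshot: certbot_7]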

Generate the certificate

The certificate is then generated automatically:

[Screenshot: certbot_8]

Successful generation

If the certificate is generated successfully, you will see the following message:

[Screenshot: certbot_9]

Generate Strong Diffie-Hellman Group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Configure Nginx

Edit the site's Nginx configuration file:

sudo vim /etc/nginx/sites-available/default

Add a location block

Add the following inside the server block:

server {
        . . .
        location ~ /.well-known {
                allow all;
        }
        . . .
}

Remove the original listen directives

Delete the following from the server block:

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

Add the SSL listen port

Add the following inside the server block:

listen 443 ssl;

server_name xiaobailong24.com;

ssl_certificate /etc/letsencrypt/live/xiaobailong24.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xiaobailong24.com/privkey.pem;

Add the SSL protocol settings

Add the following inside the server block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers                   'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
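
To check a server block for legacy TLS settings, such as the TLSv1 and TLSv1.1 entries and the long cipher list above, the following added example (not part of the original post) scans nginx config text and reports deprecated protocols, 3DES suites and cipher tokens without forward secrecy. The function name audit_tls, the finding labels and the sample input are assumptions made for this example, and it assumes the ssl_ciphers value is a single token without spaces.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit nginx TLS directives.
# audit_tls is a hypothetical helper name; it reads nginx config on stdin
# and prints one finding per line (no output means nothing was flagged).
audit_tls() {
  awk -v q="'" '
    # Drop the trailing ";" and any quoting around a directive value.
    function clean(s) { gsub("[;\"" q "]", "", s); return s }

    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        p = clean($i)
        # TLS 1.0/1.1 were deprecated by RFC 8996; SSLv2/v3 are broken.
        if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
          print "legacy-protocol " p
      }
    }

    $1 == "ssl_ciphers" {
      n = split(clean($2), c, ":")
      for (i = 1; i <= n; i++) {
        if (c[i] == "" || c[i] ~ /^[!-]/) continue  # exclusions only remove suites
        if (c[i] ~ /DES-CBC3|3DES/)
          print "3des " c[i]                # 64-bit block cipher (Sweet32)
        else if (c[i] !~ /^(ECDHE|DHE|EECDH|EDH|kEECDH|kEDH)/)
          print "no-forward-secrecy " c[i]  # static RSA, or a broad alias that includes it
      }
    }
  '
}

# Constructed sample: the ssl_protocols line from the post plus a shortened cipher list.
SAMPLE="ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:AES128-SHA:AES:DES-CBC3-SHA:!aNULL:!RC4';"

printf '%s\n' "$SAMPLE" | audit_tls
```

To audit the file edited in this post, run audit_tls < /etc/nginx/sites-available/default after defining the function.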

Redirect HTTP to HTTPS

Add a new server block that automatically redirects HTTP requests to HTTPS:

server {
    listen 80;
    server_name xiaobailong24.com;
    return 301 https://$host$request_uri;
}

Set up automatic certificate renewal

sudo crontab -e

Add the following:

# Minute field set to 0 so each job runs once, at 00:00 and at 01:00
0 0 * * * certbot renew --quiet
0 1 * * * certbot renew --quiet

Restart cron

sudo service cron restart     # Ubuntu
sudo service crond restart    # CentOS
