安装过程:
环境: centos7, openresty
使用 certbot 生成证书
# Base packages.  EPEL is what provides certbot on CentOS 7.
# gettext is presumably pulled in for envsubst (templating the ${...}
# placeholders in the nginx config) -- TODO confirm, the page never uses it.
# NOTE(review): openresty is not in the base or EPEL repositories; the
# openresty yum repo has to be configured on the host before this install
# can resolve -- confirm before running.
yum install -y epel-release && yum update -y
yum install -y openresty certbot gettext
- 设置 openresty/nginx 的 80 端口:
# Plain-HTTP listener whose only job is to answer certbot's HTTP-01
# challenge; everything else stays on the TLS server block.
server {
  listen 80;
  server_name _;   # catch-all name; certbot validates by the requested host

  # Serve the challenge tokens certbot writes below <webroot>/.well-known/.
  # `root html` is relative to the nginx prefix and must be the same
  # directory passed as -w to `certbot certonly --webroot`.
  location ^~ /.well-known/acme-challenge/ {
    root  html;
    index index.html index.htm;
  }

  # The directory itself is never a valid token: refuse to serve it.
  location = /.well-known/acme-challenge/ {
    return 404;
  }
}
- 重启 nginx/openresty, 然后执行:
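# Obtain the certificate with the HTTP-01 webroot challenge.  The -w
# directory must be the directory the port-80 server block serves as
# `root`, otherwise certbot's token under /.well-known/acme-challenge/
# is never reachable.
# Output used to go to the fixed, predictable name /tmp/cert.log; a root-run
# command writing to a fixed path in a shared /tmp is a classic symlink
# hazard, so the log now goes to a mktemp'd file and the name is printed.
cert_log=$(mktemp /tmp/cert.XXXXXX) || exit 1
certbot certonly \
  -m "${自己的邮箱}" \
  --webroot -w "${ngx www 路径目录}" \
  -d "${域名}" \
  --agree-tos > "$cert_log"
printf 'certbot output written to %s\n' "$cert_log"

# Generate a 2048-bit DH parameter set for the DHE cipher suites.
# The bit size is a positional argument and must come AFTER the options:
# `openssl dhparam 2048 -out ...` only works with the old 1.0.x parser and
# is rejected by newer OpenSSL releases.
openssl dhparam -out dhparam.pem 2048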
- 生成证书后, 设置 nginx 配置:
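# --- Certificate material issued by certbot (paths are the certbot defaults) ---
ssl_certificate     /etc/letsencrypt/live/${域名}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${域名}/privkey.pem;
# chain.pem is only consulted for OCSP stapling / client-cert verification;
# it has no effect on its own unless ssl_stapling (plus a resolver) is
# also enabled.
ssl_trusted_certificate /etc/letsencrypt/live/${域名}/chain.pem;
ssl_dhparam ${dhparam.pem 所在的路径};

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
# TLSv1.3 only takes effect when nginx is built against OpenSSL 1.1.1+;
# nginx >= 1.13 accepts the token either way, so the line is safe as is.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only.  The previous list still offered RC4
# suites (ECDHE-ECDSA-RC4-SHA, ECDH-*-RC4-SHA) while also trying to
# exclude RC4 and CBC, which left the effective policy ambiguous; this
# list is explicit.  The DHE-* suites are what actually use ssl_dhparam.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!LOW;
ssl_prefer_server_ciphers on;
# Session resumption so repeat connections skip the full handshake.
ssl_session_cache shared:SSL:10m;

# Clickjacking protection (unchanged).
add_header X-Frame-Options DENY;
# HSTS: commits browsers to HTTPS for this host for one year.  Enable only
# once the HTTPS site is known to work, since it cannot be undone quickly.
add_header Strict-Transport-Security "max-age=31536000" always;

# Headers forwarded to the upstream; these belong in the location that does
# proxy_pass.  Host and X-Forwarded-Proto let the backend build correct
# absolute URLs; X-Real-IP / X-Forwarded-For carry the client address.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;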
使用 certbot-nginx 生成配置
# Dockerfile variant: same base image setup, but with the certbot nginx
# plugin (it edits nginx.conf itself) instead of plain certbot.
# NOTE(review): openresty is not in the base or EPEL repositories; the
# image must add the openresty yum repo before this step.  Also confirm
# the exact EPEL 7 package name of the nginx plugin for this image.
RUN yum install -y epel-release && yum update -y
RUN yum install -y openresty certbot-nginx
- 在 $PATH 环境变量中设置好 nginx 的执行路径, 并在 nginx.conf 中设置相关的域名:
# Server block that `certbot --nginx` locates by server_name and then
# extends with the TLS directives it generates.
server {
  listen xxx;            # placeholder: the real listen address/port goes here
  server_name ${域名};    # must equal the -d value passed to certbot
  ...                    # remaining site configuration, as before
}
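# Let the nginx plugin obtain the certificate AND rewrite the server block
# whose server_name matches -d.  --nginx-server-root must point at the
# directory that holds nginx.conf, and the nginx binary must be on $PATH.
# Expansions are quoted so a path or address containing spaces is passed
# as one argument.
certbot --nginx \
  -d "${域名}" \
  -m "${邮箱}" \
  --nginx-server-root="${nginx.conf 文件所在路径}" \
  --agree-tos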