Installing and configuring a free Let's Encrypt SSL certificate for an Nginx site on CentOS
About Let's Encrypt
By issuing free digital certificates, the Let's Encrypt project encourages more websites to adopt encrypted connections. The project is run by the Internet Security Research Group (ISRG); besides Mozilla, the companies taking part in this ISRG project include Cisco, Akamai, the Electronic Frontier Foundation and IdenTrust. The organization also lists sponsors on its website, among them Chrome and Facebook. Since its launch in 2012 and its entry into public beta last December, it has provided free protection for 3.8 million domains. Let's Encrypt offers free SSL certificates to websites at large, which benefits site owners, internet users and the Web as a whole, and improves the security of the entire internet.
Why HTTPS is necessary
- HTTPS encrypts the content transmitted between client and server, so even if it is intercepted it is extremely hard to decrypt; HTTP transmits in plaintext, which an attacker can easily eavesdrop on.
- It prevents hijacking: hijacking and ad injection by ISPs in China are still quite rampant, so making HTTPS widespread is very necessary.
HTTPS cannot guarantee absolute security, but it greatly raises the bar and the cost of attacks and hijacking.
Since DNSPod started passing Let's Encrypt validation, the author immediately installed this certificate as well.
First, the server environment used for this installation:
- CentOS 6.7
- Nginx 1.8 + PHP 5.6.21 + MySQL 5.5.45
Installation steps
1. Install Git, bc and EPEL
yum -y install git bc epel-release
2. Download Let's Encrypt
git clone https://github.com/letsencrypt/letsencrypt
mv letsencrypt /opt
letsencrypt is now installed under the /opt/letsencrypt/ directory.
3. Generate Diffie-Hellman (DH) parameters
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
4. Request the Let's Encrypt certificate; be sure to change the following options:
--email is the applicant's email address
-d is the domain the certificate is requested for
--webroot -w is the site's web root directory (the validation file is served from .well-known/acme-challenge under it)
mkdir -p /var/www/www.lezhizhe.net/.well-known/acme-challenge
cd /opt/letsencrypt
./letsencrypt-auto certonly --email lezhizhe_net@163.com -d "www.lezhizhe.net" --webroot -w /var/www/www.lezhizhe.net/ --agree-tos
On success you will have the following three files (dhparam.pem comes from step 3; the other two are written by letsencrypt-auto):
/etc/ssl/certs/dhparam.pem
/etc/letsencrypt/live/www.lezhizhe.net/fullchain.pem
/etc/letsencrypt/live/www.lezhizhe.net/privkey.pem
5. Modify the Nginx site configuration
Edit the site's configuration file as follows (these directives go inside the site's server block):
server {
    listen 443 ssl;
    server_name www.lezhizhe.net;
    # DH parameters from step 3, certificate chain and private key from step 4
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/www.lezhizhe.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.lezhizhe.net/privkey.pem;
    # redundant with "listen 443 ssl" and deprecated in newer Nginx releases; harmless on Nginx 1.8
    ssl on;
    # TLSv1 and TLSv1.1 are only needed for old clients; drop them if you have none
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    # session resumption cache and OCSP stapling
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    # HSTS: browsers will use https only for this host and its subdomains for one year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
- After editing, check that the configuration is valid:
nginx -t
- Reload the Nginx configuration:
nginx -s reload
- Visit the site and check that it loads over https; if a firewall is enabled, port 443 must be opened!
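A small checker for the TLS directives above, as an added example that is not part of the original post: it parses the one-line directives of a server block and flags the settings a reviewer would question in this configuration (old protocol versions, "ssl on", OCSP verification without a trusted chain, a missing or short HSTS header). The embedded block is a constructed copy of the config above without the long cipher list; the one-year HSTS floor is this example's own assumption.

```python
import re

# Constructed sample: the Nginx TLS directives from step 5, without the cipher list.
SAMPLE_CONFIG = """server {
    listen 443 ssl;
    server_name www.lezhizhe.net;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/www.lezhizhe.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.lezhizhe.net/privkey.pem;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
"""

# One directive per line: "name value ... ;" (block openers like "server {" are skipped).
DIRECTIVE = re.compile(r'^\s*([a-z_]+)\s+(.*?);\s*$', re.M)

def parse_directives(text):
    """Map directive name -> list of values; '#' comments are dropped first."""
    text = re.sub(r'#.*', '', text)
    found = {}
    for name, value in DIRECTIVE.findall(text):
        found.setdefault(name, []).append(value.strip())
    return found

def check_tls_config(text):
    """Return a list of findings for a TLS server block; an empty list means no issues."""
    d = parse_directives(text)
    findings = []
    protos = set(' '.join(d.get('ssl_protocols', [])).split())
    weak = sorted(protos & {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'})
    if weak:
        findings.append('weak protocols enabled: ' + ' '.join(weak))
    if 'ssl' in d:  # "ssl on;" duplicates "listen 443 ssl" and was removed in newer Nginx
        findings.append('"ssl on" is deprecated; "listen 443 ssl" already enables TLS')
    if 'ssl_stapling_verify' in d and 'ssl_trusted_certificate' not in d:
        findings.append('ssl_stapling_verify needs ssl_trusted_certificate to verify OCSP responses')
    hsts = [v for v in d.get('add_header', []) if v.startswith('Strict-Transport-Security')]
    age = re.search(r'max-age=(\d+)', hsts[0]) if hsts else None
    if age is None or int(age.group(1)) < 31536000:  # one-year floor: this example's assumption
        findings.append('HSTS header missing or max-age shorter than one year')
    return findings
```

Run `check_tls_config` over a real server block read from disk to get the same findings for a live site.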
6. Set up automatic SSL certificate renewal
Because Let's Encrypt certificates are valid for 3 months, set up a scheduled task that renews the certificate once a month. Remember to change the email address, domain and web root in the script below.
mkdir -p /etc/letsencrypt/configs
# "authenticator = webroot" matches the --webroot method used in step 4; ">" (not ">>") avoids duplicated entries if this is run again
cat > /etc/letsencrypt/configs/www.lezhizhe.net.conf <<EOF
domains = www.lezhizhe.net
rsa-key-size = 2048
server = https://acme-v01.api.letsencrypt.org/directory
email = lezhizhe_net@163.com
text = True
authenticator = webroot
webroot-path = /var/www/www.lezhizhe.net/
EOF
The auto-renewal shell script, saved as /root/renew-letsencrypt.sh, is as follows:
#!/bin/sh
# Renew the certificate using the config file written above. On failure, print the tail of
# the letsencrypt log (cron mails this output); on success, reload Nginx to load the new cert.
cd /opt/letsencrypt/ || exit 1
if ! ./letsencrypt-auto certonly --config /etc/letsencrypt/configs/www.lezhizhe.net.conf --agree-tos
then
    ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
    echo -e "The Let's Encrypt cert has not been renewed! \n \n" "$ERRORLOG"
else
    nginx -s reload
fi
exit 0
Make it executable, then add the two cron entries (the first keeps the client up to date, the second runs the renewal):
chmod +x /root/renew-letsencrypt.sh
crontab -e
@monthly cd /opt/letsencrypt && git pull
@monthly /root/renew-letsencrypt.sh