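Command for requesting a wildcard certificate
certbot can be used to request a wildcard certificate for free. Run the command below, replacing the domain in the command with your own.

    sudo certbot certonly -d "*.example.com" -d example.com -m YOUR_EMAIL --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
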
Command for requesting a single-domain certificate
A single-domain certificate can also be requested, with the following command:

    sudo certbot certonly --manual -m YOUR_EMAIL -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Nginx configuration
Certificates requested with certbot are stored under /etc/letsencrypt/live/example.com/. Note that the files there are symbolic links that point to the real certificate files.
The following configuration takes a service listening on port 8080 and exposes it on port 443, using the certificate for SSL encryption:

    server {
        listen 443 ssl;
        server_name *.example.com;

        # Certificate chain and private key issued by certbot
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # Request size limits and client timeouts
        client_max_body_size 50m;
        client_body_buffer_size 256k;
        client_header_timeout 3m;
        client_body_timeout 3m;
        send_timeout 3m;

        # Timeouts and buffers for the proxied connection
        proxy_connect_timeout 300s;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_buffer_size 64k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_ignore_client_abort on;

        location / {
            # TLS ends here; the backend on 127.0.0.1:8080 receives plain HTTP
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect off;
            proxy_set_header Host $host:80;
            proxy_ssl_server_name on;
            # Pass the client address and original scheme to the backend
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name *.example.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect off;
            proxy_set_header Host $host:80;
            proxy_ssl_server_name on;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

Notes
Every time the certificate is renewed, nginx must be restarted. Use the command

    sudo systemctl stop nginx

to stop the service first, then use

    sudo systemctl start nginx

to start it.
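
A check to run after renewal and before the restart, as an added example that is not part of the original post. A wildcard name covers exactly one left-most label, which is why the certbot command passes both `-d "*.example.com"` and `-d example.com`; the script confirms both are covered and that the certificate is not about to expire. The function names, the `DOMAIN` and `LIVE_DIR` variables, the `www` test name, the `--run` switch and the 7-day threshold are assumptions.

```sh
# Added example: verify a renewed certificate before restarting nginx.
# DOMAIN, LIVE_DIR, the function names and the 7-day threshold are assumptions.
DOMAIN="${DOMAIN:-example.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"

# Return 0 if SAN pattern $1 covers hostname $2. A wildcard stands for exactly
# one left-most label: "*.example.com" covers www.example.com, but neither
# example.com nor a.b.example.com.
san_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        '*.'*)
            suffix=${pattern#\*}       # e.g. ".example.com"
            label=${host%%.*}          # left-most label of the hostname
            [ -n "$label" ] && [ "$host" = "$label$suffix" ] ;;
        *)  [ "$host" = "$pattern" ] ;;
    esac
}

# Return 0 if any SAN in the newline-separated list $1 covers hostname $2.
cert_covers() {
    while IFS= read -r san; do
        san_matches "$san" "$2" && return 0
    done <<EOF
$1
EOF
    return 1
}

# Print the DNS names from a certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Check names and expiry, then test the nginx config before restarting.
check_and_restart() {
    cert="$LIVE_DIR/fullchain.pem"
    sans=$(cert_sans "$cert") || return 1
    for name in "$DOMAIN" "www.$DOMAIN"; do
        cert_covers "$sans" "$name" ||
            { echo "certificate does not cover $name" >&2; return 1; }
    done
    # -checkend N fails when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null ||
        { echo "certificate expires within 7 days" >&2; return 1; }
    nginx -t && systemctl restart nginx
}
if [ "${1:-}" = "--run" ]; then check_and_restart; fi
```

Run it as root with `--run`; because `nginx -t` runs first, a configuration error is reported while the old process is still serving instead of after it has been stopped.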