您的位置:首页 > 其它

Lets Encrypt 最近很火的免费SSL 使用教程

2016-03-28 14:22 375 查看
2015年10月份,微博上偶然看到Let’s Encrypt 推出了beta版,作为一个曾经被https虐出血的码农来说,这无疑是一个重磅消息。并且在全站Https的大趋势下,Let’s Encrypt 脱颖而出,无疑会对传统SSL证书提供商造成不小的打击,并将Https的应用和推广上升到一个空前火热的阶段。

Let’s Encrypt是由ISRG(Internet Security Research Group)提供的免费SSL项目,现由Linux基金会托管,他的来头很大,由Mozilla、思科、Akamai、IdenTrust和EFF等组织发起,现在已经得到Google、Facebook等大公司的支持和赞助,目的就是向网站免费签发和管理证书,并且通过其自身的自动化过程,消除了购买、安装证书的复杂性,只需几行命令,就可以完成证书的生成并投入使用,甚至十几分钟就可以让自己的http站点华丽转变成Https站点。

下面从实战的角度,为大家详细地介绍Let’s Encrypt的使用过程

安装Let’s Encrypt

1.登录linux服务器

git clone https://github.com/letsencrypt/letsencrypt[/code] 
提示:

1)、如果提示git命令无效的话,需要安装一下GIt,直接执行命令 yum install git-all 完成安装

2)、如果是RedHat/CentOs6系统的话,需要提前安装EPEL(Extra Packages for Enterprise Linux),执行命令  yum install epel-release

3)、 整个过程需要主机连接外网,否则会导致报以下错误
IMPORTANT NOTES:

- The following errors were reported by the server:

Domain: on-img.com

Type:   urn:acme:error:connection

Detail: Failed to connect to host for DVSNI challenge

Domain: www.on-img.com

Type:   urn:acme:error:connection

Detail: Failed to connect to host for DVSNI challe


提示:需要关闭防火墙。执行命令:
service iptables stop


2.下载完成之后,执行 
ls
 命令会看到当前目录下多了一个
letsencrypt
目录, 进入这个目录:

cd letsencrypt


3.准备安装,执行如下命令:

./letsencrypt-auto


接下来提示输入域名 多个用空格隔开





Congratulations!说明证书生成OK。

证书保存路径: 
/etc/letsencrypt/live/on-img.com/
下,on-img.com换成自己的域名即可。

第二阶段:使用证书

apache下,修改
ssl.conf
文件

<VirtualHost _default_s:443>
DocumentRoot "/var/www/html"
ServerName www.yourdomains.com:443
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/factorydirectsale.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/factorydirectsale.de/privkey.pem
</VirtualHost>


重点是指定2个地址。然后重启apache。

另:

还可以用另外的方式生成证书:

./letsencrypt-auto certonly --email 邮箱 -d 域名 --webroot -w /网站目录完整路径 --agree-tos


如果多个域名可以加多个-d 域名,注意替换上面的邮箱、域名和网站目录,注意这里的网站目录完整路径只是你单纯的网站目录也就是虚拟主机配置文件里的,如Nginx虚拟主机配置里的root,Apache虚拟主机配置里的DocumentRoot。

更多可以查看:http://www.vpser.net/build/letsencrypt-free-ssl.html

nginx如何配置?

nginx.conf

user  nginx;
worker_processes  2;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
worker_connections  1024;
}

http {

fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;

include       /etc/nginx/mime.types;
default_type  application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#Compression Settings
gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_proxied any;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Some version of IE 6 don't handle compression well on some mime-types,
# so just disable for them
gzip_disable "MSIE [1-6].(?!.*SV1)";
# Set a vary header so downstream proxies don't send cached gzipped
# content to IE6
gzip_vary on;
#end gzip

include /etc/nginx/conf.d/*.conf;

server {
listen  80;
listen  443 ssl;
server_name www.kitchenunion.com;
index index.html index.htm index.php;
root  /var/www/html;

ssl on;
ssl_certificate /etc/letsencrypt/live/www.kitchenunion.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.kitchenunion.com/privkey.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

if (!-e $request_filename) {
rewrite  ^(.*)$  /index.php?s=$1  last;
}

location ~ \.php(.*)$  {
fastcgi_pass   127.0.0.1:9000;
fastcgi_index  index.php;
fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
fastcgi_param  PATH_INFO  $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED  $document_root$fastcgi_path_info;
include        fastcgi_params;
}

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires      30d;
}

location ~ .*\.(js|css)?$
{
expires      1h;
}
}
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航