
Using Let's Encrypt with nginx

2016-06-29 15:04  351 views
Let's Encrypt is a free, publicly trusted SSL certificate authority. Its certificates are only valid for a short time, usually a few months, but because they are trusted everywhere it is still a very good option. The official site is https://letsencrypt.org; its Getting Started guide is worth reading. Below is a record of how to configure HTTPS on nginx and how to use Let's Encrypt.

First, download the Let's Encrypt client from GitHub:

git clone https://github.com/letsencrypt/letsencrypt
Then stop nginx:

sudo /srv/nginx/sbin/nginx -s quit


Next, run the Let's Encrypt client to obtain the certificate. Note that it has to be run with sudo or as root:

sudo /home/kid/lesencrypt/letsencrypt-auto certonly --standalone


When the client runs, Let's Encrypt uses yum or apt to install a few dependencies automatically. Once that finishes, the following screen appears:



Here you enter your e-mail address, which is used to recover the certificate. Press Enter to go to the next step.



Here Let's Encrypt shows you its terms of service; press Enter to agree.

Next, enter the domain names of the sites that HTTPS should protect. Note that multiple domain names are separated by spaces.



Once you see the following message, the certificate was issued successfully:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your
cert will expire on 2016-03-19. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le
Good: the certificate has been written under /etc/letsencrypt. One thing to watch out for, though: the certificate directory and files are owned by root, so the user nginx runs as needs read permission on them. Grant it with setfacl:

# live/ holds symlinks to the files in archive/, so nginx needs traverse (x) on both
# directories and read access on the certificate and key files themselves
setfacl -m u:nginx:x /etc/letsencrypt/live /etc/letsencrypt/archive
setfacl -R -m u:nginx:rX /etc/letsencrypt/live/example.com /etc/letsencrypt/archive/example.com


Finally, edit the nginx configuration file and enable HTTPS in the server block:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;    # leaf certificate plus intermediate chain
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;  # matching private key
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated today; TLSv1.2 (and TLSv1.3) is the current choice
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;   # ECDHE/DHE only, anonymous suites excluded


Start nginx:

sudo /srv/nginx/sbin/nginx


All done!
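Because the certificate is short-lived, the whole procedure has to be repeated before the expiry date printed by the client. As an added example that is not part of the original post, the standard-library Python script below reads the notAfter date straight out of fullchain.pem by walking its DER structure (no OpenSSL binding needed) and reports how many days remain, so a cron job can decide when to re-run letsencrypt-auto. The sample certificate it builds is a constructed, unsigned stand-in for a real fullchain.pem; on the server you would pass the contents of /etc/letsencrypt/live/example.com/fullchain.pem to days_left() instead.

```python
import base64, re
from datetime import datetime, timezone

def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no certificate in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    """Split a constructed DER value (SEQUENCE etc.) into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def not_after(der: bytes) -> datetime:
    """Certificate -> tbsCertificate -> validity -> notAfter, following the RFC 5280 field order."""
    fields = children(children(tlv(der, 0)[1])[0][1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version precedes serialNumber
        fields = fields[1:]
    tag, value = children(fields[3][1])[1]  # serial, sigAlg, issuer, validity{notBefore, notAfter}
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_left(pem: str, now: datetime = None) -> int:
    """Whole days until the leaf certificate expires; negative once it already has."""
    now = now or datetime.now(timezone.utc)
    return (not_after(pem_to_der(pem)) - now).days

def der(tag: int, payload: bytes) -> bytes:
    """Tiny DER encoder (short-form lengths only) used to build the sample below."""
    return bytes([tag, len(payload)]) + payload

def sample_cert_pem() -> str:
    """Constructed, unsigned stand-in for fullchain.pem; its expiry matches the post's output."""
    validity = der(0x30, der(0x17, b"151220000000Z") + der(0x17, b"160319000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, b"") + validity + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Only the leaf certificate is inspected; the intermediate in fullchain.pem is ignored because the leaf is what expires first.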