官网: https://certbot.eff.org/
安装教程:https://certbot.eff.org/#centos6-nginx
下载
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
生成证书
./certbot-auto certonly --nginx --email [email protected] --webroot -w /data/vhosts/xttan.com/wordpress -d www.xttan.com
自动更新
## 手动
./path/to/certbot-auto renew
## crontab
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/tanda/cronb/certbot-auto renew
配置
1.首先开启 ssl
listen 443 ssl;
server_name www.example.com;
ssl on;
ssl_certificate /etc/ssl/certs/xttan.crt;
ssl_certificate_key /etc/ssl/private/xttan.key;
其中 xttan.crt 是网站证书,xttan.key 是证书私钥
2.生成 dhparam.pem
cd /etc/letsencrypt/
openssl dhparam -out dhparam.pem 4096
##### 配置到nginx
ssl_dhparam /etc/ssl/certs/dhparam.pem;
协议和 ciphers 选择,ciphers 的选择比较关键,这个配置中的 ciphers 支持大多数浏览器,但不支持 XP/IE6 。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
3.ssl session 配置
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
4.HSTS 配置
这个对评分影响也比较大,但如果开启这个,需要全站开启 HTTPS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
server {
listen 443 ssl;
ssl on;
ssl_certificate /usr/local/nginx/cert/xttan.crt;
ssl_certificate_key /usr/local/nginx/cert/xttan.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
## ciphers 的选择
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
## session 配置
ssl_session_cache shared:SSL1:20m;
ssl_session_timeout 60m;
## HSTS 配置
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
location / {
# pass
}
}