Free SSL certificates with Let's Encrypt (SSL/TLS): FreeBSD + NGINX configuration tutorial

Let's Encrypt is a free certificate authority that has become very popular recently. It is a public-benefit project run by ISRG (Internet Security Research Group) that issues certificates fully automatically; the trade-off is that each certificate is valid for only 90 days.

This article covers how to request a Let's Encrypt certificate, manage it, renew it automatically, and configure HTTPS in nginx.
First install the certbot client. On Linux it is installed with the distribution's package manager (yum on CentOS/RHEL), which is not repeated here; this article uses FreeBSD as the example.

On FreeBSD it is recommended to build and install it from ports:

[root@freebsd:~]# cd /usr/ports/security/py-certbot && make install clean

After installation, run the following command to obtain a certificate; replace the e-mail address below with your own.

If you have more than one domain, append an extra -d yourdomain.com for each one.

The --webroot authenticator answers the ACME HTTP-01 challenge by placing a file under /usr/local/www/nginx/.well-known/acme-challenge/, so before running it nginx must already be serving that directory over plain HTTP on port 80 for every name given with -d, and each name must resolve to this host from the internet. Adding --dry-run to the command first performs the whole exchange against the Let's Encrypt staging environment without consuming the issuance rate limits.

[root@freebsd:~]# certbot certonly -m luffy@qi-cloud.com --agree-tos --webroot -w /usr/local/www/nginx -d qi-cloud.com -d www.qi-cloud.com

When issuance completes, certbot prints a summary like the one below (this sample output was captured for a different domain, which is why the path shows gnustav.org; for the command above the directory is named qi-cloud.com):

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/gnustav.org/fullchain.pem. Your
   cert will expire on 2016-12-16. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate is stored under the following paths, named after the first domain passed with -d. The file under renewal/ records the parameters certbot will reuse when renewing; live/ contains symlinks that certbot repoints to the newest files on every renewal, so nginx should always reference live/ rather than the numbered files in archive/. privkey.pem is created readable by root only; leave it that way, since the nginx master process reads the key as root before dropping privileges to the worker user.

/usr/local/etc/letsencrypt/renewal/qi-cloud.com.conf
/usr/local/etc/letsencrypt/live/qi-cloud.com/

Edit the nginx configuration file: vi /usr/local/etc/nginx/nginx.conf

server
{
        listen  80;
        listen  443 ssl http2;
        server_name     qi-cloud.com;
        server_name     www.qi-cloud.com;

        # Redirect every plain-HTTP request to HTTPS. Let's Encrypt's HTTP-01
        # validator follows this redirect, so renewals keep working as long as
        # the HTTPS side serves the same root. The very first issuance must
        # happen before the ssl_certificate lines below are added, because
        # nginx refuses to start while the referenced files do not exist.
        if ($scheme = http) {
                return   301 https://$host$request_uri;
        }

        # Site root (this is also the certbot --webroot directory)
        index   index.html index.htm index.php;
        root /usr/local/www/nginx;

        # Let's Encrypt certificate. live/ holds symlinks that certbot repoints
        # on every renewal, so these paths never need to change.
        ssl_certificate     /usr/local/etc/letsencrypt/live/qi-cloud.com/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/qi-cloud.com/privkey.pem;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
        # TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only; the CBC/SHA-1 suites that were in
        # the original list are dropped. Names OpenSSL does not know are ignored.
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
        ssl_prefer_server_ciphers on;
        # Pinning a single curve (secp384r1) rejects clients that only offer
        # X25519 or P-256. A list needs nginx 1.11.0+ with OpenSSL 1.0.2+;
        # X25519 itself needs OpenSSL 1.1.0+.
        ssl_ecdh_curve X25519:prime256v1:secp384r1;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1440m;
        # nginx only generates a new ticket key at (re)start. One long-lived
        # key that decrypts every resumed session undermines forward secrecy,
        # so keep tickets off unless you rotate ssl_session_ticket_key yourself.
        ssl_session_tickets off;

        # OCSP stapling; this is what the resolver below is needed for.
        # chain.pem is the issuing intermediate, which signs the OCSP responses.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/etc/letsencrypt/live/qi-cloud.com/chain.pem;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;

        # HSTS: tell browsers to use HTTPS only. Start with a short max-age
        # and raise it once the redirect is known to work for every hostname.
        add_header Strict-Transport-Security "max-age=300" always;

        .........
}

Let's Encrypt certificates are valid for only 90 days. Run the command below to renew them. certbot renew re-reads the settings saved under renewal/, so repeating --webroot -w is harmless but not required; it only renews certificates that are within 30 days of expiry and exits quietly otherwise, which is what makes it safe to run unattended. Adding --dry-run here as well tests the renewal against the staging environment first.

[root@freebsd:~]# certbot renew --webroot -w /usr/local/www/nginx

You can also schedule it in crontab so it runs every day at 05:00. One thing the bare command does not do is tell nginx about the new files: nginx keeps serving the certificate it loaded at startup until it is reloaded. --deploy-hook (certbot 0.17 and later; older releases spell it --renew-hook) runs a command only when a certificate was actually renewed, so the hook below reloads nginx exactly when needed and never otherwise.

[root@freebsd:~]# crontab -e

0 5 * * * /usr/local/bin/certbot renew --webroot -w /usr/local/www/nginx --deploy-hook "service nginx reload"

Then reload nginx so it picks up the renewed certificate. reload re-reads the configuration and certificate files without dropping open connections, whereas restart does; after editing nginx.conf by hand, run service nginx configtest first so a typo cannot take the site down.

[root@freebsd:~]# service nginx reload
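The crontab line above renews the files under live/ but does not verify them, and a blind restart from cron drops connections for nothing. The script below is an added example, not certbot's or the original post's code: a certbot deploy hook for FreeBSD that runs only when a certificate was actually renewed, checks that the new fullchain.pem and privkey.pem belong together and that the certificate is good for more than 30 days, tests the nginx configuration, and only then reloads nginx. The installation path, the nginx binary location and the qi-cloud.com lineage name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a certbot deploy hook that
# verifies a renewed Let's Encrypt certificate before nginx starts serving it.
#
# Install as /usr/local/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# (executable), or pass it explicitly:
#     certbot renew --deploy-hook /usr/local/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# certbot runs deploy hooks only for lineages it actually renewed and exports
# RENEWED_LINEAGE, e.g. /usr/local/etc/letsencrypt/live/qi-cloud.com (assumed name).
# Assumptions: nginx's rc script is "service nginx" and its binary is
# /usr/local/sbin/nginx (FreeBSD ports layout).

# Does the public key in the certificate match the private key?  A mismatch
# (a half-written or wrong file) would make nginx refuse to start or reload.
cert_matches_key() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the certificate still valid $2 seconds from now?  openssl's -checkend
# exits 0 when it is. It behaves the same on GNU and BSD userlands, unlike
# date arithmetic on the "notAfter" string, which differs between the two.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Full deploy step for one lineage directory: validate, test config, reload.
# "reload" keeps existing connections open; "restart" drops them.
deploy_lineage() {
    lineage=$1
    fullchain="$lineage/fullchain.pem"
    privkey="$lineage/privkey.pem"

    cert_matches_key "$fullchain" "$privkey" || {
        echo "deploy hook: $fullchain does not match $privkey, not reloading" >&2
        return 1
    }
    # A freshly renewed certificate is good for 90 days; fewer than 30 days
    # left means certbot handed us something stale or the clock is wrong.
    cert_valid_for "$fullchain" $((30 * 24 * 3600)) || {
        echo "deploy hook: $fullchain expires within 30 days, not reloading" >&2
        return 1
    }
    /usr/local/sbin/nginx -t || return 1
    service nginx reload
}

# certbot calls the hook with RENEWED_LINEAGE set; only then do we act, so the
# functions above can also be sourced and used from other scripts.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE"
fi
```

Placed in the renewal-hooks/deploy/ directory named in the header, certbot 0.19 and later runs the script automatically after every successful renewal with RENEWED_LINEAGE set; with the cron line above, replace the quoted service command by the path to this script. To confirm which certificate nginx is actually serving after a reload, compare the date printed by openssl s_client -connect www.qi-cloud.com:443 -servername www.qi-cloud.com </dev/null | openssl x509 -noout -enddate with the one from openssl x509 -noout -enddate -in /usr/local/etc/letsencrypt/live/qi-cloud.com/fullchain.pem; if they differ, the reload did not happen.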

Open https://www.qi-cloud.com in a browser and the connection is shown as secure with the new certificate.