Let's Encrypt: https://github.com/certbot/certbot

```
git clone https://github.com/certbot/certbot.git
```
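Change the Python pip source to fix the install hanging at:

```
Installing Python packages...
```

Create the file ~/.pip/pip.conf in the current user's home directory with the following content:

```
[global]
# Fetch packages over HTTPS so pip verifies the mirror's certificate;
# no trusted-host entry is needed with an https index-url.
index-url = https://mirrors.aliyun.com/pypi/simple/
```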
If you use the official script, replace every `certbot` in the commands below with `./certbot-auto`.
 
```
./certbot-auto certonly --webroot -w /home/wwwroot/rails/xxx/public -d www.xxx.com
```
If the server is configured correctly and the command-line arguments are right, the command completes successfully with the following message:

```
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.xxx.com/fullchain.pem. Your cert will
   expire on 2017-04-06. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run
   "certbot renew"
```

The message tells you that the certificate is stored under the /etc/letsencrypt/live/www.xxx directory, that it expires on 2017-04-06, and finally that the way to renew it is to run `certbot renew`.
OpenResty nginx.conf configuration:

```
listen 80;
listen 443 ssl http2 reuseport;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
```
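The `ssl_protocols` line above still enables TLS 1.0 and 1.1, and the cipher list keeps 3DES and static-RSA entries. The following Python check is an added example, not part of the original post; it audits those two directives, and its policy sets, function names and the tightened sample config are assumptions chosen for illustration.

```python
import re

# Policy assumed for this added example (not from the original post): SSLv2/SSLv3,
# TLS 1.0/1.1 (deprecated by RFC 8996), weak cipher keywords, and OpenSSL's
# "RSA"/"kRSA" selectors (static RSA key exchange, so no forward secrecy).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PARTS = {"3DES", "DES", "RC4", "MD5", "NULL", "aNULL", "eNULL", "EXPORT"}
STATIC_RSA_PARTS = {"RSA", "kRSA"}

def directive_args(conf, name):
    """Return the argument string of every `name ...;` directive in nginx config text."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    pattern = r"(?:^|(?<=[;{}]))\s*" + re.escape(name) + r"\s+([^;]+);"
    return [m.group(1).strip() for m in re.finditer(pattern, conf, re.M)]

def audit_tls(conf):
    """Return (directive, value, reason) findings for weak TLS settings."""
    findings = []
    for args in directive_args(conf, "ssl_protocols"):
        for proto in args.split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(("ssl_protocols", proto, "deprecated protocol version"))
    for args in directive_args(conf, "ssl_ciphers"):
        for token in args.strip("'\"").split(":"):
            if token.startswith(("!", "-")):  # exclusions remove suites, never enable them
                continue
            parts = set(token.lstrip("+").split("+"))
            if parts & WEAK_CIPHER_PARTS:
                findings.append(("ssl_ciphers", token, "weak cipher or digest"))
            if parts & STATIC_RSA_PARTS:
                findings.append(("ssl_ciphers", token, "static RSA key exchange"))
    return findings

# The ssl_protocols / ssl_ciphers lines from the nginx.conf in this post.
PAGE_CONF = """
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers      EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
"""
# Constructed tightened variant (assumes an nginx/OpenSSL build with TLS 1.3 support).
TIGHTENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
"""

if __name__ == "__main__":
    for label, conf in (("post", PAGE_CONF), ("tightened", TIGHTENED_CONF)):
        print(label)
        for directive, value, reason in audit_tls(conf):
            print(f"  {directive}: {value} -> {reason}")
```

Dropping the legacy protocols and suites cuts off very old clients, so check which clients the site must serve before applying the tightened variant.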
## Automatically redirect HTTP to HTTPS

```
server {
    listen 80;
    server_name www.bnlt.org;
    # No space between the variables: the redirect target is a single argument.
    return 301 https://$server_name$request_uri;
}
```
Original author: https://bnlt.org/zai-centos-6-he-nginx-zhong-bu-shu-lets-encrypt-de-ssl-zheng-shu/