Adding a free SSL certificate on Linux

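Background

Every site that serves the public now needs SSL; it is basically a baseline requirement. Most SSL certificates cost money, though. Thanks for the free SSL service.

Environment

I am using a freshly bought aliyun ECS instance, the cheapest kind: 600 yuan for 5 years.

The stack was installed with the LNMP one-click installer. The next step is to install the program that requests the SSL certificate.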

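Install dependencies

The script is executed as root, so download it with wget's certificate verification left on (no --no-check-certificate).

# cd /root/
# wget https://dl.eff.org/certbot-auto
# chmod +x ./certbot-auto
# ./certbot-auto -n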

Generate the certificate

Replace the directory after -w with your own web root, and the names after -d with your own domains.

# ./certbot-auto certonly --email q5276@126.com --agree-tos --no-eff-email --webroot -w /home/wwwroot/default/ -d www.tingno.com -d tingno.com

A large block of output follows, after which the certificate has been issued.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.tingno.com
Using the webroot path /home/wwwroot/default for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.tingno.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.tingno.com/privkey.pem
   Your cert will expire on 2021-02-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


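The generated certificate files are saved under /etc/letsencrypt/live/www.tingno.com/; there are two .pem files (fullchain.pem and privkey.pem).

Configure nginx

Find the nginx configuration file; the default location is /usr/local/nginx/conf/nginx.conf. You can also download it, edit it by hand, and upload it again.

Inside it, add one more server block like the one below, with the domains replaced by your own.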

server
    {
        listen 443 ssl http2;  # note: this line is changed for HTTPS
        #listen [::]:443 ssl http2;  # note: this line is changed for HTTPS
        server_name tingno.com www.tingno.com;
        index index.html index.htm index.php;
        root  /home/wwwroot/default;

        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;
        
        ssl_certificate /etc/letsencrypt/live/www.tingno.com/fullchain.pem;    # certificate generated above; just change the domain
        ssl_certificate_key /etc/letsencrypt/live/www.tingno.com/privkey.pem;   # private key generated above; just change the domain
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;   # TLSv1 and TLSv1.1 removed: both are deprecated (RFC 8996)
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5";   # 3DES suites removed (64-bit block cipher)
        ssl_session_cache builtin:1000 shared:SSL:10m;

        location /nginx_status
        {
            stub_status on;
            access_log   off;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/access.log;
    }

Then reload nginx, and that's it.

# /usr/local/nginx/sbin/nginx -s reload

One issue: this certificate is only valid for 90 days. I suggest using crontab to run a scheduled job that renews it automatically. Once a month is fine.

$ crontab -e
0 0 1 * * /root/certbot-auto renew --disable-hook-validation --renew-hook "/usr/local/nginx/sbin/nginx -s reload"
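
Added example (not from the original post): a Python simulation of the two numbers in this section, the 90-day validity and the monthly cron job, showing how many days are left on the certificate each time a renewal actually happens. It assumes certbot's default of renewing only when fewer than 30 days remain, works at whole-day granularity, and compares the monthly schedule with a hypothetical daily one.

```python
from datetime import date, timedelta

LIFETIME = timedelta(days=90)   # certificate validity stated on the page
RENEW_WINDOW = 30               # assumption: certbot default, renew when < 30 days remain


def monthly_runs(start, end):
    """Yield the 1st of every month after start up to end (cron '0 0 1 * *')."""
    year, month = start.year, start.month
    while True:
        month += 1
        if month > 12:
            year, month = year + 1, 1
        run = date(year, month, 1)
        if run > end:
            return
        yield run


def daily_runs(start, end):
    """Yield every day after start up to end (hypothetical cron '0 0 * * *')."""
    day = start + timedelta(days=1)
    while day <= end:
        yield day
        day += timedelta(days=1)


def renewal_margins(issued, runs):
    """Return [(run_date, days_left)] for each run on which a renewal happens."""
    expiry = issued + LIFETIME
    margins = []
    for run in runs:
        days_left = (expiry - run).days
        if days_left < RENEW_WINDOW:      # inside the renewal window
            margins.append((run, days_left))
            expiry = run + LIFETIME       # a fresh 90-day certificate is issued
    return margins


if __name__ == "__main__":
    issued = date(2021, 2, 5) - LIFETIME  # expiry date from the certbot output above
    end = date(2022, 12, 31)              # constructed simulation horizon
    for name, runs in (("monthly", monthly_runs), ("daily", daily_runs)):
        m = renewal_margins(issued, runs(issued, end))
        worst = min(m, key=lambda x: x[1])
        print(f"{name}: {len(m)} renewals, thinnest margin {worst[1]} days on {worst[0]}")
```

A margin of 0 means the job runs on the day the certificate expires, so one failed run leaves an expired certificate in place until the following month.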

That's all.
