certbot安装https证书

 

1. 获取certbot客户端

   wget https://dl.eff.org/certbot-auto
   chmod a+x certbot-auto

    

2. 停止nginx服务器

   service nginx stop

    

3. 获取证书

   #--email [email protected]是通知邮箱,如果过期提醒等,-d m.xx.com是申请https证书的域名,xx.com是一级域名
   ./certbot-auto certonly --standalone --email [email protected] --agree-tos -d m.xx.com

    

4. 配置nginx ssl服务

   server {
       listen  443 ssl;
       server_name m.xx.com;
       ssl_certificate /etc/letsencrypt/live/m.xx.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/m.xx.com/privkey.pem;
       ssl_session_cache  builtin:1000  shared:SSL:10m;
     	ssl_session_timeout  5m;
     	ssl_session_tickets off;
     	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     	ssl_prefer_server_ciphers on;
     	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
       charset utf-8;
     	gzip_types text/css application/javascript;
     	error_log  /var/log/nginx/m.xx.com.error.log error;
     	client_max_body_size 30m;
       	
       location / {
           
       }
   }
   server {
       listen  80;
       server_name m.xx.com;
       location / {
       
       }
       #如果需要把http强制转换为https，需要配置以下内容
       if ( $host = m.xx.com ) {
           return 301 https://$host$request_uri;
       }
   }

    

5. netty配置长连接

   server {
       listen 443 ssl;
    		server_name netty.xx.com;
    		ssl_certificate  /etc/letsencrypt/live/netty.xx.com/fullchain.pem;
       ssl_certificate_key  /etc/letsencrypt/live/netty.xx.com/privkey.pem;
    		ssl_session_cache  builtin:1000  shared:SSL:10m;
   	  ssl_session_timeout  5m;
   	  ssl_session_tickets off;
   	  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       charset utf-8;
   	  gzip_types text/css application/javascript;
   	  error_log  /var/log/nginx/netty.xx.com.error.log error;
   	  client_max_body_size 30m;
   	
       location ^~ /netty/ {
        		proxy_pass http://127.0.0.1:9090$request_uri;
        		proxy_set_header Host $http_host;
        		proxy_set_header X-Real-IP $remote_addr;
        		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        		proxy_set_header X-Forwarded-Proto $scheme;
        		proxy_http_version 1.1;
        		proxy_set_header Upgrade $http_upgrade;
        		proxy_set_header Connection $http_connection;	       
        		proxy_connect_timeout 60s; 
        		proxy_read_timeout 2000s;
        		proxy_send_timeout 60s;
       }
   }

    

6. 启动nginx服务器

   service nginx start

    

7. 查看所有证书

   certbot-auto certificates

    

8. 更新所有证书

   certbot-auto renew

    

9. 撤销指定证书

   ./certbot-auto revoke --cert-path /etc/letsencrypt/live/m.xx.com/cert.pem