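Applying for and Deploying an SSL Certificate on Alibaba Cloud

Applying for the certificate

This walkthrough uses an Alibaba Cloud Symantec certificate as the example.

Apply for a wildcard domain certificate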


In the xxx.cn server block, configure a location as follows.
Full configuration for reference:

    server {
        listen 443 ssl;
        server_name xxx.cn;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        set $mobile_rewrite do_not_perform;
        if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
            set $mobile_rewrite perform;
        }
        location / {
            if ($mobile_rewrite = perform) {
                root /usr/local/nginx/m/mobile;
            }
            if ($mobile_rewrite = do_not_perform) {
                root html;
            }
        }
        location /.well-known/pki-validation/fileauth.txt {
            root /usr/local/nginx/html;
        }
    }

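Upload the validation file fileauth.txt to the directory on the server that was configured in the previous step. In this example the directory is: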
/usr/local/nginx/html/.well-known/pki-validation

E:\wy>scp fileauth.txt root@ip:/usr/local/nginx/html/.well-known/pki-validation
root@ip's password:
fileauth.txt                                                                          100%   64     1.7KB/s   00:00

E:\wy>

Check the file:

[root@izwz96u1ukkfo2k pki-validation]# ll
total 4
-rw-r--r-- 1 root root 64 Feb 18 11:00 fileauth.txt
[root@izwz96u1ukkfo2k pki-validation]# pwd
/usr/local/nginx/html/.well-known/pki-validation
[root@izwz96u1ukkfo2k pki-validation]# 

Once that is done, test the configuration and reload nginx:

[root@izwz96u1ukkfo2k conf]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@izwz96u1ukkfo2k conf]# ../sbin/nginx -s reload

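Then run the validation and, once it passes, submit.

Wait for the review

Download and deploy the certificate

After the review passes, download the certificate and choose the nginx format.

Upload the certificate to the server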

E:\wy\ssl\3472164__xxx.cn_nginx>scp 3472164__xxx.cn.* root@ip:/usr/local/nginx/conf/ssl/www.xxx.cn
root@ip's password:
3472164__xxx.cn.key                                                              100% 1679    39.0KB/s   00:00
3472164__xxx.cn.pem                                                              100% 3671    61.1KB/s   00:00

E:\wy\ssl\3472164__xxx.cn_nginx>

Edit the nginx configuration file

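    server {
        listen 80;
        server_name www.xxx.cn xxx.cn;
        # A server-level return runs before any location is selected, so every
        # request on port 80 is redirected to HTTPS and the directives below
        # it in this block are never reached.
        return      301 https://$server_name$request_uri;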
        set $mobile_rewrite do_not_perform;
        if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
            set $mobile_rewrite perform;
        }
        location / {
            if ($mobile_rewrite = perform) {
                root /usr/local/nginx/m/mobile;
            }
            if ($mobile_rewrite = do_not_perform) {
                root html;
            }
        }
        location /.well-known/pki-validation/fileauth.txt {
            root /usr/local/nginx/html;
        }
        location = /50x.html {
            root html;
        }
        error_page 500 502 503 504 /50x.html;
    }
    server {
        listen 443 ssl;
        server_name www.xxx.cn;
        
        ssl_session_cache shared:SSL:1m;
        ssl_certificate ./ssl/www.xxx.cn/3472164__xxx.cn.pem;
        ssl_certificate_key ./ssl/www.xxx.cn/3472164__xxx.cn.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if
        # legacy clients still need them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        set $mobile_rewrite do_not_perform;
        if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
            set $mobile_rewrite perform;
        }
        location / {
            if ($mobile_rewrite = perform) {
                root /usr/local/nginx/m/mobile;
            }
            if ($mobile_rewrite = do_not_perform) {
                root html;
            }
        }
    }
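
The script below is an added example, not part of the original article. It checks that an uploaded private key is not readable by group or other (the fileauth.txt listing above shows an uploaded file arriving as `-rw-r--r--`), and audits each `listen ... ssl` server block for missing certificate directives and deprecated protocol versions. The function names and the sample configuration are constructed for illustration, and GNU `stat` is assumed.

```shell
# Added example (not from the article): two post-deployment checks.
# key_perms_ok FILE: succeed only if FILE grants nothing to group/other.
# Assumes GNU stat (Linux), like the server shown in the article.
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in 0|*00) return 0 ;; esac
    return 1
}
# audit_tls_conf [FILE...]: for each server block that listens with ssl, report
# missing certificate directives and deprecated protocol versions.
# Limitation: braces or "#" inside quoted strings are not handled.
audit_tls_conf() {
    awk '
    function report() {
        if (!ssl) return
        if (!cert) print name ": listen ssl without ssl_certificate"
        if (!key)  print name ": listen ssl without ssl_certificate_key"
        if (protos ~ /SSLv[23]|TLSv1([ \t;]|\.1)/) print name ": deprecated version in ssl_protocols"
    }
    { sub(/#.*/, "") }
    /^[ \t]*server[ \t]*[{]/ && !in_srv {
        in_srv = 1; base = depth + 0; name = "(unnamed)"; ssl = cert = key = 0; protos = ""
    }
    in_srv && $1 == "listen" && /[ \t]ssl[ \t;]/ { ssl = 1 }
    in_srv && $1 == "server_name"         { name = $2; sub(/;$/, "", name) }
    in_srv && $1 == "ssl_certificate"     { cert = 1 }
    in_srv && $1 == "ssl_certificate_key" { key = 1 }
    in_srv && $1 == "ssl_protocols"       { protos = $0 }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    in_srv && depth == base { report(); in_srv = 0 }' "$@"
}

# Constructed sample, condensed from the two 443 server blocks in the article.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name xxx.cn;
}
server {
    listen 443 ssl;
    server_name www.xxx.cn;
    ssl_certificate ./ssl/www.xxx.cn/3472164__xxx.cn.pem;
    ssl_certificate_key ./ssl/www.xxx.cn/3472164__xxx.cn.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}
```

Run `key_perms_ok` on the uploaded .key file and `chmod 600` it if the check fails; run `audit_tls_conf /usr/local/nginx/conf/nginx.conf` before reloading nginx.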

Installation complete; verify:

Before deployment:

After deployment:
