Configuring a free SSL certificate

Configuring HTTPS (if the server already has these installed, you can start directly from Part Two)
Part One. Basic environment
1. Install dependencies ## skip if already installed
yum install openssl
yum install epel-release -y
2. Generate 2048-bit DH parameters:
$ sudo openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048
3. Install the certbot tool
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto  (grant execute permission)
Part Two. Domain validation
1. nginx configuration file ## it is best to set up the challenge directory like this
location /.well-known/acme-challenge/ {
allow all;
}
2. Generate the certificate; the first time the following command runs it will need to install some dependency packages
sudo /usr/sbin/certbot-auto certonly --webroot -w /home/wwwroot/www.qwwq.com/public -d www.qwwq.com,pgkid.com --email your-email@163.com ## replace with your own directory, domains and email address

On the first run it is not recommended to auto-accept the terms with --agree-tos
3. If you use Apache, remove Apache's interference
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org
service httpd restart
4. Modify the nginx configuration file
Add the following on the line below listen 80.
if ($scheme = http)
{
#return 301 https://$server_name$request_uri; ## forced redirect to HTTPS; remove the leading # to enable it
}
listen 443 ssl http2;
#listen [::]:443 ssl http2;

location ~ /.well-known {
allow all;
}
## the only lines in the config file that really need changing are these two
ssl_certificate /etc/letsencrypt/live/hs.123.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hs.123.com/privkey.pem;
##
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 20m;
ssl_dhparam /etc/letsencrypt/live/dhparams.pem; ## best to keep this the same as the path used when generating it in Part One

5. Reload nginx: nginx -s reload
6. Open the firewall port ## optional
firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --list-all  ## check the result


7. Test in the browser
8. Automatic certificate renewal

    • 0 0 */5 * * /home/ssl/certbot-auto renew --quiet > /dev/null 2>&1 ; /usr/bin/nginx -s reload ## set the paths to your own server's executables; the minute and hour fields are assumed as 0 0 (every 5 days at midnight), since only the last three fields survived in the original

The complete configuration file is attached below

server
    {
        listen 80;
        if ($scheme = http){
           return 301 https://$server_name$request_uri;
        }
        listen 443 ssl http2;

        server_name your-domain;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/project-root;
        ## rewrite rule that ThinkPHP (tp) requires
        if (!-e $request_filename) {
           rewrite  ^(.*)$  /index.php?s=$1  last;
           break;
        }

        ## the two keys generated by SSL (certbot)
        ssl_certificate /etc/letsencrypt/live/zhao/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/zhao/privkey.pem;
        
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /etc/letsencrypt/live/dhparams.pem;

        include rewrite/other.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php-pathinfo.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }
        ## log output directory
        access_log  /home/wwwlogs/zhao.log;

    }
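Once the configuration above is deployed, three things are worth checking: how long the issued certificate has left, whether the ssl_protocols line still enables the deprecated TLSv1 and TLSv1.1 versions listed in this post, and whether the /.well-known/acme-challenge/ path from Part Two is still reachable over plain HTTP, because that is what the renewal cron job in step 8 depends on. The script below is an added example, not part of the original post; the paths /etc/letsencrypt/live/$DOMAIN and /etc/nginx/nginx.conf, and the DOMAIN and WEBROOT variables, are assumptions.

```bash
#!/usr/bin/env bash
# Post-deployment checks for the certbot webroot + nginx setup described above.
# Added example, not from the original post; paths are assumptions, adjust them.
set -u

# Days until the certificate in a PEM file expires (GNU date, as on CentOS).
cert_days_left() {
    local pem="$1" end
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2) || return 2
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Print the deprecated protocol versions enabled by ssl_protocols in an nginx
# config file; return 1 if any are present (the post's config still lists two).
weak_protocols() {
    local conf="$1" enabled found="" p
    enabled=$(grep -E '^[[:space:]]*ssl_protocols' "$conf" \
        | sed -E 's/^[[:space:]]*ssl_protocols[[:space:]]+//; s/;.*$//' | tr '\n' ' ')
    for p in SSLv3 TLSv1 TLSv1.1; do
        echo " $enabled " | grep -qF " $p " && found="$found $p"
    done
    echo "${found# }"
    [ -z "$found" ]
}

# Write a random token into the webroot and fetch it over plain HTTP, which is
# what certbot renew does; fails if the HTTPS redirect or a deny rule blocks it.
challenge_reachable() {
    local domain="$1" webroot="$2" dir token body
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" && echo "$token" > "$dir/$token" || return 2
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Run all checks when DOMAIN is set, e.g.
#   DOMAIN=www.qwwq.com WEBROOT=/home/wwwroot/www.qwwq.com/public ./check.sh
if [ -n "${DOMAIN:-}" ]; then
    live="/etc/letsencrypt/live/$DOMAIN"   # certbot's default live directory (assumed)
    echo "days left: $(cert_days_left "$live/fullchain.pem")"
    weak=$(weak_protocols /etc/nginx/nginx.conf) || echo "deprecated protocols enabled: $weak"
    challenge_reachable "$DOMAIN" "${WEBROOT:?set WEBROOT}" && echo "challenge path OK" \
        || echo "challenge path NOT reachable over HTTP; renewal will fail"
fi
```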
