$ ls ~yifei/notes/

如何使用 letsencrypt

Posted on:

Last modified:

letsencrypt 现在终于支持通配符证书了。

certbot 比较坑爹的一点是 renew 时候使用的是和创建证书相同的参数,而且不能更改,也就是最好在创建证书的时候就选择使用 webroot 的方式。

install certbot

see ~/.dotfiles/installs/install_certbot.sh

create new cert

sudo certbot certonly --webroot -w /opt/spider/nginx/html/ -d shujutuzi.com -d www.shujutuzi.com

sudo certbot certonly --standalone --agree-tos --email kongyifei@gmail.com --domain g.yifei.me --preferred-challenges http --non-interactive

the cert is placed at /etc/letsencrypt/live/shujutuzi.com/

there will be four certs:

  • cert.pem: server certificate only.
  • chain.pem: root and intermediate certificates only.
  • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  • privkey.pem: private key (do not share this with anyone!).

install the cert

https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8

auto renew

create a cron job to run renew peroidcally

cerbot renew --pre-hook "/opt/nginx/sbin/nginx -s stop" --post-hook "/opt/nginx/sbin/nginx -s start" --quiet

optionally, you could generate a Strong Diffie-Hellman Group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Third, change you defautl server settings:

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    // optional
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
}

参考

  1. https://futurestud.io/tutorials/how-to-remove-pem-password-from-ssl-certificate
  2. https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
WeChat Qr Code

© 2016-2022 Yifei Kong. Powered by ynotes

All contents are under the CC-BY-NC-SA license, if not otherwise specified.

Opinions expressed here are solely my own and do not express the views or opinions of my employer.

友情链接: MySQL 教程站