Using Let's Encrypt to Configure SSL for Nginx on a VPS

Previously we talked about how to enable full-site SSL for a website. Now let's look at how to enable a Let's Encrypt certificate for Nginx on a VPS and renew it automatically.

This article is fairly old. I have written a newer article about letsencrypt configuration that you may want to refer to: letsencrypt tool renamed certbot


Set the environment

First of all, we should prepare the installation environment. This time I am using CentOS 6.7 Final; if you are using Ubuntu, some details may differ, but it should be similar. Some of the following are already built into your VPS, some you need to update, and others are not installed yet:

In addition, you need pip. If it is not preinstalled on your VPS, please refer to this article to upgrade.

Installation

Here we assume that you have already configured Nginx. Now we clone the Let's Encrypt package from GitHub:

Now enter the Let's Encrypt directory and run letsencrypt-auto to let it complete its initialization.

Here you might encounter the error "virtualenv: command not found". In that case, run pip install virtualenv to install the missing package, then run the initialization again.

Once the initialization is complete, we can get the certificate signed!

Use the built-in plug-in to obtain a certificate

The benefit of using the built-in WebRoot plug-in to obtain a certificate is that we can directly use the HTTP service Nginx already provides, without temporarily shutting down Nginx to free port 80!

Edit the Nginx configuration file /usr/local/nginx/conf/nginx.conf and insert the following in the appropriate location:

The modified configuration file should look like this:

Remember to insert it inside the braces of the server block.

Now you can restart Nginx: nginx -t && service nginx restart. If an error occurs, it means your configuration file was not modified correctly.

Next, use the following command to obtain a certificate. During the process you will be asked to agree to the terms and to enter an email address, which is used to recover and update the key in the future:

It is worth mentioning that you need root privileges to run it. In addition, your domain name must point directly to your VPS address. If you use something like a CDN or accelerated DNS, you need to disable it first, because it hides your server's real IP.

Upon successful completion, you should be able to find your certificate in the /etc/letsencrypt/live/your_domain_name directory!

Then execute the following command to generate a Diffie-Hellman key to enhance security:

After a lengthy wait, the next step is to configure Nginx to use SSL.

Configuring SSL in Nginx

In short, find the configuration file for the corresponding site in your Nginx configuration directory. You will find that it only listens on port 80. We change that first:

This makes Nginx automatically redirect to HTTPS when it receives an HTTP request.

Then we add a listener on port 443, starting at the top level of the same configuration file:

Note that you should change example.com to your own domain, and change the line root /usr/share/nginx/html; to your web directory.
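The configuration described in the two Nginx steps above (the challenge location for the WebRoot plug-in, the HTTP-to-HTTPS redirect and the 443 listener) could fit together as follows. This is an added example, not the configuration from the original post; example.com, the dhparam path /etc/ssl/certs/dhparam.pem and the cipher list are assumptions.

```nginx
# Added example; example.com, the dhparam path and the cipher list are assumptions.
server {
    listen 80;
    server_name example.com www.example.com;

    # Serve the ACME HTTP-01 challenge files that the webroot plug-in writes,
    # so issuance and renewal never require stopping Nginx.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type text/plain;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /usr/share/nginx/html;

    # Files created by Let's Encrypt under /etc/letsencrypt/live/<domain>/
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Diffie-Hellman file generated in the earlier step (path assumed).
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLSv1.3 can be added on nginx 1.13+ built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Keeping the challenge location on port 80 outside the redirect means later renewals through the WebRoot plug-in keep working after the site has moved to HTTPS.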

Now restart Nginx again with nginx -t && service nginx restart, then open the page in a browser to test the result: https://www.ssllabs.com/ssltest/analyze.html?d=www.logcg.com

Don't worry, there is renewal

Since Let's Encrypt certificates are issued free of charge, for safety they are valid for only three months. Let's Encrypt itself also encourages using automated configuration to handle renewal. In short, you can run ./letsencrypt-auto renew to renew manually, or you can use Linux's own task scheduling facility.

If you get a command-not-found error when running this command, use the following command to install it:

In short, write the following in the file that opens:

This adds a task that renews the certificate at half past three every Monday, which ensures that your certificate is always up to date.

Original article written by Gerber drop-off: R0uter's Blog » Using Let's Encrypt to Configure SSL for Nginx on a VPS

When reproducing, please keep the source and this link: https://www.logcg.com/archives/1709.html

Published by R0uter's Blog

Unless otherwise stated, the articles I write are original. When reproducing, please indicate the link to this page and my name.

Join the Conversation

26 Comments


          1. Oh, thanks ~ this is also good for temporary use. I set up a scheduled task that automatically checks for renewal weekly, and currently I have no wildcard-domain requirement. I'll come find you in the future if I do ~ XD

      1. I also use standalone, but it temporarily shuts down the web server.
        If you use a CDN, I actually do not know how I would configure the certificate (I also used a self-signed certificate on the server instead) ......
        I just went and tested cf; neither enabling Development Mode nor Pause website works.

          1. I used to use cf, but later its nodes were largely walled off, so I stopped. Later cf collaborated with Baidu or someone in China, and then the international edition seems to have left me to die. Anyway, my site is fast enough now, so running it directly is just fine.

          2. cf cooperates with Baidu in China; it is called "Baidu Cloud Acceleration". With your server in Hong Kong it will inevitably be fast ~ Actually, I am thinking about whether I should resolve back to the mainland, because I did not get my domain name resolved to the record on Tencent Cloud.