用云旺的做IM，ios端圖片地址只能是https的才能顯示，所以為服務(wù)器增加證書

Let’s Encrypt是一個(gè)免費(fèi)并且開源的CA，且已經(jīng)獲得Mozilla、微軟等主要瀏覽器廠商的根授信

1. 下載let's encrypt

apt-get install python-software-properties apt-get install software-properties-common sudo add-apt-repository ppa:certbot/certbot apt-get update apt-get install certbot

2.生成密鑰

certbot certonly --standalone -d XXX.com

出現(xiàn)下面代表成功

root@iZ2zedq9lexkebewgjhhwzZ:/etc/letsencrypt# certbot certonly --standalone -d 51best.site Saving debug log to /var/log/letsencrypt/letsencrypt.log Obtaining a new certificate Performing the following challenges: tls-sni-01 challenge for XXX.com Waiting for verification... Cleaning up challengesIMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/XXX.com/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/XXX.com/privkey.pemYour cert will expire on 2017-12-27. To obtain a new or tweakedversion of this certificate in the future, simply run certbotagain. To non-interactively renew *all* of your certificates, run"certbot renew"- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donateDonating to EFF: https://eff.org/donate-le

默認(rèn)是在 /etc/letsencrypt/live 路徑下

3. 配置nginx

（1）方式一

listen 80 ;
listen 443 ssl; ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; listen [::]:443 ssl ipv6only=on;

（2）方式二

listen 443 ssl; ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; listen [::]:443 ssl ipv6only=on;

通過https訪問，成功。

通過http訪問，失敗。錯(cuò)誤：ERR_CONNECTION_REFUSED

重定向http訪問到https

server {listen 80;server_name XXX.com;rewrite ^(.*) https://$server_name$1 permanent; }

訪問http，成功

4. 重啟nginx

/etc/init.d/nginx restart

http://XXX.com和https://XXX.com都可以訪問

5.續(xù)期

　　Let’s Encrypt 生成的免費(fèi)證書為3個(gè)月時(shí)間，使用 certbot renew 可以無限免費(fèi)續(xù)簽 Https 證書

先關(guān)閉nginx

/etc/init.d/nginx stop certbot renew --dry-run
certbot renew

重啟nginx

/etc/init.d/nginx restart

?注：

　　如果遇到?[error] open() "/run/nginx.pid" failed (2: No such file or directory)

nginx -c /etc/nginx/nginx.conf

?

總結(jié)

以上是生活随笔為你收集整理的阿里云Ubuntu 14.04 + Nginx + let's encrypt 搭建https访问的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。