Nginx配置HTTPS证书

[chenshenhai]

注意: 本文章是生成 Let's Encrypt 免费HTTPS证书，有效期3个月，需要有域名的所有权，有一台线上服务器。

生成HTTPS证书

创建帐号

在服务器中建一个目录

mkdir my_ssl

cd my_ssl

openssl genrsa 4096 > account.key

创建 CSR 文件

openssl genrsa 4096 > domain.key

openssl req -new -sha256 -key domain.key -out domain.csr

后续过程要输入 域名信息

配置 Nginx 验证服务

server {
    server_name  example.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /home/xxx/www/my-ssl/;
        try_files $uri =404;
    }

    location / {
        rewrite ^/(.*)$ https://yoursite.com/$1 permanent;
    }
}

获取网站证书

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

结合中间证书和网站证书

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem --no-check-certificate

cat signed.crt intermediate.pem > chained.pem

结合根证书和中间证书

wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem --no-check-certificate

cat intermediate.pem root.pem > full_chained.pem

配置Nginx

server {
        listen       443 ssl;
        server_name  example.com;

        ssl_certificate     ~/www/my-ssl/chained.pem;
        ssl_certificate_key ~/www/my-ssl/domain.key;

        location / {
            proxy_pass      http:/example.com;
        }
    }

[chenshenhai]

/xxx/nginx/sbin/nginx -c /xxx/nginx/conf/nginx.conf

/xxx/nginx/sbin/nginx -s stop

[chenshenhai]

user root;
worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen  80;
        server_name   example.com www.example.com;
        location / {
            proxy_pass      http://127.0.0.1:8080;
        }
        location ^~ /.well-known/acme-challenge/ {
            alias ~/example.com/ssl/;
            try_files $uri =404;
        }
    }

    server {
        listen       6001;
        server_name  localhost;

        location / {
            root  ~/example.com/web/; 
            index index.html;
        }
    }

    server {
        listen       443 ssl;
        server_name  example.com;

        ssl_certificate     ~/example.com/ssl/chained.pem;
        ssl_certificate_key ~/example.com/ssl/domain.key;

        location / {
            proxy_pass      http://example.com;
        }
    }


}