Since I am requesting SSL certificates for several domains at once, the simplest approach is to first stop whatever program is occupying port 80.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
The generated certificates end up in the /etc/letsencrypt/live/yourdomain directory.
Use the openssl tool to generate DH parameters:
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
Finally, modify the nginx configuration file:
ssl on;
ssl_certificate /etc/letsencrypt/live/lengxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lengxx.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK:!RC4;
ssl_session_timeout 5m;
ssl_session_cache builtin:1000 shared:SSL:10m;
add_header Strict-Transport-Security "max-age=31536000";
With this configuration, the test at https://www.ssllabs.com/ should give a grade of A.
Renew after 2 months:
./letsencrypt-auto renew --email youremail@gmail.com --agree-tos
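A renewal check to run before the renew step above, added here as an example and not part of the original post: it reads the live fullchain.pem the post installs and reports whether the certificate expires within a chosen window. The 30-day window and the self-signed demo certificate (used only when the live file is absent) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed.

# cert_needs_renewal PEM [DAYS]
# exit 0: expires within DAYS (renew now); 1: still fine; 2: unreadable PEM
cert_needs_renewal() {
    pem="$1"
    days="${2:-30}"   # assumed default window
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_expiry PEM: print the notAfter date as a human-readable reminder
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# make_demo_cert OUT DAYS: constructed self-signed certificate, so the check
# can be exercised offline without a real Let's Encrypt certificate
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$2" -subj "/CN=demo.example" >/dev/null 2>&1
}

main() {
    live=/etc/letsencrypt/live/lengxx.com/fullchain.pem   # path from the post
    demo=""
    if [ -r "$live" ]; then
        pem="$live"
    else
        demo="$(mktemp)"; make_demo_cert "$demo" 10   # demo cert: 10 days left
        pem="$demo"
    fi
    echo "certificate $pem expires: $(cert_expiry "$pem")"
    if cert_needs_renewal "$pem" 30; then
        echo "within 30 days of expiry: run ./letsencrypt-auto renew"
    else
        echo "more than 30 days left, nothing to do"
    fi
    [ -n "$demo" ] && rm -f "$demo"
}
main "$@"
```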
Learned something.