Enabling SSL in Nginx for HTTPS access (using a free Let's Encrypt certificate) (2)


yum install python-argparse

# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse


4. Start the installation. nginx must be stopped first, because port 80 is needed for the validation connection.
#service nginx stop
#/opt/certbot-master/letsencrypt-auto --help

Alternatively, pass the domain and email address on the command line so you don't have to go through the interactive setup (the email address is used to receive urgent notices and to recover lost keys):
#/opt/certbot-master/letsencrypt-auto certonly --standalone --email <email address> -d <domain>

After running the command above, a dialog appears; accept the user agreement and then follow the on-screen prompts. Multiple domains are supported; just separate them with spaces or ASCII commas. If you use a VPS in mainland China, this step may fail because of DNS problems; try switching the VPS's DNS to a third-party resolver such as 8.8.8.8.

When it finishes, you will see the following notice:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/bnxb.com/fullchain.pem. Your cert will
  expire on 2017-08-16. To obtain a new version of the certificate in
  the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Let's
  Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

When the command finishes, the latest version of the certificate is at /etc/letsencrypt/live/<domain>/
There is one directory per domain, containing the following files:
cert.pem  the server certificate that was issued
privkey.pem  the private key matching the server certificate
chain.pem  every certificate other than the server certificate that browsers need to build the chain, such as the root and intermediate certificates
fullchain.pem  the complete certificate chain, including the server certificate

nginx uses fullchain.pem and privkey.pem; the others are certificates used by Apache.



5. Enable stronger encryption
The default uses SHA-1, which mainstream deployments now avoid; to ensure stronger security, we can use Diffie-Hellman key exchange with our own parameters.

#yum install openssl
#yum install openssl-devel
#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Complete configuration

server {
        # nginx listening ports: 443 is the default HTTPS port; "ssl" means HTTPS is used
        listen 80 default backlog=2048;
        listen 443 ssl;
        # server name
        server_name bnxb.com;
        # HTTPS certificate (public part, with the full chain)
        ssl_certificate /etc/letsencrypt/live/bnxb.com/fullchain.pem;
        # HTTPS certificate private key; keep it safe!
        ssl_certificate_key /etc/letsencrypt/live/bnxb.com/privkey.pem;
        # supported protocol versions (TLSv1 and TLSv1.1 are deprecated by RFC 8996; offer only TLSv1.2 where your clients allow it)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # nginx's default Diffie-Hellman parameters are 1024-bit, which is relatively weak, so replace them with the stronger ones generated above
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # supported cipher suites
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        # session cache timeout
        ssl_session_timeout 1d;
}
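The server block above still offers TLSv1/TLSv1.1, a 3DES suite and several static-RSA suites with no forward secrecy. As an added example (not code from the original post), the following Python script lints the ssl_* directives of such a block and reports those settings, and also catches a certificate/key pair read from different /etc/letsencrypt/live/<domain>/ directories; the embedded sample config is constructed from the directives shown above.

```python
import re

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSLv2/v3).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the ssl_* directives from the server block above.
SAMPLE_CONFIG = """
server {
    ssl_certificate /etc/letsencrypt/live/bnxb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bnxb.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
"""

def parse_directives(config):
    """Map each ssl_* directive to its value, with comments and quotes stripped."""
    directives = {}
    for line in config.splitlines():
        m = re.match(r"(ssl_\w+)\s+(.+?)\s*;$", line.split("#", 1)[0].strip())
        if m:
            directives[m.group(1)] = m.group(2).strip("'\"")
    return directives

def weak_protocols(directives):
    """Versions listed in ssl_protocols that should no longer be offered."""
    return [p for p in directives.get("ssl_protocols", "").split() if p in WEAK_PROTOCOLS]

def weak_ciphers(directives):
    """Enabled suites using 3DES or lacking forward secrecy. '!' exclusions are
    skipped; bare groups (AES, CAMELLIA) are reported since they expand to
    static-RSA suites too."""
    findings = []
    for suite in directives.get("ssl_ciphers", "").split(":"):
        if not suite or suite.startswith("!"):
            continue
        if "DES-CBC3" in suite:
            findings.append((suite, "3DES, 64-bit block (Sweet32)"))
        elif not suite.startswith(("ECDHE-", "DHE-", "kEDH")):
            findings.append((suite, "no forward secrecy"))
    return findings

def cert_key_mismatch(directives):
    """(cert_dir, key_dir) when cert and key come from different live/<domain>/ dirs, else None."""
    cert_dir = directives.get("ssl_certificate", "").rsplit("/", 1)[0]
    key_dir = directives.get("ssl_certificate_key", "").rsplit("/", 1)[0]
    return None if cert_dir == key_dir else (cert_dir, key_dir)
```

Run the three checks over parse_directives(SAMPLE_CONFIG) to see the findings; on the sample they report TLSv1 and TLSv1.1, the DES-CBC3-SHA suite and eight non-PFS entries.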