https://letsencrypt.org/getting-started/
First, let's get started by obtaining a certificate from Let's Encrypt.
sudo certbot certonly --standalone -w /home/errong_leng/local/nginx/certs -d errong.win -d www.errong.win -d freevpn.errong.win -d blog.errong.win
Replace the domains with your own server's domain names.
errong_leng@blogvpn:~/local/nginx/certs$ sudo certbot certonly --standalone -w /home/errong_leng/local/nginx/certs -d errong.win -d www.errong.win -d freevpn.errong.win -d blog.errong.win
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for errong.win
tls-sni-01 challenge for www.errong.win
tls-sni-01 challenge for freevpn.errong.win
tls-sni-01 challenge for blog.errong.win
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/errong.win/fullchain.pem. Your cert will
expire on 2017-08-16. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
OK. Now we have our certificates.
errong_leng@blogvpn:~/local/nginx$ sudo ls -all /etc/letsencrypt/live/errong.win
total 12
drwxr-xr-x 2 root root 4096 May 18 03:39 .
drwx------ 3 root root 4096 May 18 03:39 ..
lrwxrwxrwx 1 root root 34 May 18 03:39 cert.pem -> ../../archive/errong.win/cert1.pem
lrwxrwxrwx 1 root root 35 May 18 03:39 chain.pem -> ../../archive/errong.win/chain1.pem
lrwxrwxrwx 1 root root 39 May 18 03:39 fullchain.pem -> ../../archive/errong.win/fullchain1.pem
lrwxrwxrwx 1 root root 37 May 18 03:39 privkey.pem -> ../../archive/errong.win/privkey1.pem
-rw-r--r-- 1 root root 543 May 18 03:39 README
errong_leng@blogvpn:~/local/nginx$ sudo cat /etc/letsencrypt/live/errong.win/README
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
Now, let's configure nginx with the new certificates.
server {
    listen 80;
    listen 443 ssl;
    server_name ~^(.+)?\.errong\.win$;

    ssl_certificate     /etc/letsencrypt/live/errong.win/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/errong.win/privkey.pem;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Send the bare domain to www. The redirect target stays on https so a
    # visitor who arrived over TLS is not bounced back to plain HTTP.
    if ($host = errong.win) {
        rewrite ^ https://www.errong.win permanent;
    }

    #charset koi8-r;
    #access_log logs/host.access.log main;

    location / {
        # $1 is the subdomain captured by server_name, e.g. "blog" -> vhosts/blog
        root  vhosts/$1;
        index index.html index.htm;
    }
}
Remember to reload your nginx server so it picks up the new configuration:
sudo sbin/nginx -s reload
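A post-deploy check for the files certbot wrote, as an added example that is not part of the original post. It assumes openssl and certbot are on PATH, defaults to the live directory and domains used in this post, and verifies that the leaf certificate covers every requested name, that privkey.pem belongs to it and how close it is to the 90-day expiry; the renewal helper at the end works while nginx holds ports 80 and 443.

```shell
#!/bin/sh
# Post-deploy check, added here; not from the original post. Needs only openssl
# (plus certbot for renewal); dir and domains default to the ones used above.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/errong.win}"
DOMAINS="${DOMAINS:-errong.win www.errong.win freevpn.errong.win blog.errong.win}"

# DNS names in the leaf's subjectAltName, one per line. 'openssl x509' reads
# only the first PEM block of fullchain.pem, which is the leaf certificate.
cert_san_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
# Succeed only if DOMAIN is named exactly in the leaf (no wildcard logic).
cert_covers_domain() {
    cert_san_names "$1" | grep -qx "$2"
}
# Succeed if the leaf expires within DAYS. Let's Encrypt certificates live
# 90 days and 'certbot renew' only acts once fewer than 30 remain.
cert_expiring_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
# Succeed if privkey.pem belongs to the leaf; a mismatch makes nginx refuse
# the ssl_certificate/ssl_certificate_key pair at startup.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run every check against one live directory; non-zero if anything failed.
check_live_dir() {
    dir=$1; shift; status=0
    for d in "$@"; do
        if cert_covers_domain "$dir/fullchain.pem" "$d"; then echo "ok   SAN $d"
        else echo "FAIL SAN $d is not in the certificate"; status=1; fi
    done
    if cert_expiring_within "$dir/fullchain.pem" 30; then
        echo "WARN leaf expires within 30 days, renew now"; status=1
    fi
    if key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "ok   privkey.pem matches fullchain.pem"
    else echo "FAIL privkey.pem does not match fullchain.pem"; status=1; fi
    return $status
}

# --standalone needs ports 80/443 free, which nginx now holds: stop it around
# the renewal and start it again, so cron can run this unattended.
renew_and_restart() {
    certbot renew --quiet --pre-hook "nginx -s stop" --post-hook "nginx"
}

# $DOMAINS is deliberately unquoted so each domain becomes one argument.
if [ -d "$LIVE_DIR" ]; then check_live_dir "$LIVE_DIR" $DOMAINS; fi
```

Run it after every deploy and after each renewal; a WARN or FAIL line exits non-zero, so it can gate a cron job or a deploy script.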
As you can see, all the websites now show the little green lock in the browser.
https://www.errong.win https://blog.errong.win https://freevpn.errong.win