安裝工具

yum install epel-release

wget https://dl.eff.org/certbot-auto --no-check-certificate

chmod +x certbot-auto

./certbot-auto -n

生成證書(shū)，定時(shí)任務(wù)

• 第一次生成證書(shū)

./certbot-auto certonly --email my@qq.com --agree-tos --no-eff-email --webroot -w /root/html/ -d www.pydict.com

上面命令中的/root/html/路徑表示nginx配置中的root目錄

如果有多個(gè)域名，命令后面繼續(xù)加 -d 參數(shù)就行

• 自動(dòng)更新證書(shū)

證書(shū)會(huì)有有效期，所以可以弄一個(gè)定時(shí)任務(wù)自動(dòng)更新證書(shū)

0 3 * * * /root/certbot-auto renew –disable-hook-validation –renew-hook “/usr/sbin/nginx -s reload”

這里表示每天凌晨3點(diǎn)更新一遍證書(shū)，如果證書(shū)沒(méi)有失效，不會(huì)起作用

/usr/sbin/nginx是nginx的實(shí)際路徑，可以用 which nginx 來(lái)定位位置

https配置

server {
    listen 443 ssl;
    server_name pydict.com;

    ssl_certificate /etc/letsencrypt/live/www.pydict.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.pydict.com/privkey.pem;

    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    access_log  logs/access.log  main;

    gzip on;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject  application/x-font-ttf  font/ttf     font/opentype font/x-woff  image/svg+xml;

    error_page  404 /404.html;
    error_page  500 502 503 504 /50x.html;

    client_max_body_size 75M;

    root    /root/html/otfsenter.github.io;
    location / {
        index index.html;
    }
}

http配置

server {
    listen  80;
    server_name pydict.com;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    charset utf-8;

    error_page  404 /404.html;
    error_page  500 502 503 504 /50x.html;

    client_max_body_size 75M;

    location / {
        return 301 https://www.pydict.com$request_uri;
    }
}

這個(gè)http的配置中，配置了一個(gè)301，這樣就算方位http也會(huì)重定向到https