Let's Encrypt supports wildcard domains

The wildcard certificate issued for *.yinhe.co does not cover the apex domain yinhe.co itself, so two certificates have to be requested.

1. Request the wildcard certificate

Reference: https://blog.csdn.net/wc810267705/article/details/79917688

# certbot certonly  -d *.yinhe.co --email you@email --server https://acme-v02.api.letsencrypt.org/directory  --preferred-challenges dns --manual

During the request, follow the prompts to set a DNS TXT record for the domain.

The output looks like this:

- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yinhe.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yinhe.co/privkey.pem
   Your cert will expire on 2021-01-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

2. Request the apex domain certificate

# certbot certonly --standalone -d yinhe.co

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yinhe.co-0001/privkey.pem
   Your cert will expire on 2021-01-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

What follows assumes that every subdomain redirects to the apex domain.

3. Configure the apex domain

Configuration reference: https://www.cnblogs.com/peteremperor/p/9994713.html

3.1 Create the Diffie-Hellman parameter file

openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048

3.2 Configuration explained

    # Path to the site's certificate file
    ssl_certificate      /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
    # Certificate private key
    ssl_certificate_key  /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;

    # Diffie-Hellman parameter file
    ssl_dhparam          /etc/letsencrypt/live/dhparams.pem;

    # Cipher suites the server may use
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    # Prefer the server's cipher order over the client's (applies to SSLv3 and TLS)
    ssl_prefer_server_ciphers  on;

    # Available SSL/TLS versions: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    # IE6 only supports SSLv2 and SSLv3, which have known security problems, so they are not enabled
    # (TLSv1 and TLSv1.1 are deprecated as well; on a current nginx/OpenSSL prefer TLSv1.2 TLSv1.3)
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;

    # Shared cache for sessions created after the TLS handshake; 1m holds roughly 4000 sessions
    ssl_session_cache          shared:SSL:50m;
    # Session timeout
    ssl_session_timeout        1d;

    # Used with load balancing; disabled here for now, see https://imququ.com/post/optimize-tls-handshake.html
    # Supported in 1.5.9 and later
    ssl_session_tickets off;

    # Browsers may check certificate validity online while establishing a TLS connection, which blocks the handshake and slows everything down. OCSP stapling is an optimisation: the server embeds the certificate authority's OCSP (Online Certificate Status Protocol) response alongside the certificate chain, so the browser can skip the online query. Fetching the OCSP response on the server is faster (servers usually have a better network path) and the response can be cached better. Source: https://imququ.com/post/my-nginx-conf-for-wpo.html
    # Supported in 1.3.7 and later
    ssl_stapling               on;
    ssl_stapling_verify        on;
    # Root certificate + intermediate certificate
    ssl_trusted_certificate    /etc/letsencrypt/live/yinhe.co-0001/chain.pem;

    # HSTS tells the browser to reach this domain only over HTTPS for the given max-age. Even if the user types an HTTP address or clicks an HTTP link, the browser rewrites it to HTTPS locally before sending the request. See https://imququ.com/post/sth-about-switch-to-https.html
    add_header Strict-Transport-Security max-age=60;

    # Put the original plain-HTTP configuration here

3.3 Clean version of the configuration

    #listen 80 default_server;
    #listen [::]:80 default_server;

    listen                  443 ssl http2;
    ssl                     on;
    ssl_certificate      /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
    ssl_dhparam          /etc/letsencrypt/live/dhparams.pem;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers  on;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        1d;
    ssl_session_tickets off;
    #ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
    add_header X-Frame-Options SAMEORIGIN;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

4. Redirects

4.1 Redirect subdomains to the apex domain

# subdomains redirect
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             *.yinhe.co;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/yinhe.co/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/yinhe.co/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co/chain.pem;
    return                  301 https://yinhe.co$request_uri;
}
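The intro states that the wildcard certificate does not cover the apex, and the block above relies on nginx's *.yinhe.co server_name. The two wildcard rules are not the same: a certificate wildcard matches exactly one label, while nginx's *.yinhe.co also matches deeper names such as a.b.yinhe.co. The following script, an added example that is not part of the original post, implements both matching rules and audits which certificate each host would be served with; the SAN lists and the apex block's server_name (not shown in section 3.3) are assumptions.

```python
# Added example, not from the original post: RFC 6125-style certificate name
# matching beside nginx server_name matching, to check that each HTTPS server
# block presents a certificate covering the hosts nginx routes to it.
# Hostnames, SAN lists and the apex block's server_name are assumptions.

def cert_name_matches(san: str, host: str) -> bool:
    """Does a SAN dNSName cover host? A wildcard stands for exactly one
    leftmost label, so *.yinhe.co covers www.yinhe.co but neither the apex
    yinhe.co nor the two-level a.b.yinhe.co."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # ".yinhe.co"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost

def nginx_name_matches(server_name: str, host: str) -> bool:
    """nginx server_name rules differ from certificates: '*.x' matches any
    number of labels below x, '.x' matches x and everything below it,
    anything else is an exact match."""
    server_name, host = server_name.lower(), host.lower()
    if server_name.startswith("*."):
        suffix = server_name[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    if server_name.startswith("."):
        return host == server_name[1:] or host.endswith(server_name)
    return server_name == host

# The two HTTPS server blocks from the post. The apex block's server_name is
# not shown in the post and is assumed to be yinhe.co. SAN lists are what
# Let's Encrypt issues for the -d value used in each certbot run.
SERVER_BLOCKS = [
    {"server_name": "yinhe.co",   "cert": "live/yinhe.co-0001", "sans": ["yinhe.co"]},
    {"server_name": "*.yinhe.co", "cert": "live/yinhe.co",      "sans": ["*.yinhe.co"]},
]

def audit(host: str) -> tuple:
    """Return (cert dir nginx would present, whether that cert covers host).
    Blocks are listed exact-name first, mirroring nginx's precedence."""
    for block in SERVER_BLOCKS:
        if nginx_name_matches(block["server_name"], host):
            covered = any(cert_name_matches(s, host) for s in block["sans"])
            return (block["cert"], covered)
    return ("", False)           # no server block matches this host
```

For a.b.yinhe.co the audit reports the wildcard block with an uncovered host: the browser rejects the handshake before the 301 is ever sent, so two-level subdomains are not redirected by this setup unless they get their own certificate names.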

4.2 Redirect HTTP to HTTPS

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name .yinhe.co;
    # SSL
    ssl_certificate         /etc/letsencrypt/live/yinhe.co/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/yinhe.co/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co/chain.pem;

    location / {
        return 301 https://yinhe.co$request_uri;
    }
}

5. Reinstalling nginx

5.1 Uninstall and reinstall nginx

cd ~
service nginx stop
apt-get --purge remove nginx*
apt autoremove
apt-get install nginx nginx-doc

5.2 Clean up certificates

Remove the related files under /etc/letsencrypt/

Renewing the HTTPS certificates

1. Temporarily stop nginx

2. Renew the apex domain certificate:

certbot certonly --standalone -d yinhe.co 

3. Renew the wildcard certificate:

certbot certonly -d *.yinhe.co --email your@email --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual

Follow the prompts to set the DNS TXT record again.

4. Restart nginx

Last modified: 2021-01-07 10:00 AM