Nodejs+Nginx+SSL(Letsencrypt)配置[菜鸟笔记]

Nginx预配置

server {
    listen               443 ssl; 
    server_name          example.com;
    server_tokens        off;#隐藏Nginx版本号

    # ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    ssl_ciphers  EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers  on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:whatever-SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS|PUT|DELETE|PATCH)$ ) {
        return           444;
    }

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root /usr/share/nginx/html;
    }

    location / {
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://127.0.0.1:3000; #修改为你的nodejs程序端口
    }
}

安装letsencrypt

sudo apt update
sudo apt install letsencrypt

安装certbot-auto

wget https://dl.eff.org/certbot-auto    # 获取certbot-auto 客户端  
sudo chmod a+x certbot-auto    #可执行权限
sudo mv certbot-auto /usr/local/bin/     #移动到这个目录方便全局调用 sudo certbot-auto [options]

生成加密证书

certbot-auto certonly -a webroot --webroot-path=/var/www/html -d exampe.com -d www.example.com
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

如果遇到该错误,可以尝试已下两种方法,没有则跳过:
issues2883
issues46
出现下面内容,则表示生成成功

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example/fullchain.pem. Your cert
   will expire on 2017-02-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

再修改下Nginx配置

#再添加一个80端口server,并将它定向到https
server{
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name mou.io;
        return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl; 
    server_name example.com;
    server_tokens off;
    #已下三行刚才是注释状态
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    ssl_ciphers  EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers  on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:whatever-SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root /usr/share/nginx/html;
    }

    location / {
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://127.0.0.1:3000; #修改为你的nodejs程序端口
    }
}

开启自动续期

sudo certbot renew --agree-tos --dry-run   // --agree-tos 表示同意默认  --dry-run 表示模拟  真实续签去掉 --dry-run 即
然后

ubuntu 14.X

certbot renew --quiet --no-self-upgrade

ubuntu 16.x

letsencrypt renew 

centos

certbot renew --quiet 

参考:

Joephon

你可能感兴趣的:(Nodejs+Nginx+SSL(Letsencrypt)配置[菜鸟笔记])