2018-12-29 使用Certbot为nginx申请免费的ssl证书

1、安装软件包并执行命令

yum install python2-certbot-nginx
certbot --nginx --nginx-server-root=/data/nginx/conf/ -d www.zhangdazhi.com  #指明配置文件的目录，并指明要申请证书的域名

2、查看配置文件,发现在对应域名的server语句块中会自动配置好https

listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.zhangdazhi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.zhangdazhi.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
[root@hk conf]#openssl x509 -in /etc/letsencrypt/live/www.zhangdazhi.com/fullchain.pem -noout -text  #查看证书有效期发现为三个月
[root@hk conf]#vim /etc/letsencrypt/options-ssl-nginx.conf  #查看此文件中的内容
ssl_session_cache shared:le_nginx_SSL:1m;   #表示将https的握手缓存，缓存大小为1M，1M大约可以缓存4000个连接
ssl_session_timeout 1440m;  #表示在1440分钟内也就是一天的时间内，如果相同的连接断开后不用再次进行握手，可以复用之前的秘钥

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  #指明支持的ssl协议
ssl_prefer_server_ciphers on; #指明加密算法

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DH
E-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SH
A384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DE
S-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";