nginx 使用免费https

转发自小众软件这片文章： http://www.appinn.com/use-letsencrypt-with-nginx/

安装

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

配置

1. 关闭nginx并开启防火墙80 和 443端口，避免申请证书时端口占用。

2. 配置
   

server {
    listen       80;
    server_name  www.test.com;
    root   html;
    return 301 https://$host$request_uri;

    location / {
        index  index.html index.php;
        if (!-e $request_filename) {
           rewrite  ^/(.*)$  /index.php/$1  last;
           break;
        }
    }
}
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location ~ /.well-known {
        allow all;
    }
}

证书续签

    1.修改配置文件

cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.in

编辑该文件：
rsa-key-size = 4096
email = [email protected]
domains = www.test.com
webroot-path = /usr/share/nginx/html //这个路径之后脚本会用到

    2. 下载脚本并设置权限：

curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
chmod +x /usr/local/sbin/le-renew-webroot

    脚本会先检测证书日期，如果没到期不会去服务端申请延期。