cloudtuts

手動安裝Let's Encrypt

Jun 19th, 2018
Bash 2.58 KB | None | 0 0
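  # 1. Download Let's Encrypt
  # NOTE(review): the letsencrypt-auto / certbot-auto wrapper fetched here is
  # deprecated upstream and no longer maintained. It installs OS packages and
  # updates itself from the network with root privileges, so whatever the
  # checkout contains runs as root. Prefer the certbot package shipped by your
  # distribution where one is available, and treat these steps as legacy.
  sudo apt-get update
  sudo apt-get install git
  # Clone only when the checkout is missing, so re-running these steps does not
  # abort on an already existing /opt/letsencrypt directory.
  if [ ! -d /opt/letsencrypt/.git ]; then
      sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  fi

  # ----------------------------------------------------------------------------------------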
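  # 2. Request a certificate for the root domain
  #    (for a subdomain, drop the trailing -d "www.$domain").
  # Adjust the web root directory to match your actual setup.
  # -r keeps backslashes in the typed value literal.
  read -r -p "Enter domain: " domain
  # The typed value ends up in a filesystem path and on the command line of a
  # tool that runs with root privileges. Accept hostname characters only (no
  # slash, space or shell metacharacter) and reject a leading dot or hyphen,
  # since a leading hyphen could be read as an option.
  case "$domain" in
      ''|*[!A-Za-z0-9.-]*|.*|-*)
          echo "Invalid domain: $domain" >&2
          ;;
      *)
          # 信箱@gmail.com is a placeholder: replace it with your own contact address.
          # Quoting keeps each value a single argument (no word splitting or globbing).
          /opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email 信箱@gmail.com \
              --webroot -w "/var/www/$domain/htdocs" -d "$domain" -d "www.$domain"
          ;;
  esac

  # ----------------------------------------------------------------------------------------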
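  # 3. Install the certificate
  # Put these directives in /etc/nginx/sites-available/域名.conf (域名 stands for
  # your domain name), or in a new file inside a directory pulled in by an include.
  # After saving: nginx -t && service nginx reload
  # Settings lookup: https://mozilla.github.io/server-side-tls/ssl-config-generator/
  # Reference configuration (directives for the HTTPS server block):

  # "listen ... ssl" already enables TLS on this socket. The separate "ssl on;"
  # directive is deprecated in nginx and has been dropped from this example.
  listen 443 ssl http2;
  ssl_certificate     /etc/letsencrypt/live/域名/fullchain.pem;
  # privkey.pem is the private key: keep it readable by root only and never copy
  # it into the web root, a backup bucket or a repository.
  ssl_certificate_key     /etc/letsencrypt/live/域名/privkey.pem;

  # TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so only TLS 1.2 is
  # offered here. Add TLSv1.3 once your nginx/OpenSSL build supports it.
  ssl_protocols TLSv1.2;
  # Forward-secret AEAD suites only: a subset of the original list, in the same
  # order. The CBC-mode, static-RSA and 3DES (DES-CBC3, Sweet32) suites were
  # removed; very old clients that depend on them will no longer connect.
  # The DHE-RSA suites are negotiated only when ssl_dhparam is configured
  # (nginx >= 1.11.0).
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  # "always" also sends the header on error responses. Browsers remember the
  # policy until max-age expires, so enable it only once HTTPS works for every
  # name this server answers for. An add_header inside a location block
  # replaces the ones inherited from here, so repeat it there if needed.
  add_header Strict-Transport-Security max-age=15768000 always;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  # Stapling works only while the certificate carries an OCSP responder URL;
  # verify that for your CA.
  ssl_stapling on;
  ssl_stapling_verify on;
  # ssl_stapling_verify needs the issuer chain configured as trusted, and nginx
  # needs a resolver to look up the responder host. Without them stapling
  # quietly does nothing (check the error log):
  # ssl_trusted_certificate <PATH_TO_ISSUER_CHAIN_PEM>;
  # resolver <DNS_RESOLVER_IP>;

  # ----------------------------------------------------------------------------------------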
  # 4. Redirect HTTP to HTTPS
  # Put this at the very top of /etc/nginx/sites-available/域名.conf (域名 stands
  # for your domain name), or in a new file inside a directory that
  # /etc/nginx/nginx.conf includes, such as /etc/nginx/conf.d.
  # After saving: nginx -t && service nginx reload
  server {
      # Names answered on plain HTTP; both are sent to the canonical HTTPS host.
      server_name www.域名 域名;
      listen 80;

      # The target host is written out literally instead of being taken from
      # the request's Host header, so a forged Host value cannot steer the
      # redirect to another site. $request_uri keeps the original path and query.
      return 301 https://域名$request_uri;
  }