If your site needs HTTPS, whether for security reasons or because WeChat applications require it, but you don't want to spend thousands of dollars a year on a paid SSL certificate, Let's Encrypt's free certificates are a good choice. Here is how to install Let's Encrypt, configure Nginx, and set up free automatic renewal.

I. Preparation

Before installation, you need to open port 443 in the firewall (firewalld is used here):

firewall-cmd --zone=public --list-ports
# 80/tcp 3306/tcp
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload   # apply the permanent rule to the running firewall
firewall-cmd --zone=public --list-ports
# 80/tcp 3306/tcp 443/tcp

II. Installation and configuration

1. Install Certbot. Certbot is the recommended client for Let's Encrypt and supports automatic renewal.

# On CentOS 7 the certbot package lives in the EPEL repository; install epel-release first if yum cannot find it.
yum install certbot -y

2. Generate a certificate

2.1 Use this form when you do not know the site's web root directory (standalone mode)

# Standalone mode: certbot starts its own temporary web server on port 80,
# so nginx (or anything else bound to port 80) must be stopped while it runs.
certbot certonly --standalone -d domain.com -d www.domain.com

2.2 Use this form when you know the site's web root directory (webroot mode)

# Webroot mode: the site's root here is /var/www/domain; nginx keeps running and must
# serve files placed under /.well-known/acme-challenge/ from that directory.
certbot certonly --webroot -w /var/www/domain -d domain.com -d www.domain.com

The certificate and key are written under /etc/letsencrypt/live/domain.com/ (fullchain.pem and privkey.pem).

3. Configure nginx

server {
    listen 80;
    listen [::]:80;
    server_name www.domain.com domain.com;
    # Browsers only honour Strict-Transport-Security when it arrives over HTTPS,
    # so this header takes effect only if it is also sent from the 443 block.
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$server_name$request_uri;
}

Add a listen 443 server block and adjust the following to your domain name:

server {
    listen 443 ssl http2;
    server_name www.domain.com domain.com;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    root /var/www/domain;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current nginx/OpenSSL prefer "TLSv1.2 TLSv1.3".
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # The RC4 suites in this list are likewise obsolete and should be dropped on a current build.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;

    # Everything under / is proxied, so webroot renewals need a separate location for
    # /.well-known/acme-challenge/ that serves files from the root directory above.
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_cache_bypass $http_upgrade;
        proxy_pass http://nuxtapp;   # Nuxt app; "nuxtapp" is an upstream block defined elsewhere in your config
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
    }
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    error_page 404 /404.html;
    location = /404.html { }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { }
}
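As an added example (not code from the original post), here is a small Python lint that scans an nginx config like the one above for the settings a reviewer would flag: deprecated ssl_protocols values, cipher entries that enable RC4/3DES/MD5/NULL/EXP suites (negated "!" entries only disable suites and are ignored), and a Strict-Transport-Security header on a plain-HTTP block. The embedded config is a constructed sample mirroring the two server blocks above, not a real deployment, and the brace scanner only handles plain nginx syntax without comments containing braces.

```python
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "MD5", "NULL", "EXP")
# Constructed sample mirroring the post's two server blocks (not a real site).
SAMPLE_CONF = """server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:HIGH:!RC4-SHA:!aNULL:!MD5;
    location / { proxy_pass http://nuxtapp; }
}"""

def split_server_blocks(conf):
    blocks, depth, start = [], 0, None  # brace-aware scan for top-level server { ... }
    for m in re.finditer(r"[{}]", conf):
        if m.group() == "{":
            if depth == 0 and conf[:m.start()].rstrip().endswith("server"):
                start = m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(conf[start:m.start()])
                start = None
    return blocks

def directive(block, name):  # value of the first `name ...;` directive, or None
    m = re.search(r"(?<!\w)" + re.escape(name) + r"\s+([^;]+);", block)
    return m.group(1).strip() if m else None

def lint_tls(conf):
    """Return (block_index, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for i, block in enumerate(split_server_blocks(conf)):
        listen = (directive(block, "listen") or "").split()
        is_tls = "ssl" in listen or "443" in listen
        for p in sorted(DEPRECATED_PROTOCOLS & set((directive(block, "ssl_protocols") or "").split())):
            findings.append((i, f"deprecated protocol {p}"))
        for c in (directive(block, "ssl_ciphers") or "").split(":"):
            if c and not c.startswith("!") and any(t in c for t in WEAK_CIPHER_TOKENS):
                findings.append((i, f"weak cipher {c}"))  # "!" entries only disable suites
        if "Strict-Transport-Security" in block and not is_tls:
            findings.append((i, "HSTS header on a plain-HTTP block is ignored by browsers"))
    return findings
```

Running lint_tls on the sample flags the HSTS header in the port-80 block, TLSv1 and TLSv1.1, and the un-negated RC4 suite; after switching to "TLSv1.2 TLSv1.3" and dropping the RC4 entry the 443 block is clean.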

4. Reload nginx

sudo nginx -s reload

Refresh the page; HTTPS is now in effect.

Let's Encrypt certificates expire after 3 months by default, so we set up the Certbot client to renew the certificate automatically. Crontab is used here.

crontab -e
# Press i to enter insert mode and add the renewal command in the following format
# (this schedule runs at 00:00 on the 3rd of every month):
0 0 3 * * certbot renew --force-renew --renew-hook "nginx -s reload"
# Then hold Shift and type :wq to save and exit.
#
# Note: `certbot renew` on its own only renews certificates within 30 days of expiry, while
# --force-renew reissues on every run and counts against Let's Encrypt's duplicate-certificate
# rate limit, so a daily `certbot renew` without --force-renew is the safer schedule.
# If the certificate was issued in standalone mode, port 80 must be free during renewal
# (use --pre-hook / --post-hook to stop and start nginx around it).

OK! The original link: www.helloque.site/article/20