1. Environment requirements

  1. git
  2. OpenSSL, version greater than 1.0.2
  3. Nginx, latest stable version 1.12.2
  4. Certbot

2. Pre-installation environment

Upgrade OpenSSL to a version greater than 1.0.2 and Nginx to version 1.12.2 or later (the installation steps are in section 5).

2.1 Installing Certbot

cd /
mkdir soft
cd soft
mkdir staticHtml    # used later as the webroot that serves the ACME challenge files
git clone https://github.com/certbot/certbot

2.2 Configuring the Certbot validation directory in Nginx

Switch to Nginx's conf.d directory, open the configuration file of the domain that will be served over HTTPS, and add the following location block inside its server block:

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root     /soft/staticHtml;
}

Restart nginx so that the new location mapping takes effect:

service nginx restart

3. Applying for a certificate

sudo certbot certonly --webroot -w /soft/staticHtml/ -d your.domain.com

After a short wait, a successful run prints a message like the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/a.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/a.domain.com/privkey.pem
   Your cert will expire on 2018-07-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3.1 Parameter Description

3.1.1 --webroot

Tells Certbot to place the domain-validation file in a directory served by the existing web server (the webroot authenticator).

3.1.2 -d

Specifies the domain name the certificate is issued for. Multiple domain names can be included by repeating -d, for example:

-d a.domain.com -d b.domain.com -d c.domain.com

3.1.3 --email

Email address that receives important notifications about your account, for example:

--email [email protected]

3.1.4 --webroot

Places the validation file in the web server's document root.

3.1.5 -w

Specifies the directory where the validation file is written. This directory must be reachable over HTTP under the requested domain name, otherwise the validation fails.

4. Configuring Nginx SSL

Copy the original HTTP Nginx server configuration and add the following directives to it:

server {
        listen 443 ssl http2;

        ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
}

Restart the Nginx server.

Open https://your.domain.com in your browser to check that HTTPS and HTTP/2 are both working.

5. Software installation requirements

5.1 Installing git

Installing it with yum is recommended:

yum update
yum install git

5.2 Installing OpenSSL

Nginx requires an OpenSSL version greater than 1.0.2. Upgrading to 1.1.0 or later is recommended, because from that version OpenSSL supports Google's ChaCha20 cipher, which is friendlier to mobile devices (it is optimized for ARM, so it is faster and uses less power there).

First check the current OpenSSL version:

openssl version

Download, build and install the new version:

cd /soft
mkdir back
wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
tar -zxf openssl-1.1.0h.tar.gz
cd openssl-1.1.0h
./config
make
make test
make install
mv /usr/bin/openssl /soft/back                  # back up the old binary
ln -s /usr/local/bin/openssl /usr/bin/openssl
# update the SSL shared-library links
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
# delete the old symbolic link
rm /bin/openssl
# add the new one
ln -s /usr/local/bin/openssl /bin/openssl

Then run the following command again to check the OpenSSL version:

openssl version

Then restart Nginx and run nginx -V (capital V, which also prints the build information):

nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0h  27 Mar 2018
TLS SNI support enabled

Check that the OpenSSL version shown is the one you just installed. If it is not, Nginx is still linked against the old library; recompile it as described in 5.3.

5.3 Recompiling Nginx

Download the latest Nginx source:

cd /soft
wget http://nginx.org/download/nginx-1.12.2.tar.gz
tar -zxf nginx-1.12.2.tar.gz
cd nginx-1.12.2

Show the build configuration of the currently installed Nginx:

nginx -V
configure arguments: --prefix=/usr/share/nginx ..........

Copy and save everything that follows "configure arguments:"; it is passed to ./configure in the next step so the rebuilt binary keeps the same modules and paths.

Configure Nginx with the saved arguments:

./configure <paste the saved configure arguments here>

If configure warns that a required library is missing, install it with yum and run configure again.

Back up the existing Nginx configuration:

cp -r /etc/nginx/conf.d  /soft/back

Recompile and install over the existing installation:

make
make install

Restart the service:

service nginx restart
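For the nginx -V step in 5.3 and the "was OpenSSL really updated?" check at the end of 5.2, here is an added shell example (not from the original post) that parses nginx -V output; it assumes only the output format shown above and feeds a constructed sample in place of a live nginx.

```shell
#!/bin/sh
# Added example (not from the original post): parse `nginx -V` output to
# (a) recover the configure arguments to paste after ./configure in 5.3, and
# (b) read the OpenSSL version the running nginx was built with, so the
# check at the end of 5.2 can be scripted instead of eyeballed.

# Constructed sample of `nginx -V` output; on a real host use: nginx -V 2>&1
SAMPLE_NGINX_V='nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_v2_module'

# Print only the text after "configure arguments:".
nginx_configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# Print the OpenSSL version nginx was linked against, e.g. "1.0.2k-fips".
nginx_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Succeed (exit 0) when a version string is at least 1.1.0, the minimum the
# post recommends; only the numeric major.minor part is compared.
openssl_at_least_1_1_0() {
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')   # "1.0.2k-fips" -> "1.0.2"
    [ -n "$ver" ] || return 1                          # no version found at all
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
        return 0
    fi
    return 1
}

# Exit 0 (and print the ./configure line to run) when nginx still links the old
# OpenSSL; exit 1 when it already uses 1.1.0 or later and no rebuild is needed.
needs_recompile() {
    v=$(nginx_openssl_version "$1")
    if openssl_at_least_1_1_0 "$v"; then
        echo "nginx is built with OpenSSL $v; no recompile needed"
        return 1
    fi
    echo "nginx is built with OpenSSL $v; rebuild with:"
    echo "./configure $(nginx_configure_args "$1")"
    return 0
}

needs_recompile "$SAMPLE_NGINX_V"
```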