# sudo apt-get update
# sudo apt-get install git bc
# service nginx stop
# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
# cd /opt/letsencrypt
# ./letsencrypt-auto certonly --standalone
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xlinux.website/fullchain.pem. Your cert will
expire on 2016-05-24. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# vim /etc/nginx/sites-available/default
# 把 80 port 都導入到 https 443 port
# HTTP 狀態 301/302 說明
# 301: 要求的網頁已經永久改變網址。此狀態要求用戶端未來在連結此網址時應該導向至指定的 URI。
# 302: 物件已移動,並告知移動過去的網址。針對表單架構驗證,這通常表示為「物件已移動」。
# 要求的資源暫時存於不同的 URI 底下。由於重新導向可能偶而改變,
# 用戶端應繼續使用要求 URI 來執行未來的要求。
# 除非以 Cache-Control 或 Expires 標頭欄位表示,
# 此回應才能夠快取。
server {
# Plain-HTTP listener: its only job is to send every request to the TLS
# server block below.
listen 80;
server_name xlinux.website;
# 301 (permanent) redirect that preserves the request path and query string.
# NOTE(review): $host echoes the client's Host header. That is acceptable while
# this block is selected only for the server_name above; if it is ever made
# default_server, use the literal hostname (as in the commented-out rewrite) so
# the redirect target cannot be chosen by the client.
return 301 https://$host$request_uri;
# rewrite ^ https://xlinux.website$request_uri? permanent;
}
# 把前面兩行註解掉
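server {
# The original plain-HTTP listeners are commented out; port 80 is now handled
# by the redirect-only server block above.
#listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
server_name xlinux.website www.xlinux.website;
# Paths written by the `letsencrypt-auto certonly` run above; keep privkey.pem
# unreadable to anything other than the nginx master process.
ssl_certificate /etc/letsencrypt/live/xlinux.website/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xlinux.website/privkey.pem;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Unless legacy
# clients must be supported, list only TLSv1.2 (plus TLSv1.3 where the
# installed nginx/OpenSSL provide it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Forward-secret (ECDHE/DHE) AES-GCM and AES-256 suites only. The stray "bc"
# that followed this directive in the original paste would break `nginx -t`.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# The remaining directives of this server block and its closing brace are not
# shown on the page.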
改好後檢查一下設定檔是否 OK
# nginx -c /etc/nginx/nginx.conf -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# 啟動 Nginx
# service nginx start
# vim /etc/nginx/sites-enabled/default
新增 location ~ /.well-known { allow all; }
# cd /opt/letsencrypt/
# ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/var/www/html -d linux.xxxx -d www.xlinux.xxx
Checking for new version...
Requesting root privileges to run letsencrypt...
/home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade certonly -a webroot --agree-twww/html -d www.xlinux.xxxx -d www.xlinux.xxxx
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.xlinux.website/fullchain.pem. Your cert will
expire on 2016-05-26. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
service nginx reload
build script
# cp /opt/letsencrypt/examples/cli.ini /etc/letsencrypt/live/renew.ini
# vim /etc/letsencrypt/live/renew.ini
rsa-key-size = 4096
email = fifixxxxxx@gmail.com
domains = xlinux.xxxx, www.xlinux.xxxx
webroot-path = /var/www/html
# /opt/letsencrypt/letsencrypt-auto certonly -a webroot --renew-by-default --config /etc/letsencrypt/live/renew.ini
# 撰寫 Cron 自動更新
30 2 * * 1 /xxxxxxxxx >> /var/log/renewal.log
到 Qualys SSL 驗證 https://www.ssllabs.com/
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
Weak Diffie-Hellman 問題,Diffie-Hellman 預設長度不夠
使用 openssl 產生 4096 bit 的 DH 參數，並讓 nginx 在 DHE key-exchange 時使用:
# cd /etc/ssl/certs
# openssl dhparam -out dhparam.pem 4096 ( 這個會跑很久 , 在 AWS haw SSD 上跑要十五分鐘 ...... )
# vim /etc/nginx/sites-enabled/default
server {
# The original plain-HTTP listeners are commented out; port 80 is handled by
# the redirect-only server block shown earlier.
#listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
server_name xlinux.website www.xlinux.xxxx;
# TLS session resumption cache shared across worker processes.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Paths written by the `letsencrypt-auto certonly` run above; keep privkey.pem
# unreadable to anything other than the nginx master process.
ssl_certificate /etc/letsencrypt/live/xlinux.xxxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xlinux.xxxx/privkey.pem;
# 4096-bit DH parameters generated with `openssl dhparam` above; this is what
# clears the "weak Diffie-Hellman" finding from the Qualys scan.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Unless legacy
# clients must be supported, list only TLSv1.2 (plus TLSv1.3 where the
# installed nginx/OpenSSL provide it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Server-side preference order wins over the client's.
ssl_prefer_server_ciphers on;
# Previous, stricter list: ephemeral (ECDHE/DHE) AES-GCM and AES-256 only.
#ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# NOTE(review): the broad list below still permits 3DES (…DES-CBC3-SHA),
# CAMELLIA and non-forward-secret AES*-SHA suites as fallbacks; a scan will
# flag those. Dropping them (e.g. the commented-out list above) trades
# compatibility with old clients for a cleaner grade.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# HSTS for one year. Browsers that have seen this header refuse plain HTTP to
# this host until it expires, so confirm certificate renewal (the cron job
# above) works before relying on it.
add_header Strict-Transport-Security max-age=31536000;
# The remaining directives of this server block and its closing brace are not
# shown on the page.