SSL Configuration.md

阿里云配置免费的SSL证书

第一次尝试let's Encrypt 无果而终止。卡在了验证域名信息这一块。参考地址

https://github.com/we11cheng/WCStudy/blob/master/Ubuntu16.04%20Let%E2%80%99s%20Encrypt%20SSL%20%E9%85%8D%E7%BD%AE.md

失败原因如下图所示

第二次尝试——>成功。

• 登录阿里云控制面板-安全云盾-SSL证书

• 点击下载跳转帮助页面https://yundun.console.aliyun.com/?spm=a2c1d.8251892.aliyun_sidebar.19.3bc55b766ll1Iy&p=cas#/cas/download/1531196979685?regionId=

• 下载证书解压得到1531196979685.key 1531196979685.pem两个文件

• 服务器上新建/var/www/cert文件夹，将解压得到的证书上传到服务器/var/www/cert目录下，cert目录nginx根目录平级。

• 编辑nginx配置文件

vim /etc/nginx/sites-enabled/default

• 修改ssl配置部分ssl_certificate& ssl_certificate_key填写绝对路径，其他copy即可。

# SSL configuration
        ssl on;
        listen 443;
        server_name www.ipersistence.top;
        ssl_certificate   /var/www/cert/1531196979685.pem;
        ssl_certificate_key  /var/www/cert/1531196979685.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        

• 重启nginx

service nginx restart

• 访问自己的域名 https://www.ipersistence.top/ 生效~~

/etc/nginx/sites-enabled/default文件备份下(个人配置)

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 8001;
        listen [::]:80;
        server_name www.ipersistence.top;

        # SSL configuration
        ssl on;
        listen 443;
        server_name www.ipersistence.top;
        ssl_certificate   /var/www/cert/1531196979685.pem;
        ssl_certificate_key  /var/www/cert/1531196979685.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}