Tutorial: Configuring Let's Encrypt SSL for Nginx
This tutorial does not use any script to configure the Let's Encrypt certificate, which also helps novices get familiar with HTTPS configuration. The domain name linpx.com that appears in the tutorial needs to be replaced with the domain name you want to sign. The tutorial was written after practising on AliCloud ECS; follow it and the certificate will be issued successfully.
CentOS 7.x is the most suitable system for this tutorial, because CentOS 6.x needs Python upgraded to 2.7
Issue a certificate
After entering the terminal with root permission, first stop nginx (required)
CentOS 6.x:
service nginx stop
CentOS 7.x:
systemctl stop nginx
Then obtain the source code of Let's Encrypt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Then issue a certificate to your website
./letsencrypt-auto certonly --standalone --email i@linpx.com -d linpx.com -d www.linpx.com
Note!
(from https://pypi.python.org/simple/python2-pythondialog/ ) failed: <urlopen error [Errno -2] Name or service not known>
If this error occurs, the following configuration is required
mv /etc/resolv.conf /etc/resolv.conf.backup && vim /etc/resolv.conf
After opening the resolv.conf file, there should be nothing in it
Press i to enter editing mode, paste the following contents, then save and exit
nameserver 223.5.5.5
nameserver 8.8.8.8
Then run the command again to issue a certificate to your website
./letsencrypt-auto certonly --standalone --email i@linpx.com -d linpx.com -d www.linpx.com
This is mainly to fix the DNS resolution failure on the server
After completing the above operations, Let's Encrypt has issued a certificate for your website
You can enter the following command to view
ls /etc/letsencrypt/live/linpx.com
(the domain name here is the domain name the certificate was issued for)
There will be four files in it
cert.pem chain.pem fullchain.pem privkey.pem
The first two are for Apache, and the last two are for Nginx
Configure Nginx
This assumes you have already enabled HTTPS and only need to replace the certificate.
Open the Nginx conf configuration file corresponding to the website
Suppose my configuration file is in the /usr/local/nginx/conf/vhost directory
vim /usr/local/nginx/conf/vhost/www.linpx.com.conf
After opening, press i to enter edit mode and find
ssl_certificate .............;
ssl_certificate_key ............;
Modify to
ssl_certificate /etc/letsencrypt/live/linpx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/linpx.com/privkey.pem;
Don't forget to start Nginx
CentOS 6.x:
service nginx start
CentOS 7.x:
systemctl start nginx
The certificate issuance and configuration of Let's Encrypt are now complete. Refresh your website and you will see the green lock
Automatic renewal
Generally, the validity period of Let's Encrypt's certificate is only 90 days, so you need to set an automatic renewal task
Install crontabs first. Generally, you will be prompted that they have been installed
yum -y install crontabs
Then
crontab -e
Add the following content on a new line, where /root/letsencrypt is the directory into which the letsencrypt source was downloaded in the earlier step
CentOS 6.x:
0 0 1 * * service nginx stop && /root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email i@linpx.com -d linpx.com -d www.linpx.com; service nginx start
CentOS 7.x:
0 0 1 * * systemctl stop nginx && /root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email i@linpx.com -d linpx.com -d www.linpx.com; systemctl start nginx
After adding, save and exit to view the scheduled task list
crontab -l
The output should show that the scheduled task has been added successfully.
In this way, the server will automatically renew your Let's Encrypt certificate on the first day of each month.
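The same stop / renew / start sequence as a wrapper script that cron can call instead of a one-line entry, given here as an added example (not part of the original tutorial): it starts nginx again whether or not the renewal succeeds, logs the outcome, and returns the renewal's exit status. The script path /root/renew-cert.sh, the log path and the STOP_CMD / RENEW_CMD / START_CMD / LOG_FILE variable names are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for the stop / renew / start sequence.
# File name, log path and the *_CMD variable names are assumptions.
# The commands are overridable so the script can be dry-run with stubs.
STOP_CMD=${STOP_CMD:-"systemctl stop nginx"}     # CentOS 6.x: service nginx stop
START_CMD=${START_CMD:-"systemctl start nginx"}  # CentOS 6.x: service nginx start
RENEW_CMD=${RENEW_CMD:-"/root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email i@linpx.com -d linpx.com -d www.linpx.com"}
LOG_FILE=${LOG_FILE:-/var/log/letsencrypt-renew.log}

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

renew_cert() {
    # nginx has to be stopped before the certificate is requested (see above).
    if ! $STOP_CMD; then
        log "ERROR: could not stop nginx, renewal skipped"
        return 2
    fi

    renew_status=0
    $RENEW_CMD >> "$LOG_FILE" 2>&1 || renew_status=$?
    if [ "$renew_status" -eq 0 ]; then
        log "renewal succeeded"
    else
        log "ERROR: renewal failed with status $renew_status"
    fi

    # Start nginx in every case so a failed renewal does not leave the site down.
    if ! $START_CMD; then
        log "ERROR: nginx did not start after renewal attempt"
        return 3
    fi
    return "$renew_status"
}

# Cron entry (assumed path): 0 0 1 * * /root/renew-cert.sh run
if [ "${1:-}" = "run" ]; then
    renew_cert
    exit $?
fi
```

A non-zero exit status together with the ERROR lines in the log file shows which step failed.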
This article was written by Chakhsu Lau and is licensed under the Creative Commons Attribution 4.0 International License.