Recently I wanted to build an HTTPS server, but the information available online is still difficult to understand. Now that I have set one up successfully, I want to record the process.

The prerequisites are nginx and PM2, a powerful daemon (process manager) tool:

npm install pm2 -g

Install acme.sh

curl https://get.acme.sh | sh

Generate a certificate

acme.sh implements all the verification methods supported by the ACME protocol. Generally there are two ways to verify:

# Stop nginx, serve <domain>.com as a static site on the default port 80, and restart the web server afterwards.
# Replace xxx.com with your own domain name, e.g. baixxdu.com

# View the PIDs of the current nginx processes (e.g. 2072, 2074)
ps -ef | grep nginx
# Kill processes 2072 and 2074
kill -9 2072 2074

# Apply for the SSL certificate.
# Change directory; sometimes the issue command has to be run from /root/.acme.sh
cd ~/.acme.sh
# acme.sh will create a .well-known folder under /home/wwwroot/xxx.com/, and Let's Encrypt will fetch
# the file in it through the domain name you are registering, i.e. via http://xxx.com/.well-known/ .
# So make sure /home/wwwroot/xxx.com/ is reachable: run the following inside /home/wwwroot/xxx.com/
# (create the directory if it does not exist) to start a pm2 static server on port 80
pm2 serve . 80 --name ca
# then issue the certificate
acme.sh --issue -d xxx.com -d www.xxx.com --webroot /home/wwwroot/xxx.com/

On success, the above command prints output similar to the following:

[Fri Oct 15 15:10:16 CST 2016] Renew: 'xxx.com'
[Fri Oct 15 15:10:16 CST 2016] Single domain='xxx.com'
[Fri Oct 15 15:10:16 CST 2016] Getting domain auth token for each domain
[Fri Oct 15 15:10:16 CST 2016] Getting webroot for domain='xxx.com'
[Fri Oct 15 15:10:16 CST 2016]  _w='/home/wwwroot/xxx.com/'
[Fri Oct 15 15:10:16 CST 2016] Getting new-authz for domain='xxx.com'
[Fri Oct 15 15:08:57 CST 2016] The new-authz request is ok.
[Fri Oct 15 15:08:57 CST 2016] Verifying:xxx.com
[Fri Oct 15 15:09:01 CST 2016] Success
[Fri Oct 15 15:09:01 CST 2016] Verify finished, start to sign.
[Fri Oct 15 15:09:02 CST 2016] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Fri Oct 15 15:09:02 CST 2016] Your cert is in /root/.acme.sh/xxx.com/www.your-app.com.cer
[Fri Oct 15 15:09:02 CST 2016] Your cert key is in /root/.acme.sh/xxx.com/www.your-app.com.key
[Fri Oct 15 15:09:04 CST 2016] The intermediate CA cert is in /root/.acme.sh/xxx.com/ca.cer
[Fri Oct 15 15:09:04 CST 2016] And the full chain certs is there: /root/.acme.sh/xxx.com/fullchain.cer

Copy certificates to Nginx or another service

After the certificate is generated, you need to copy it to the place where it is actually needed. By default the generated certificates are stored in the ~/.acme.sh/ installation directory; do not use the files in that directory directly. For example, use XFTP to copy /root/.acme.sh/xxx.com/xxx.com.key and /root/.acme.sh/xxx.com/fullchain.cer to /etc/nginx/ssl/xxx.com.key and /etc/nginx/ssl/fullchain.cer (replace xxx.com with your own domain name).

Also generate the dhparam.pem file, which the nginx configuration below uses:

# generate dhparam.pem, used by the nginx configuration later
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

then

# xxx.com: replace with your own domain name
acme.sh --installcert -d <domain>.com \
    --key-file /etc/nginx/ssl/xxx.com.key \
    --fullchain-file /etc/nginx/ssl/fullchain.cer

On success, the above command prints output similar to the following:

[Fri Oct 15 15:29:57 CST 2016] Installing key to:/etc/nginx/ssl/<domain>.key
[Fri Oct 15 15:29:57 CST 2016] Installing full chain to:/etc/nginx/ssl/<domain>.key.pem
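Before pointing nginx at the installed files it is worth confirming that the key and certificate belong together, that the leaf is not about to expire, and that fullchain.cer actually carries the chain. The following POSIX shell script is an added example, not part of the original post or of acme.sh: it uses openssl against the /etc/nginx/ssl paths used above; the function names and the self-signed test pair it can generate are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check the certificate and key copied to /etc/nginx/ssl
# before nginx is pointed at them. Function names are this example's own.

# 0 if the public key in the certificate equals the one derived from the
# private key (i.e. cert and key belong together); 2 if a file is unreadable.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate stays valid for at least $2 more days (default 7).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null 2>&1
}

# Number of PEM certificates in a file. fullchain.cer should hold the leaf plus
# at least one intermediate, so a count below 2 usually means a truncated chain.
chain_cert_count() {
    count=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true)
    echo "${count:-0}"
}

# Run all checks against the paths from the post (overridable via $1 and $2).
check_nginx_tls_files() {
    cert="${1:-/etc/nginx/ssl/fullchain.cer}"
    key="${2:-/etc/nginx/ssl/xxx.com.key}"
    rc=0
    if cert_key_match "$cert" "$key"; then echo "ok: $key matches $cert"
    else echo "FAIL: $key does not match $cert"; rc=1; fi
    if cert_valid_for_days "$cert" 7; then echo "ok: certificate valid for 7+ days"
    else echo "FAIL: certificate expires within 7 days (or is unreadable)"; rc=1; fi
    n=$(chain_cert_count "$cert")
    if [ "$n" -ge 2 ]; then echo "ok: chain holds $n certificates"
    else echo "WARN: only $n certificate in $cert (intermediate missing?)"; fi
    return $rc
}

# Constructed test material: a throwaway self-signed pair for xxx.com in directory $1.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=xxx.com" \
        -keyout "$1/xxx.com.key" -out "$1/fullchain.cer" >/dev/null 2>&1
}

# Usage: sh check_tls_files.sh /etc/nginx/ssl/fullchain.cer /etc/nginx/ssl/xxx.com.key
if [ -n "${1:-}" ]; then check_nginx_tls_files "$@"; fi
```

A non-zero exit status means nginx should not be restarted with these files yet; the WARN line about a single certificate is expected for the self-signed test pair but not for a real fullchain.cer.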

Configure Nginx

http {
    # add
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # for ssl_ciphers settings compatible with other, older browsers,
    # see https://wiki.mozilla.org/Security/Server_Side_TLS

    server {
        listen 80;
        server_name <mydomain>.com;
        return 301 https://<mydomain>.com;
    }

    server {
        # add
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/fullchain.cer;
        ssl_certificate_key /etc/nginx/ssl/xxx.com.key;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    }
}

Restart Nginx

/usr/local/nginx/sbin/nginx
# If nginx was built without the SSL module this complains; for reference see
# http://blog.csdn.net/w410589502/article/details/72833283