This article is also published on my personal GitHub blog: https://github.com/johnnian/Blog/issues/8. Comments are welcome there.
Recently I've been experimenting with WeChat apps. I have the following resources on hand:
- A Cloud Server: CentOS 7
- Multiple primary domain names
During development and testing, for various reasons we want two domain names, A and B, to both point to port 443 of the cloud server and serve HTTPS.
Nginx supports the SNI extension of TLS (multiple domain names with different certificates can be served on the same IP); you only need to rebuild Nginx with SSL/TLS support.
Install Nginx
[root]# wget http://nginx.org/download/nginx-1.12.0.tar.gz
[root]# tar zxvf nginx-1.12.0.tar.gz
[root]# cd nginx-1.12.0
[root]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
    --with-openssl=./openssl-1.0.1e \
    --with-openssl-opt="enable-tlsext"
Note: during the build we found that some libraries were missing on the cloud server. After downloading and installing them, re-run the ./configure step. The specific steps are as follows:
[root]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz
[root]# tar zxvf pcre-8.35.tar.gz
[root]# yum -y install gcc
[root]# yum -y install gcc-c++
[root]# yum install -y zlib-devel
[root]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
    --with-openssl=./openssl-1.0.1e \
    --with-openssl-opt="enable-tlsext" \
    --with-pcre=./pcre-8.35
Configure Nginx
If the domain registrar provides a free SSL certificate when you buy the domain, use it directly; otherwise a free certificate can be obtained from the Let's Encrypt CA.
Open the Nginx configuration: vi /etc/nginx/nginx.conf
...
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name abc.com;
    root /usr/share/nginx/html;

    ssl_certificate "/root/keys/abc.com.pem";
    ssl_certificate_key "/root/keys/abc.com.private.pem";

    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name def.com;
    root /usr/share/nginx/html;

    ssl_certificate "/root/keys/def.com.pem";
    ssl_certificate_key "/root/keys/def.com.private.pem";

    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
When the configuration is complete, reload Nginx: nginx -s reload
Apply for a free CA certificate
If you do not have an SSL certificate, a free certificate can be obtained from the Let's Encrypt CA as follows.
Step 1: Install Certbot, the official Let's Encrypt client
[root]# yum install -y epel-release
[root]# yum install -y certbot
Step 2: Edit the Nginx configuration and add the following to the server block that listens on port 80:
Certbot places a random challenge file under your web root when validating ownership of the domain, and the validation server then fetches that file over HTTP, so make sure Nginx is configured to serve it.
server {
    listen 80 default_server;
    ...
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
}
Reload Nginx: nginx -s reload
Step 3: Apply for an SSL certificate
[root]# certbot certonly --webroot -w /usr/share/nginx/html/ -d your.domain.com
During the process you will be prompted for an email address, which is used for certificate renewal and expiry notices.
After it completes successfully, the certificate files are generated by default under /etc/letsencrypt/live/your.domain.com/:
|-- fullchain.pem
|-- privkey.pem
Step 4: Configure Nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name def.com;
    root /usr/share/nginx/html;

    ssl_certificate "/etc/letsencrypt/live/your.domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/your.domain.com/privkey.pem";

    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
After configuration, reload Nginx: nginx -s reload
Step 5: Automatically update certificates
First do a dry run of the renewal from the command line:
certbot renew --dry-run
If the dry run succeeds, use crontab -e to add the automatic renewal task:
[root]# crontab -e
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
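Once the two server blocks on port 443 are live and renewal is scheduled, it is worth checking from the outside that each domain is actually handed its own certificate via SNI and how long that certificate has left. The script below is an added example, not part of the original post; it assumes GNU date and openssl are available, and the IP address and host names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: verify per-domain SNI certificates served by nginx on one IP,
# and report days until expiry. Assumes GNU date and openssl; hosts are placeholders.
set -u

# Return 0 if host is covered by a SAN list such as
# "DNS:abc.com, DNS:www.abc.com, DNS:*.def.com" (one-label wildcards only).
san_covers_host() {
  sans="$1"; host="$2"
  for entry in $(printf '%s' "$sans" | tr ',' ' '); do
    entry="${entry#DNS:}"
    [ "$entry" = "$host" ] && return 0
    case "$entry" in
      \*.*) [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${entry#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# Days from now until an openssl "notAfter=..." line expires (negative if already expired).
days_until() {
  when="${1#notAfter=}"
  echo $(( ( $(date -u -d "$when" +%s) - $(date -u +%s) ) / 86400 ))
}

# Fetch the leaf certificate nginx presents for the given SNI name and print
# "<host> OK <days>" or "<host> MISMATCH <sans>"; a MISMATCH means another
# server block (or the default certificate) answered for this name.
check_sni() {
  host="$1"; ip="${2:-$1}"; port="${3:-443}"
  cert=$(openssl s_client -servername "$host" -connect "$ip:$port" </dev/null 2>/dev/null \
         | openssl x509 -noout -text -enddate 2>/dev/null) || return 2
  sans=$(printf '%s\n' "$cert" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
  enddate=$(printf '%s\n' "$cert" | grep '^notAfter=')
  if san_covers_host "$sans" "$host"; then
    printf '%s OK %s\n' "$host" "$(days_until "$enddate")"
  else
    printf '%s MISMATCH %s\n' "$host" "$sans"
    return 1
  fi
}

# Usage: sh check_sni.sh 203.0.113.10 abc.com def.com   (placeholder IP and names)
if [ $# -gt 1 ]; then
  ip="$1"; shift
  for h in "$@"; do check_sni "$h" "$ip" 443; done
fi
```

Note that `certbot renew` run from cron only writes the new files under /etc/letsencrypt/live; Nginx keeps serving the old certificate until it is reloaded, so pair the cron job with nginx -s reload and use this check to confirm the days-left value actually goes up.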