System requirements
Before starting with Let's Encrypt, make sure you have administrative access to the host. Check the host's IP address and create an A record in the domain's DNS that points to that IP address. If the site is behind a CDN, the CDN service must be paused before the Let's Encrypt certificate is created.
Note: Let's Encrypt is still in beta; do not use it on production sites yet!
Let's Encrypt installation steps:
(1) Fetch the source:
# git clone https://github.com/letsencrypt/letsencrypt /tmp/letsencrypt
# cd /tmp/letsencrypt
(2) Stop nginx first. In the situation encountered so far, only the standalone mode works (it needs the ports nginx is listening on), so nginx must be shut down before the next step:
# service nginx stop
(3) Run the default script:
# ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
Once the SSL certificate has been created, the notice below appears. Open the path given in the notice to confirm that the certificate was issued successfully.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/adj.idv.tw/fullchain.pem. Your cert will
expire on 2016-03-12. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
By default the key and certificate are written to /etc/letsencrypt/live/adj.idv.tw/
(4) Example nginx configuration:
QUOTE:
server {
    listen 443 ssl;
    server_name adj.idv.tw www.adj.idv.tw dz.adj.idv.tw;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/adj.idv.tw/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/adj.idv.tw/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ...
}
If this is the first SSL certificate you set up, create /etc/letsencrypt/options-ssl-nginx.conf yourself with the following contents:
QUOTE:
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Using list of ciphers from "Bulletproof SSL and TLS"
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
Then restart the nginx service and you are done.
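The notice from step (3) says the certificate expires after about three months and must be obtained again by running the client. The script below is an added example, not part of the original post: it reads the expiry date from the live fullchain.pem and, only when fewer than a threshold of days remain, repeats steps (2) and (3) (stop nginx, run the standalone client, start nginx). It assumes the checkout is still in /tmp/letsencrypt, that GNU date is available for parsing the OpenSSL timestamp, and a 30-day threshold; none of these come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-able check that repeats the
# post's standalone workflow (stop nginx, run letsencrypt-auto, start nginx)
# only when the live certificate is close to expiry. Assumed, not from the post:
# the checkout stays in /tmp/letsencrypt, GNU date (-d) exists, 30-day threshold.
DOMAIN="${DOMAIN:-adj.idv.tw}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
LE_DIR="${LE_DIR:-/tmp/letsencrypt}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# days_until "Mar 12 00:00:00 2016 GMT" [NOW_EPOCH]: whole days from NOW_EPOCH
# (default: current time) until an OpenSSL-formatted notAfter timestamp.
days_until() {
    expiry_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch="${2:-$(date -u +%s)}"
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# cert_days_left CERT.pem: days until the certificate in the file expires.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_until "$not_after"
}
# needs_renewal DAYS_LEFT THRESHOLD: true when renewal is due.
needs_renewal() {
    [ "$1" -lt "$2" ]
}

# Steps (2) and (3) of the post: standalone auth needs the ports nginx holds, so
# nginx is stopped for the run and started again afterwards even if renewal fails.
renew_standalone() {
    service nginx stop
    "$LE_DIR/letsencrypt-auto" --agree-dev-preview \
        --server https://acme-v01.api.letsencrypt.org/directory auth
    status=$?
    service nginx start
    return $status
}
main() {
    left=$(cert_days_left "$LIVE_DIR/fullchain.pem") || exit 1
    if needs_renewal "$left" "$RENEW_DAYS"; then
        echo "$DOMAIN: certificate expires in $left days, renewing"
        renew_standalone
    else
        echo "$DOMAIN: certificate valid for $left more days, nothing to do"
    fi
}
# Only act when invoked as "sh renew-check.sh run"; sourcing the file is harmless.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from cron as root with the `run` argument; the nginx outage lasts only as long as the client needs to complete the challenge.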