Let 's 암호 화 인증서 설치

wget https://dl.eff.org/certbot-auto

chmod a+x ./certbot-auto

./certbot-auto

./certbot-auto certonly --manual -d *.minirplus.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

IMPORTANT NOTES:

 - The following errors were reported by the server:

   Domain: minirplus.com

   Type:   connection

   Detail: DNS problem: SERVFAIL looking up TXT for

   _acme-challenge.minirplus.com

   To fix these errors, please make sure that your domain name was

   entered correctly and the DNS A/AAAA record(s) for that domain

   contain(s) the right IP address. Additionally, please check that

   your computer has a publicly routable IP address and that no

   firewalls are preventing the server from communicating with the

   client. If you're using the webroot plugin, you should also verify

   that you are serving files from the webroot path you provided.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel):

-------------------------------------------------------------------------------

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about EFF and

our work to encrypt the web, protect its users and defend digital rights.

-------------------------------------------------------------------------------

(Y)es/(N)o:

-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.minirplus.com with the following value:

xVloe7V1kMEd2ZlOLlUxv-HltYfTDaMhrrwKjFU47DU

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/minirplus.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/minirplus.com/privkey.pem

   Your cert will expire on 2018-06-19. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again. To non-interactively renew *all* of your certificates, run

   "certbot-auto renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048

server {
      

  listen 80;

  server_name example.com www.example.com;

  return 301 https://example.com$request_uri;

}

server {
      

    listen 443 ssl;

    server_name example.com www.example.com;

    # 配置站点证书文件地址

    ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;

    # 配置证书私钥

    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;

    # 配置 Diffie-Hellman 交换算法文件地址

    ssl_dhparam          /etc/letsencrypt/live/dhparams.pem;

    # 配置服务器可使用的加密算法

    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    # 指定服务器密码算法在优先于客户端密码算法时，使用 SSLv3 和 TLS 协议

    ssl_prefer_server_ciphers  on;

    # ssl 版本 可用 SSLv2,SSLv3,TLSv1,TLSv1.1,TLSv1.2 

    # ie6 只支持 SSLv2,SSLv3 但是存在安全问题, 故不支持

    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;

    # 配置 TLS 握手后生成的 session 缓存空间大小 1m 大约能存储 4000 个 session

    ssl_session_cache          shared:SSL:50m;

    # session 超时时间

    ssl_session_timeout        1d;

    # 负载均衡时使用 此处暂时关闭 详情见 https://imququ.com/post/optimize-tls-handshake.html 

    # 1.5.9 及以上支持

    ssl_session_tickets off;

    # 浏览器可能会在建立 TLS 连接时在线验证证书有效性，从而阻塞 TLS 握手，拖慢整体速度。OCSP stapling 是一种优化措施，服务端通过它可以在证书链中封装证书颁发机构的 OCSP（Online Certificate Status Protocol）响应，从而让浏览器跳过在线查询。服务端获取 OCSP 一方面更快（因为服务端一般有更好的网络环境），另一方面可以更好地缓存 以上内容来自 https://imququ.com/post/my-nginx-conf-for-wpo.html

    # 1.3.7 及以上支持

    ssl_stapling               on;

    ssl_stapling_verify        on;

    # 根证书 + 中间证书

    ssl_trusted_certificate    /etc/letsencrypt/live/example.com/fullchain.pem;

    # HSTS 可以告诉浏览器，在指定的 max-age 内，始终通过 HTTPS 访问该域名。即使用户自己输入 HTTP 的地址，或者点击了 HTTP 链接，浏览器也会在本地替换为 HTTPS 再发送请求 相关配置见 https://imququ.com/post/sth-about-switch-to-https.html

    add_header Strict-Transport-Security max-age=60;

    # 在此填写原本 http 协议中的配置

}

service nginx restart

sudo systemctl reload nginx

./certbot-auto renew

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/vps

    ServerSignature Off

        Options -Indexes

        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/vps

        ServerSignature Off

            Options -Indexes

        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/minirplus.com/fullchain.pem;

        SSLCertificateKeyFile /etc/letsencrypt/live/minirplus.com/privkey.pem