I saw on SegmentFault that Let's Encrypt offers free SSL certificates, so I decided to try it out on CentOS.
The installation is simple; just follow the tutorial step by step:
$ git clone https://github.com/certbot/certbot
$ cd certbot
$ ./certbot-auto --help
The tutorial's next step was a problem, though: after installation the directory contains no certbot executable, only certbot-auto. In practice they amount to the same thing. certbot-auto is a wrapper script that first installs certbot's dependencies (through yum on CentOS) and then runs certbot, so you can use it directly. Note that the Certbot project has since deprecated certbot-auto; on a current system install certbot from your distribution's packages or via snap instead, and read certbot wherever certbot-auto appears below.
When I ran ./certbot-auto, I got the following error from yum:
Error: Multilib version problems found. This often means that the root cause is something else and multilib version checking is just pointing out that there is a problem. Eg.:
1. You have an upgrade for openssl which is missing some dependency that another package requires. Yum is trying to solve this by installing an older version of openssl of the different architecture. If you exclude the bad architecture yum will tell you what the root cause is (which package requires what). You can try redoing the upgrade with --exclude openssl.otherarch ... this should give you an error message showing the root cause of the problem.
2. You have multiple architectures of openssl installed, but yum can only see an upgrade for one of those arcitectures. If you don't want/need both architectures anymore then you can remove the one with the missing update and everything will work.
3. You have duplicate versions of openssl installed already. You can use "yum check" to get yum show these errors.
It looked like an openssl version mismatch, so I ran:
yum update openssl
Then I ran ./certbot-auto again, and this time it went through.
Exit the terminal, then run:
./certbot-auto --help
This time the help output has noticeably more content, because certbot itself is now installed. Then run:
./certbot-auto certonly --standalone -d www.myserver.com
In standalone mode certbot starts its own temporary web server on port 80, but port 80 was already taken by nginx, so this failed; nginx would have to be stopped for a moment. Not wanting to interrupt service, I stopped nginx by hand and started a spare Apache I had set up earlier to hold port 80 and keep serving. With Apache running I no longer needed --standalone and could use the apache plugin instead:
./certbot-auto certonly --apache -d www.myserver.com
That produced another error: it could not find my server in a virtual host on port 443. I had only configured a VirtualHost on port 80, so I hastily added one for port 443 to Apache's conf. It still could not connect, failing with:
- The following errors were reported by the server:
Domain: www.myserver.com
Type: connection
Detail: Failed to connect to host for DVSNI challenge
Then it dawned on me: I had blocked port 443 in the firewall. After opening port 443 it finally succeeded! (The DVSNI challenge, later named tls-sni-01, validated over port 443. Let's Encrypt has since retired that challenge type, so a current certbot validates with http-01 over port 80 or with dns-01; the firewall lesson is the same, only the port differs.)
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.myserver.com/fullchain.pem. Your cert will expire on 2016-08-15. To obtain a new version of the certificate in the future, simply run Certbot again.
Next, you will find four files in that directory:
cert.pem@ chain.pem@ fullchain.pem@ privkey.pem@
The trailing @ marks them as symlinks: they point into /etc/letsencrypt/archive/www.myserver.com/, and a renewal writes new files there and repoints the symlinks, so configuration should always reference the live/ paths. Of these four, the nginx configuration uses only the last two, because fullchain.pem is simply cert.pem followed by chain.pem (the leaf certificate plus the intermediate), which is exactly what nginx's ssl_certificate expects. privkey.pem is the private key: it must stay readable by root only and must never be copied into a web-accessible directory.
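As an added check, not part of the original post, the following POSIX sh script verifies what the text says about those files for a given live/ directory: all four exist, fullchain.pem is exactly cert.pem followed by chain.pem, the private key is readable by its owner only, and, when openssl is installed, privkey.pem belongs to cert.pem and the certificate still has at least 30 days left. The directory path is a command-line argument; it relies on nothing beyond coreutils and openssl.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks on the files
# certbot writes under /etc/letsencrypt/live/<domain>/.
# Usage: sh check_live.sh /etc/letsencrypt/live/www.myserver.com
# Needs only POSIX sh and coreutils; the openssl checks are skipped if
# openssl is not installed.

# 0 if all four expected files exist and are readable in the live directory.
live_files_present() {
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
    done
}

# 0 if fullchain.pem is byte-for-byte cert.pem followed by chain.pem
# (leaf certificate, then intermediate), which is what nginx expects.
fullchain_consistent() {
    cat "$1/cert.pem" "$1/chain.pem" | cmp -s - "$1/fullchain.pem"
}

# 0 if privkey.pem is readable by its owner only (mode 600 or 400).
# -L follows the live/ symlink so the real file's mode is checked.
privkey_mode_ok() {
    mode=$(stat -L -c '%a' "$1/privkey.pem" 2>/dev/null \
           || stat -L -f '%Lp' "$1/privkey.pem" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "privkey.pem mode is '$mode', expected 600" >&2; return 1 ;;
    esac
}

# 0 if privkey.pem carries the same public key as cert.pem.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if cert.pem is still valid $2 days from now (default 30),
# i.e. renewal is not yet overdue.
cert_valid_for_days() {
    openssl x509 -in "$1/cert.pem" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run every check on one live directory; 0 only if all of them pass.
check_live_dir() {
    dir=$1
    live_files_present "$dir" || return 1
    fullchain_consistent "$dir" \
        || { echo "fullchain.pem is not cert.pem + chain.pem" >&2; return 1; }
    privkey_mode_ok "$dir" || return 1
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$dir" \
            || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
        cert_valid_for_days "$dir" 30 \
            || { echo "cert.pem expires within 30 days; run certbot-auto renew" >&2; return 1; }
    else
        echo "openssl not found; skipped key-match and expiry checks" >&2
    fi
    echo "OK: $dir"
}

if [ $# -ge 1 ]; then
    check_live_dir "$1"
fi
```

Run it as root after issuance and again from cron after each renewal; the expiry check failing is the cue to run certbot-auto renew (followed by reloading nginx, which otherwise keeps serving the old certificate from memory).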
The nginx configuration is as follows:
server {
    # "ssl on;" is the old form; it was deprecated in nginx 1.15 and removed in 1.25,
    # so enable TLS on the listen line instead
    listen 443 ssl;
    server_name www.myserver.com;
    root /var/www/html;
    # the live/ paths are symlinks that certbot repoints on renewal; reference them, not archive/
    ssl_certificate /etc/letsencrypt/live/www.myserver.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.myserver.com/privkey.pem;
    location / {
        index index.php index.html index.htm;
    }
    # deny dotfiles such as .git and .htaccess; note that this regex also matches
    # /.well-known, which matters for the webroot validation in the addendum below
    location ~ /\. {
        return 403;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Finally, remember to configure port 80 as well, so that every plain-http request to port 80 is forced over to https:
server {
    listen 80;
    server_name www.myserver.com;
    return 301 https://www.myserver.com$request_uri;
}
At this point, check the configuration with nginx -t, restart nginx, and the nice green padlock finally shows up in the browser!
Addendum, June 9, 2016:
Configuring Let's Encrypt under nginx is actually far less trouble than the above. First add the following location to the server block of the nginx configuration file (for the setup above that is the 443 server block, because the port-80 block only redirects and Let's Encrypt's validator follows the redirect):
location ^~ /.well-known/acme-challenge/ {
    allow all;
}
The reason is that during validation Let's Encrypt needs to write a file into this folder under the web root and fetch it back over http; you do not need to create the folder yourself, certbot does. Two details matter for the config above: the root of this location is inherited from the server block and must be the same directory you pass as --webroot-path, and the location must not be shadowed by the location ~ /\. { return 403; } dotfile rule. A plain regex location such as location ~ /.well-known only works if it appears before the dotfile rule, because nginx tests regex locations in order and the first match wins; the ^~ prefix form stops regex evaluation and wins regardless of ordering.
Then run:
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d www.example.com
(letsencrypt-auto is the older name of the same certbot-auto wrapper; the two are interchangeable.) The webroot plugin writes the challenge file under /var/www/html/.well-known/acme-challenge/ and needs nothing more than a running nginx on port 80, so there is no need to stop nginx or swap in Apache. The remaining steps are the same as above.
For an even more convenient method, see https://segmentfault.com/a/11...
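The webroot procedure above only works if nginx really serves files under /.well-known/acme-challenge/ on port 80 for the domain, with no dotfile rule, mismatched root or firewall in the way. The following preflight script is an added example, not code from the original post or from certbot: it writes a random token where certbot would write its challenge, fetches it back through the web server with curl the way the validator would, compares the bytes and removes the token. The web root and domain are arguments; curl is assumed to be installed, and the fetch function can be swapped out through the ACME_FETCH variable (used for testing).

```shell
#!/bin/sh
# Added example, not part of the original post: preflight for the http-01
# webroot validation. Usage: sh acme_preflight.sh /var/www/html www.example.com
# Assumes curl is installed; ACME_FETCH may name another function taking a URL.

# Fetch $1 over plain HTTP and print the body, failing on any HTTP error.
fetch_http() {
    curl -fsS --max-time 10 "$1"
}

# Write a random token under the challenge dir, fetch it through the web
# server, verify the bytes match, and clean up. Returns 0 on success.
acme_preflight() {
    webroot=$1
    domain=$2
    fetch=${ACME_FETCH:-fetch_http}
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="preflight-$(date +%s)-$$"
    # random body so a stale cache or a static 200 page cannot fake a pass
    expected="acme-preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$expected" > "$dir/$token" || return 1
    got=$("$fetch" "http://$domain/.well-known/acme-challenge/$token") || got=""
    rm -f "$dir/$token"
    if [ "$got" = "$expected" ]; then
        echo "OK: $domain serves $dir over http"
        return 0
    fi
    echo "FAIL: expected '$expected', got '$got'" >&2
    echo "check the location block, nginx root vs --webroot-path, and port 80 in the firewall" >&2
    return 1
}

if [ $# -ge 2 ]; then
    acme_preflight "$1" "$2"
fi
```

Run it from a host other than the server, so that public DNS and the external firewall are exercised too, not just the local nginx; once it passes, current certbot versions let you rehearse the real thing against the staging environment by adding --dry-run to the certonly command before requesting a production certificate.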