1. If the Python version is 2.6, run:
yum install python-argparse.noarch
2. The main step: download the script and edit its configuration
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
chmod +x letsencrypt.sh
vi letsencrypt.conf
3. Configuration
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="example.com.key"
DOMAIN_DIR="/var/www/example.com"
DOMAINS="DNS:example.com,DNS:whatever.example.com"
#ECC=TRUE
#LIGHTTPD=TRUE
The key files that are needed are generated automatically while the script runs. ACCOUNT_KEY is the account key, DOMAIN_KEY is the domain's private key, DOMAIN_DIR is the directory the domain's web root points to, and DOMAINS is the list of domains to sign. If you need an ECC certificate, uncomment #ECC=TRUE; if you need a pem file generated for lighttpd, uncomment #LIGHTTPD=TRUE. Then run:
./letsencrypt.sh letsencrypt.conf
PS: If your domain's DNS is hosted in mainland China, this step will very likely hit an error like the one below; you can use GoDaddy's DNS service instead.
ValueError: Wrote file to /home/xxx/www/challenges/oJbvpIhkwkBGBAQUklWJXyC8VbWAdQqlgpwUJkgC1Vg, but couldn't download http://www.yoursite.com/.well-known/acme-challenge/oJbvpIhkwkBGBAQUklWJXyC8VbWAdQqlgpwUJkgC1Vg
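The error above means the script wrote the challenge file under DOMAIN_DIR but the ACME server could not fetch it over plain HTTP. The following pre-flight check is an added example, not part of the original post or of xdtianyu's script: it reads DOMAIN_DIR and DOMAINS from letsencrypt.conf, drops a throwaway token into .well-known/acme-challenge and fetches it from every domain the way the validation server would, so DNS and nginx problems show up before you spend a rate-limited issuance attempt. The helper names (domains_from_list, read_conf_var, preflight_challenge) are mine; the config values in the test are constructed from the sample above.

```shell
#!/bin/sh
# Added example, not from the original post or xdtianyu's script: confirm that each
# domain in DOMAINS serves files placed under DOMAIN_DIR/.well-known/acme-challenge
# over HTTP, which is exactly what the "Wrote file ... but couldn't download" error
# says is broken.

# Turn "DNS:example.com,DNS:whatever.example.com" into "example.com whatever.example.com".
domains_from_list() {    # domains_from_list DOMAINS_VALUE
    printf '%s' "$1" | tr ',' '\n' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# Read one NAME="value" (or NAME=value) line from letsencrypt.conf without executing it.
read_conf_var() {    # read_conf_var CONF_FILE NAME
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$1" | head -n 1
}

# Write a token into the challenge directory and fetch it from every domain over HTTP.
# Returns 0 when every domain served it, 1 when at least one did not.
preflight_challenge() {    # preflight_challenge CONF_FILE
    dir=$(read_conf_var "$1" DOMAIN_DIR)
    domains=$(domains_from_list "$(read_conf_var "$1" DOMAINS)")
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir/.well-known/acme-challenge" || return 1
    printf 'ok\n' > "$dir/.well-known/acme-challenge/$token"
    rc=0
    for d in $domains; do
        url="http://$d/.well-known/acme-challenge/$token"
        body=$(curl -fsS --max-time 10 "$url" 2>/dev/null)
        if [ "$body" = "ok" ]; then
            echo "OK   $d serves challenge files from $dir"
        else
            echo "FAIL $d: $url not reachable (check the DNS record and the nginx /.well-known location)"
            rc=1
        fi
    done
    rm -f "$dir/.well-known/acme-challenge/$token"
    return $rc
}

# Usage: sh preflight.sh letsencrypt.conf
if [ -n "${1:-}" ]; then
    preflight_challenge "$1"
fi
```

Run it as the same user that will run letsencrypt.sh, so a DOMAIN_DIR that is not writable shows up here too. A FAIL for one domain while the others pass usually points at a stale DNS record for that name rather than at the web server.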
Add the SSL-related configuration in nginx:
listen 80;
listen 443 ssl http2;
server_name www.example.com example.com;
index index.html;
root /home/www;
if ($server_port = 80) {
    return 301 https://$server_name$request_uri;
}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_certificate /ssl/example.chained.crt;
ssl_certificate_key /ssl/example.com.key;
location / {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    try_files $uri $uri/ /index.php?$args;
}
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires 30d;
    access_log off;
    set $local yes;
    valid_referers none *.example.com mp.weixin.qq.com;
    if ($invalid_referer) {
        set $local no;
    }
    if ($local = no) {
        return 404;
    }
}
location ~ .*\.(js|css)?$ {
    expires 12h;
    access_log off;
}
# keep the ACME challenge path reachable so the certificate can be issued
location ~ /.well-known {
    allow all;
}
error_page 404 = /404.html;
access_log /home/wwwlogs/www.example.com_access.log access;
Note: nginx supports http2 from version 1.9.5 onwards; it also has to have been built with http_v2_module; and if your site does not show up in the list on Chrome's chrome://net-internals/#http2 page, one possible cause is that the OpenSSL version nginx was built against is too old: the OpenSSL version must be higher than 1.0.1.
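The server block above still enables TLSv1 and TLSv1.1 and keeps 3DES in the cipher list, which is worth revisiting once the certificate works. The script below is an added example, not part of the original post: it audits the ssl_protocols and ssl_ciphers directives of an nginx config and checks that a /.well-known location exists, printing WEAK, NOTE or MISSING findings. It assumes each directive sits on its own line in one file; write_sample_conf writes a constructed sample made from the post's own settings so the audit has something to report.

```shell
#!/bin/sh
# Added example, not part of the original post or of xdtianyu's script: audit the
# TLS directives of an nginx server block such as the one above. Assumes one
# directive per line in a single file.

# Constructed sample: the post's SSL directives, one per line.
write_sample_conf() {    # write_sample_conf FILE
    cat > "$1" <<'EOF'
listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_certificate /ssl/example.chained.crt;
ssl_certificate_key /ssl/example.com.key;
location ~ /.well-known { allow all; }
EOF
}

# Value of a directive: everything after its name, up to the ';' (first occurrence only).
directive_value() {    # directive_value FILE NAME
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | sed "s/^[[:space:]]*$2[[:space:]]*//; s/;.*//"
}

# Print one line per finding; exit status is the number of WEAK findings.
audit_nginx_tls() {    # audit_nginx_tls FILE
    conf="$1"
    weak=0
    protos=$(directive_value "$conf" ssl_protocols)
    case " $protos " in
        *' TLSv1 '*|*' TLSv1.1 '*)
            echo "WEAK    ssl_protocols enables TLSv1/TLSv1.1 ($protos); prefer TLSv1.2 and newer"
            weak=$((weak + 1)) ;;
    esac
    ciphers=$(directive_value "$conf" ssl_ciphers)
    case "$ciphers" in
        *3DES*)
            echo "WEAK    ssl_ciphers offers 3DES (EECDH+3DES, RSA+3DES); remove the 3DES entries"
            weak=$((weak + 1)) ;;
    esac
    case "$ciphers" in
        *RSA+AES*)
            echo "NOTE    ssl_ciphers also allows plain RSA key exchange, which gives no forward secrecy" ;;
    esac
    if ! grep -qE 'location[[:space:]]+~?[[:space:]]*/?\.well-known' "$conf"; then
        echo "MISSING no location for /.well-known; the ACME HTTP challenge fails if other rules block it"
    fi
    [ "$weak" -eq 0 ] && echo "OK      no weak protocol or cipher settings found"
    return "$weak"
}

# Usage: sh audit.sh /etc/nginx/conf.d/example.conf
if [ -n "${1:-}" ]; then
    audit_nginx_tls "$1"
fi
```

Because the exit status is the number of WEAK findings, the audit can gate a deployment step with a plain `&&`. Dropping TLSv1/TLSv1.1 only breaks clients that cannot do TLSv1.2; the post's own curl check is a convenient way to confirm your tooling still connects afterwards.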
More details on http2 support:
https://zhangge.net/5114.html
http://www.jackieathome.net/archives/437.html
Verify that HTTP2 is in effect
1. Check whether curl supports the http2 protocol
curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
2. If it does not support http2, upgrade curl
vim /etc/yum.repos.d/city-fan.repo
with the following contents:
[CityFan]
name=City Fan Repo
baseurl=http://nervion.us.es/city-fan/yum-repo/rhel$releasever/$basearch/
enabled=1
gpgcheck=0
then run:
yum clean all
yum -y install libcurl
3. Verify
curl --http2 https://so.taoerqu.com -i
Scheduled task to renew the certificate
To renew the certificate automatically once a month, you can add service nginx reload (or similar) at the end of the script so the service picks up the new certificate.
0 0 1 * * /etc/nginx/certs/letsencrypt.sh /etc/nginx/certs/letsencrypt.conf >> /var/log/lets-encrypt.log 2>&1
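Rather than appending a reload to letsencrypt.sh itself, the wrapper below, an added example that is not part of the original post or of xdtianyu's script, can be called from the same cron line: it skips the run while the certificate still has more than 30 days left, fingerprints the chained certificate before and after running the script, and reloads nginx only when the file actually changed and `nginx -t` passes. The paths are assumptions taken from the post (script and config under /etc/nginx/certs, chained certificate under /ssl) and can be overridden through the environment; the helper names (fingerprint, needs_reload, expires_within_days, renew) are mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of xdtianyu's script: cron wrapper
# that renews only near expiry and reloads nginx only when the cert file changed.
# Paths are assumed from the post; override them via the environment.
SCRIPT="${SCRIPT:-/etc/nginx/certs/letsencrypt.sh}"
CONF="${CONF:-/etc/nginx/certs/letsencrypt.conf}"
CERT="${CERT:-/ssl/example.chained.crt}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# Fingerprint a file so a renewal that rewrote it can be detected; "none" if absent.
fingerprint() {    # fingerprint FILE
    if [ -f "$1" ]; then cksum < "$1" | cut -d' ' -f1; else echo none; fi
}

# True when the two fingerprints differ, i.e. nginx must pick up a new certificate.
needs_reload() {    # needs_reload BEFORE AFTER
    [ "$1" != "$2" ]
}

# True when CERT is missing/unreadable or expires within DAYS
# (openssl x509 -checkend exits non-zero in both cases).
expires_within_days() {    # expires_within_days CERT DAYS
    ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

renew() {
    if ! expires_within_days "$CERT" "$RENEW_DAYS"; then
        echo "$(date '+%F %T') certificate valid for more than $RENEW_DAYS days, skipping"
        return 0
    fi
    before=$(fingerprint "$CERT")
    if ! "$SCRIPT" "$CONF"; then
        echo "$(date '+%F %T') renewal failed, leaving nginx untouched"
        return 1
    fi
    after=$(fingerprint "$CERT")
    if needs_reload "$before" "$after"; then
        # reload only after the running config passes the syntax check
        nginx -t && service nginx reload && echo "$(date '+%F %T') new certificate loaded"
    else
        echo "$(date '+%F %T') certificate unchanged, no reload"
    fi
}

# Usage from cron, in place of calling letsencrypt.sh directly:
#   0 0 1 * * /etc/nginx/certs/renew.sh run >> /var/log/lets-encrypt.log 2>&1
if [ "${1:-}" = run ]; then
    renew
fi
```

Keeping the reload conditional means a failed or skipped run never restarts nginx with a half-written certificate, and the timestamped lines in /var/log/lets-encrypt.log make it easy to see which month a renewal actually happened.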
Related links:
https://github.com/xdtianyu/scripts/tree/master/lets-encrypt
http://www.chinaz.com/web/2015/1221/486106_2.shtml
https://imququ.com/post/letsencrypt-certificate.html
https://community.centminmod.com/threads/letsencrypt-ssl-certificates-and-windows-xp-workarounds.5272/page-2