How to prevent ssl certificate expiration in nginx

藏色散人
Release: 2019-08-27 10:50:58
Original
7875 people have browsed it

How to prevent ssl certificate expiration in nginx

How does nginx prevent ssl certificate expiration?

nginx configures free SSL certificates and regular certificate updates

Environment contos 6, certificate issuance Let's Encrypt

The premise for certificate generation is that the domain name is Available, that is, it has been registered and has been resolved to a specific IP by DNS

1. Install epel,

>yum install epel-release
Copy after login

2. Download the certbot certificate generation tool certbot-auto

>wget https://dl.eff.org/certbot-auto --no-check-certificate
Copy after login

3 , Installation tool dependencies

>chmod +x certbot-auto
>./certbot-auto -n
Copy after login

4. Generate certificate

Single domain name:

>./certbot-auto certonly --email my@163.com --agree-tos --no-eff-email --webroot -w /usr/local/nginx/html/xue/ -d www.xue37.cn
Copy after login

Note: Replace email, website directory and domain name

Multiple domain names:

>./certbot-auto certonly --email my@163.com --agree-tos --no-eff-email --webroot -w /usr/local/nginx/html/xue/ -d www.xue37.cn -d xue37.cn
Copy after login

The certificate is generated in the /etc/letsencrypt/live/www.xue37.cn/ directory (there will be a prompt message after executing the command at the specific generated address)

5. Certificate extension (because of the validity period of the certificate is 90 days)

The certbot-auto tool supports certificate extension operations, so you can use crontab scheduled tasks to automatically extend the certificate at a scheduled time

>0 3 * * * /root/certbot-auto renew --disable-hook-validation --renew-hook "/usr/local/nginx/sbin/nginx -s reload"
Copy after login

Perform certificate extension at 3 o'clock every day, and the crontab expression can be Baidu

Note:

You can execute it separately first:

/root/certbot-auto renew --disable-hook-validation --renew-hook "/usr/local/nginx/sbin/nginx -s reload"
Copy after login

I am prompted here The following certs are not due for renewal yet, which means that the certificate has not expired and there are no other errors. Therefore, in order to prevent the certificate from expiring for too long, you can set it up to perform extension operations every day

6. Add nginx certificate configuration

server
{
listen 443 ssl;
server_name www.xue37.cn;     ##这里是你的域名
ssl_certificate /etc/letsencrypt/live/www.xue37.cn/fullchain.pem;    #前面生成的证书,改一下里面的域名就行
ssl_certificate_key /etc/letsencrypt/live/www.xue37.cn/privkey.pem;   #前面生成的密钥,改一下里面的域名就行
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
access_log /data/application/logs/xue.access.log main;
location ^~ /bot {
proxy_pass http://xue-server;
include proxy-params.conf;
}
location / {
root html/xue;
index index.html index.htm;
}
location = /50x.html {
root html;
}
}
Copy after login

7. Set 80 port 301 to 443

Modify nginx configuration:

server
{
listen 80;
server_name localhost;
location /.well-known/ {
add_header Content-Type 'text/plain;';
root /usr/local/nginx/html/xue;
}
location / {
return 301 https://www.xue37.cn$request_uri;
}
}
Copy after login

Note: nginx needs to be restarted after modification:/usr/local/nginx/sbin/nginx -s reload

Note: nginx configuration needs to be processed

location ~ /\.
{
deny all;
}
Copy after login

Delete or comment out this configuration or add it in front of this configuration (please ignore it if there is no such configuration)

location ~ /.well-known {
allow all;
}
Copy after login

For more Nginx related technical articles, please visit Nginx usage tutorial column for learning!

The above is the detailed content of How to prevent ssl certificate expiration in nginx. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template