How to install a letsencrypt cert with nginx?

I've used letsencrypt to install an SSL cert for the latest nginx on ubuntu. The setup is fine and works great with the exception of:

[image]

I don't know enough about SSL to know what's going on but I have a suspicion: I installed the SSL cert for Apache a while back and just now moved to Nginx for its http/2 support. As the nginx plugin is not stable yet I had to install the cert myself and this is what I did:

In my nginx config ( /etc/nginx/conf/default.conf ) I added:

server {
    listen       80;
    server_name  [domain];
    return 301   https://$host$request_uri;
}

server {
    listen       443 http2;
    listen       [::]:443 http2;
    server_name  [domain];

    ssl on;
    ssl_certificate /etc/letsencrypt/live/[domain]/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;
}

Is it possible that this breaks the chain somehow? What is the proper way here?

Thanks guys

1) For strong Diffie-Hellman and to avoid Logjam attacks, see this great manual.

You need to extend your nginx config with these directives (after you generate the dhparams.pem file):

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

2) For a correct certificate chain use fullchain.pem, not cert.pem; see this great tutorial for details.

And you will get an A grade :)

3) And as a bonus, try this great service:

"Generate Mozilla Security Recommended Web Server Configuration Files".
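An added check, not part of the question or the answer, that audits an nginx HTTPS server block for the three points the answer raises (leaf-only cert.pem instead of fullchain.pem, no ssl_dhparam, no explicit cipher policy). The sample config is constructed from the asker's block with a placeholder domain:

```python
import re

# Constructed sample: the asker's HTTPS server block with a placeholder domain.
BROKEN_CONF = """
server {
    listen       443 http2;
    listen       [::]:443 http2;
    server_name  example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
"""

def _directives(block):
    """Map 'name value;' directives in a server block to their first value."""
    found = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;]+);", block, re.M):
        found.setdefault(m.group(1), m.group(2).strip())
    return found

def server_blocks(conf):
    """Return the body of each server { ... } block (assumes no nested braces)."""
    return re.findall(r"server\s*\{(.*?)\}", conf, re.S)

def check_tls_block(block):
    """Findings for one HTTPS server block, following the answer's recommendations."""
    d = _directives(block)
    findings = []
    if d.get("ssl_certificate", "").endswith("cert.pem"):
        findings.append("ssl_certificate is cert.pem (leaf only); use fullchain.pem "
                        "so the intermediate is sent and clients can build the chain")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing; DHE suites fall back to the default group")
    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers not set; the TLS library's default list is used")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    return findings

def audit(conf):
    """Audit every server block that listens on port 443."""
    results = []
    for body in server_blocks(conf):
        if re.search(r"listen\s+[^;]*\b443\b", body):
            results.extend(check_tls_block(body))
    return results
```

Running `audit(BROKEN_CONF)` reports all four issues; a block using fullchain.pem plus the answer's ssl_dhparam, ssl_ciphers and ssl_prefer_server_ciphers lines reports none.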
