Configuring letsencrypt under nginx

Since I saw on segmentfault that letsencrypt offers free SSL certificates, I decided to install it on CentOS and try it out.

The installation is simple; just follow the tutorial step by step:

$ git clone https://github.com/certbot/certbot
$ cd certbot
$ ./certbot-auto --help

But the next step of the tutorial was a problem: after installation there was no certbot executable in the directory, only certbot-auto. They are effectively the same thing (certbot-auto is a wrapper script that installs the required dependencies and then runs certbot), so it can be used directly.

When I ran ./certbot-auto, I got the following error:

Error:  Multilib version problems found. This often means that the root
       cause is something else and multilib version checking is just
       pointing out that there is a problem. Eg.:

         1. You have an upgrade for openssl which is missing some
            dependency that another package requires. Yum is trying to
            solve this by installing an older version of openssl of the
            different architecture. If you exclude the bad architecture
            yum will tell you what the root cause is (which package
            requires what). You can try redoing the upgrade with
            --exclude openssl.otherarch ... this should give you an error
            message showing the root cause of the problem.

         2. You have multiple architectures of openssl installed, but
            yum can only see an upgrade for one of those arcitectures.
            If you don't want/need both architectures anymore then you
            can remove the one with the missing update and everything
            will work.

         3. You have duplicate versions of openssl installed already.
            You can use "yum check" to get yum show these errors.

It looked like an openssl version mismatch, so I ran

yum update openssl

and then ran ./certbot-auto again; this time it went through without problems.

I quit the interface first and then ran

./certbot-auto --help

This time there was more output. Then I ran:

./certbot-auto certonly --standalone -d www.myserver.com

Because this is standalone mode, it tries to start its own server on port 80, but port 80 was already occupied by nginx, so it failed and nginx had to be stopped temporarily. Since I did not want to interrupt service, I stopped nginx by hand and started a spare Apache I had around to hold port 80 and keep serving. That way I no longer needed the standalone parameter and could use the apache parameter instead, like this:

./certbot-auto certonly --apache -d www.myserver.com

But another error appeared: it could not find my server in a virtual host on port 443. It turned out I had only configured a virtual host on port 80, so I hastily added a virtual host to the Apache conf so that port 443 could be used. It still could not connect, and reported the following error:

- The following errors were reported by the server:

   Domain: www.myserver.com
   Type:   connection
   Detail: Failed to connect to host for DVSNI challenge

On reflection, I had blocked port 443 in the firewall. After opening port 443, it finally succeeded!

- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.myserver.com/fullchain.pem. Your
   cert will expire on 2016-08-15. To obtain a new version of the
   certificate in the future, simply run Certbot again.

You will now see four files in that directory (the trailing @ in the ls -F listing means they are symlinks into /etc/letsencrypt/archive/, which is why nginx should be pointed at the live/ paths and never at the archive):
cert.pem@ chain.pem@ fullchain.pem@ privkey.pem@

Of these four files, the nginx config only uses the last two, because fullchain.pem is simply cert.pem followed by chain.pem. (chain.pem on its own becomes useful later if you enable OCSP stapling, where nginx takes it as ssl_trusted_certificate.)

The nginx configuration is as follows:

server {
    listen       443 ssl;   # "listen ... ssl" instead of the deprecated "ssl on;"
    server_name  www.myserver.com;
    root   /var/www/html;

    ssl_certificate      /etc/letsencrypt/live/www.myserver.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.myserver.com/privkey.pem;

    location / {
        index  index.php index.html index.htm;
    }

    # deny access to dotfiles such as .git or .htaccess
    location ~ /\. {
        return 403;
    }

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Finally, remember to configure port 80 as well, so that every http request arriving on port 80 is forced over to https:

server {
    listen      80;
    server_name www.myserver.com;
    return 301 https://www.myserver.com$request_uri;
}
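As an added example (not the config from the original post), here is the same 443 server block with the TLS settings a practitioner would want on top of the two certbot paths: the `listen ... ssl` form instead of the deprecated `ssl on;`, TLS 1.2 and up only, OCSP stapling (which is where chain.pem comes in), HSTS, and a `try_files` guard on the PHP location. The certificate paths, root and server name are the post's own; the resolver address and the nginx/OpenSSL version requirements noted in the comments are assumptions about your build.

```nginx
server {
    listen       443 ssl;            # "listen ... ssl" replaces the deprecated "ssl on;"
    server_name  www.myserver.com;
    root         /var/www/html;

    # Paths under live/ are symlinks that certbot repoints at each renewal,
    # so nginx only needs a reload after "certbot-auto renew".
    ssl_certificate      /etc/letsencrypt/live/www.myserver.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.myserver.com/privkey.pem;

    # Protocols and ciphers: no SSLv3/TLS 1.0/1.1, forward-secret AEAD suites only.
    # Drop "TLSv1.3" if your build predates it (nginx < 1.13, OpenSSL < 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption via the shared cache; tickets off so a long-lived
    # ticket key cannot undo forward secrecy.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling. chain.pem (the issuer chain without the leaf) is the
    # file the post's config leaves unused; nginx needs it to verify the
    # stapled response. The resolver address is an assumption (local resolver).
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.myserver.com/chain.pem;
    resolver                127.0.0.1 valid=300s;

    # HSTS. Enable only once the port-80 redirect server block works for
    # every path, since browsers will refuse plain HTTP for max-age seconds.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        index  index.php index.html index.htm;
    }

    # Deny dotfiles (.git, .env, .htaccess ...) as in the original config.
    location ~ /\. {
        return 403;
    }

    location ~ \.php$ {
        # Refuse URIs like /upload.png/x.php: if the file does not exist
        # on disk, answer 404 instead of handing the path to PHP-FPM.
        try_files      $uri =404;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
```

Check the result with `nginx -t` before reloading, then confirm from outside with `openssl s_client -connect www.myserver.com:443 -status` that the handshake negotiates TLS 1.2 or 1.3 and that an OCSP response is stapled.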

With that done, restart nginx and you can finally see that nice little green padlock in the browser!


Addendum, June 9, 2016:

Actually, configuring letsencrypt under nginx is nowhere near that much trouble. First add the following to the server block in the nginx configuration file:

# Must come before the "location ~ /\." deny rule: nginx tests regex
# locations in file order and the first match wins.
location ~ /.well-known {
    allow all;
}

The reason is that letsencrypt needs to write a file into this directory during validation; you do not need to create the directory yourself.

Then run the following (letsencrypt-auto is the older name of the same certbot-auto script):

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d www.example.com

The remaining steps are the same as above.
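One snag when combining the port-80 redirect from earlier with the webroot plugin: the HTTP challenge is fetched over plain HTTP at /.well-known/acme-challenge/<token>, so if port 80 redirects everything to HTTPS, the very first issuance depends on a 443 server that has no certificate yet. As an added example (not the post's own config), here is a port-80 server block that answers the challenge from the webroot directly and redirects everything else. The webroot path and domain follow the addendum's command; everything else is an assumption.

```nginx
server {
    listen      80;
    server_name www.example.com;

    # "^~" is a prefix match that stops nginx from consulting regex
    # locations, so this block wins regardless of where a
    # "location ~ /\." deny rule appears in the file.
    location ^~ /.well-known/acme-challenge/ {
        root         /var/www/html;   # same directory as --webroot-path
        default_type "text/plain";
    }

    # Everything else goes to HTTPS, as in the original redirect block.
    location / {
        return 301 https://www.example.com$request_uri;
    }
}
```

The same `^~` form can replace the regex `location ~ /.well-known` inside the 443 server so that nothing depends on the order of the location blocks. To verify before requesting a certificate, drop a test file into /var/www/html/.well-known/acme-challenge/ and fetch it with `curl -i http://www.example.com/.well-known/acme-challenge/<name>`: you should get a 200 with the file's contents, not a 301 or a 403.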


For an even more convenient method, see https://segmentfault.com/a/11...
