sudo yum install epel-release -y

sudo yum install nginx -y

sudo systemctl start nginx
sudo systemctl enable nginx

sudo systemctl status nginx

sudo yum install epel-release -y
sudo yum install certbot python2-certbot-nginx -y

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

sudo crontab -e

0 0 * * * /usr/bin/certbot renew --quiet

mkdir -p /usr/local/nginx/ssl/private
#證書私鑰文件夾
mkdir -p /usr/local/nginx/ssl/certs
#證書請(qǐng)求文件夾

openssl genpkey -algorithm RSA -out /usr/local/nginx/ssl/private/nginx-selfsigned.key -pkeyopt rsa_keygen_bits:2048
#-algorithm指定證書算法 SRA
#-out 指定輸出目錄
#-pkeyopt 指定秘鑰長(zhǎng)度，2048標(biāo)準(zhǔn)安全
openssl req -new -key /usr/local/nginx/ssl/private/nginx-selfsigned.key -out /usr/local/nginx/ssl/certs/nginx-selfsigned.csr
#req -new 生成一個(gè)新的證書請(qǐng)求
#-key /usr/local/nginx/ssl/private/nginx-selfsigned.key 請(qǐng)求一個(gè)私鑰
#-out /usr/local/nginx/ssl/certs/nginx-selfsigned.csr 輸出到證書請(qǐng)求文件
openssl x509 -req -days 365 -in /usr/local/nginx/ssl/certs/nginx-selfsigned.csr -signkey /usr/local/nginx/ssl/private/nginx-selfsigned.key -out /usr/local/nginx/ssl/certs/nginx-selfsigned.crt
#x509標(biāo)準(zhǔn)證書
#-req -days 365 -in  /usr/local/nginx/ssl/certs/nginx-selfsigned.csr生成一個(gè)新的證書請(qǐng)求365天的
#-signkey  /usr/local/nginx/ssl/private/nginx-selfsigned.key指向私鑰地址
#-out  /usr/local/nginx/ssl/certs/nginx-selfsigned.crt指向證書地址
==================================證書簽發(fā)對(duì)話=====================================

其他字段說明（一般在用 openssl req -new -key ... 生成 CSR 時(shí)會(huì)問）

    Country Name (2 letter code): 國(guó)家代碼（必須 2 位，例如 CN、US）

    State or Province Name: 省/州全名，例如 Zhejiang

    Locality Name: 城市，例如 Hangzhou

    Organization Name: 公司或組織名，例如 MyCompany Ltd

    Organizational Unit Name: 部門名，例如 IT Department（可留空）

    Common Name (e.g. server FQDN): 你的域名，例如 example.com

    Email Address: 郵箱地址，例如 admin@example.com

vim /usr/local/nginx/conf/nginx.conf

server {
    listen 443 ssl;
    server_name look.com www.look.com;

    ssl_certificate /usr/local/nginx/ssl/certs/nginx-selfsigned.crt;
    #指定密鑰路徑
    ssl_certificate_key /usr/local/nginx/ssl/private/nginx-selfsigned.key;
    #指定證書路徑
    ssl_protocols TLSv1.2 TLSv1.3;
    #證書版本
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    #定義加密套件?？梢愿鶕?jù)安全需求選擇合適的加密方法。
    #openssl版本低的解決方法
    #一、修改為ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    #二、升級(jí)openssl版本
    ssl_prefer_server_ciphers on; 
    #強(qiáng)制服務(wù)器優(yōu)先選擇加密套件。

    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

server {
    listen 80;
    server_name benet.com www.benet.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    ...
}

ssl_protocols TLSv1.2 TLSv1.3;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

sudo openssl dhparam -out /usr/local/nginx/ssl/certs/dhparam.pem 2048

ssl_dhparam /usr/local/nginx/ssl/certs/dhparam.pem;

ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

sudo nginx -t

sudo systemctl restart nginx

curl -I https://look.com