Installing a Let's Encrypt certificate on Debian jessie and enabling HTTPS

Source: Internet   Editor: 程序博客网   Time: 2024/05/18 01:48

Install certbot and obtain the certificate

# apt-get install certbot -t jessie-backports

# certbot certonly --webroot -w /home/www/your_domain_name -d your_domain_name.com -d www.your_domain_name.com

Output:
# certbot certonly --webroot -w /home/www/your_domain_name -d your_domain_name.com -d www.your_domain_name.com


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/your_domain_name.com/fullchain.pem. Your cert will
   expire on 2016-12-26. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Test automatic renewal and set it up


Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:
certbot renew --dry-run 
Run the command:
# certbot renew --dry-run
Output:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your_domain_name.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)


Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/your_domain_name.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)


IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


Set up a scheduled task that runs twice a day:
Note:
if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.


Edit /etc/crontab and add the following lines so that renewal runs twice a day:
10 2 * * * root certbot renew --quiet
15 2 * * * root service nginx restart
10 3 * * * root certbot renew --quiet
15 3 * * * root service nginx restart

References:
https://certbot.eff.org/#debianjessie-nginx
https://letsencrypt.org/

Configure nginx

Edit the corresponding nginx configuration file and restart nginx:

Reference:
http://nginx.org/en/docs/http/configuring_https_servers.html


# Permanently redirect plain-HTTP connections to the HTTPS site
server {
    listen 80;
    server_name your_domain_name.com www.your_domain_name.com;
    # 301 (permanent) redirect to the https site.
    # Note: $server_name is always the first name in the server_name list,
    # so requests for www.your_domain_name.com are redirected to the apex name.
    return 301 https://$server_name$request_uri;
}


server {
    listen 443 ssl;
    server_name your_domain_name.com www.your_domain_name.com;
    root /usr/share/nginx/html/wordpress;

    # Tell browsers to use only https for this site during the max-age period.
    # Browsers honour Strict-Transport-Security only when it arrives over HTTPS,
    # so the header belongs in this server block, not in the port-80 one.
    add_header Strict-Transport-Security max-age=15768000;

    # Certificate chain path
    ssl_certificate /etc/letsencrypt/live/your_domain_name.com/fullchain.pem;
    # Private key path
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name.com/privkey.pem;
    # Protocol versions allowed for the TLS connection
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Allowed cipher suites; order matters, earlier entries have higher priority.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    # In an SSLv3 or TLSv1 handshake the client's preferred cipher is normally chosen;
    # with this enabled, the server's preference order wins instead.
    ssl_prefer_server_ciphers on;

}
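A post-deployment check, added here as an example and not part of the original post, that verifies what the certbot and nginx steps above are meant to guarantee: the served certificate covers both `-d` names, its remaining lifetime is above certbot's 30-day renewal threshold, port 80 answers with a 301 to https on one of the configured names, and an HSTS header is present over HTTPS. It uses only the Python standard library; the domain names are the post's placeholders and the live check assumes network access to the host.

```python
import http.client
import ssl
import time
from urllib.parse import urlsplit

RENEW_WINDOW_DAYS = 30  # certbot renew only acts when fewer than 30 days remain


def days_until_expiry(not_after, now_ts=None):
    """Whole days left, given the 'notAfter' string from getpeercert()."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)


def san_covers(cert, names):
    """True if every name passed to certbot -d is a DNS SAN on the served cert."""
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return set(names) <= sans


def redirects_to_https(status, headers, names):
    """True if port 80 answers 301 with a Location on one of our names over https."""
    loc = urlsplit(headers.get("Location", ""))
    return status == 301 and loc.scheme == "https" and loc.hostname in set(names)


def check_site(host, names):
    """Live check: one HEAD over https and one over http (network access assumed)."""
    https = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    https.request("HEAD", "/")
    resp = https.getresponse()
    cert = https.sock.getpeercert()  # chain already verified against the system CA store
    hsts = resp.getheader("Strict-Transport-Security")
    https.close()
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("HEAD", "/")
    r80 = plain.getresponse()
    report = {
        "days_left": days_until_expiry(cert["notAfter"]),
        "san_ok": san_covers(cert, names),
        "redirect_ok": redirects_to_https(r80.status, dict(r80.getheaders()), names),
        "hsts_ok": hsts is not None and "max-age=" in hsts,
    }
    plain.close()
    report["needs_renewal"] = report["days_left"] < RENEW_WINDOW_DAYS
    return report


if __name__ == "__main__":
    print(check_site("your_domain_name.com", ["your_domain_name.com", "www.your_domain_name.com"]))
```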