NET::ERR_CERT_COMMON_NAME_INVALID https://lhlight.com


How do I send you zip, rar or .conf files?
The vhost is a .conf file.

diandiandongli.cn

```nginx
server
{
    listen 80;
    #listen [::]:80;
    server_name www.diandiandongli.cn diandiandongli.cn;
    return 301 https://www.diandiandongli.cn$request_uri;
}

server
{
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.diandiandongli.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.diandiandongli.cn/privkey.pem;

    # Note: check the certificate path above. If the certificate folder name under live does not contain www, delete "www." from the two lines above.

    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
    add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    index index.html index.htm index.php default.html default.htm default.php;
    server_name www.diandiandongli.cn;
    root /home/wwwroot/www.diandiandongli.cn;

    include wordpress.conf;
    #error_page 404 /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # never execute PHP from the uploads directory
    location /wp-content/uploads/ {
        location ~ .*\.(php)?$ {
            deny all;
        }
    }

    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }

    # deny dotfiles (.git, .htaccess, ...); the escaped dot matters, "/." would match every path
    location ~ /\.
    {
        deny all;
    }
    access_log off;
}
```

jaxseo.me

```nginx
server
{
    listen 80;
    #listen [::]:80;
    server_name www.jaxseo.me jaxseo.me;
    return 301 https://www.jaxseo.me$request_uri;
}

server
{
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.jaxseo.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.jaxseo.me/privkey.pem;

    # Note: check the certificate path above. If the certificate folder name under live does not contain www, delete "www." from the two lines above.

    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
    add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    index index.html index.htm index.php default.html default.htm default.php;
    server_name www.jaxseo.me;
    root /home/wwwroot/www.jaxseo.me;

    include wordpress.conf;
    #error_page 404 /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # never execute PHP from the uploads directory
    location /wp-content/uploads/ {
        location ~ .*\.(php)?$ {
            deny all;
        }
    }

    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }

    # deny dotfiles (.git, .htaccess, ...); the escaped dot matters, "/." would match every path
    location ~ /\.
    {
        deny all;
    }
    access_log off;
}
```

lhlights.com

```nginx
server
{
    listen 80;
    #listen [::]:80;
    server_name www.lhlights.com lhlights.com;
    return 301 https://www.lhlights.com$request_uri;
}

server
{
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.lhlights.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.lhlights.com/privkey.pem;

    # Note: check the certificate path above. If the certificate folder name under live does not contain www, delete "www." from the two lines above.

    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
    add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    index index.html index.htm index.php default.html default.htm default.php;
    server_name www.lhlights.com;
    root /home/wwwroot/www.lhlights.com;

    include wordpress.conf;
    #error_page 404 /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # never execute PHP from the uploads directory
    location /wp-content/uploads/ {
        location ~ .*\.(php)?$ {
            deny all;
        }
    }

    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }

    # deny dotfiles (.git, .htaccess, ...); the escaped dot matters, "/." would match every path
    location ~ /\.
    {
        deny all;
    }
    access_log off;
}
```

So now I have 2 issues:

1. When I view https://lhlights.com I get
NET::ERR_CERT_COMMON_NAME_INVALID

2. I can't install SSL on diandiandongli.cn.
Can you help me install SSL?

Thanks.

I can give you the VPS user + password.

In your port 443 server block for lhlights.com you have this:

```nginx
server_name www.lhlights.com;
```

But on port 80 you have this:

```nginx
server_name www.lhlights.com lhlights.com;
```

I think they should be the same and I think the one on port 80 is correct so you might try changing the other one to match it.

Your other domains also seem to have the same problem but I don't know if that's why you're having trouble with diandiandongli.cn. It might be.

You mean I should add lhlight as an attachment?

Thanks.


Yes, add lhlights.com after www.lhlights.com

Hi, jmorahan

Thanks a lot, it is very useful.

https://jaxseo.me

https://diandiandongli.cn

are OK.

But I have 2 more questions:
1. I want to set a 301 from https://diandiandongli.cn to https://www.diandiandongli.cn.
I wrote this rule in the conf,
but it can't be changed.

2. How will I increase the SSL valid date?
I follow this blog
and use cron.

I can use this way to set www.lhlights.com,

but I can't set the second or the third domain.

Thanks.


I believe the recommended way to do this with nginx is to create a second server block on port 443 so that the main one has just server_name diandiandongli.cn; and the new one has server_name www.diandiandongli.cn; and does the redirect. See ssl - Remove "www" and redirect to "https" with nginx - Server Fault for example.

The advice in that post does not really match up with our recommendations. We have provided a feature called certbot renew or certbot-auto renew (you may know that certbot and certbot-auto are the newer names for the programs previously called letsencrypt and letsencrypt-auto) which looks at all of the certificates in /etc/letsencrypt and attempts to renew any of them that are less than 1 month away from expiring. It uses the same authentication method that was used when each certificate was first obtained (for example, if you used --standalone when obtaining the certificate, then renew will also use --standalone for you).

The reason that this is preferred to the method suggested in the blog post is that they simply try to renew every certificate on the first day of every month. But if that fails randomly for some reason (for example if your server is not running at that time, or if there is a temporary network outage) twice in a row, the certificate might then expire. If you instead run certbot renew or certbot-auto renew every day, there are many more opportunities for it to succeed even if there is a temporary or random failure on one or more of the days when it would have tried to renew.

However, it's harder to test that this method is working correctly. The method in the blog post uses the option --renew-by-default, which was named in a confusing way and has now been renamed to --force-renewal (although the old form is still accepted by Certbot). This option causes Certbot to attempt to re-issue the specified certificate immediately (regardless of how close it is to expiring). Although we don't really recommend this in most circumstances, for example because it can cause you to encounter Let's Encrypt certificate issuance rate limits if you do it repeatedly, it's true that it's easier to test because you can see right away whether it worked.

Can you tell us which authentication method you've used for each certificate? Did you use --standalone, --nginx, --manual, or --webroot for each one? Are they all the same, or did you use different methods for some of the certificates?


You mean I need to move www.diandiandongli.cn behind diandiandongli.cn?

Right?

Hi, Schoen

Thank you for your detailed explanation.

I used the same way to install SSL:

I want to renew the valid date,

but I can't renew it if I follow his blog.

I understand your meaning.

I need to use your method.

How do I know which authentication method I used?
How will I use your way to update the valid date automatically?

Thanks.

No.

Remove diandiandongli.cn from that line.

Then add a new server block on port 443. Add server_name diandiandongli.cn; to the new server block, along with all your ssl directives and a redirect. Something like this I suppose:

```nginx
server
{
	listen 443 ssl http2;
	# the bare name lives here; the main block keeps only www.diandiandongli.cn
	server_name diandiandongli.cn;

	# I just copied your SSL directives
	ssl_certificate /etc/letsencrypt/live/www.diandiandongli.cn/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.diandiandongli.cn/privkey.pem;
	ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_stapling on;
	ssl_stapling_verify on;

	# redirect the bare domain to the www site, as asked above
	return 301 https://www.diandiandongli.cn$request_uri;
}
```

As one caution, instead of

ssl_ciphers “EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5”;

that should probably say

ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";

(with straight ASCII quotes, not curly “smart” quotes)
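Both problems raised in this thread (a name that is redirected to HTTPS on port 80 but missing from the port 443 `server_name`, and curly quotes around `ssl_ciphers`) can be caught before reloading nginx. The script below is an added example, not code from the thread or from Certbot; `SAMPLE_VHOST` is a constructed vhost modelled on the lhlights.com config above, and `parse_servers` and `lint_vhost` are names chosen here.

```python
import re

# Constructed sample modelled on the thread's lhlights.com vhost: both names on :80, only www on :443,
# and the curly quotes schoen warns about on ssl_ciphers.
SAMPLE_VHOST = """
server {
    listen 80;
    server_name www.lhlights.com lhlights.com;
    return 301 https://www.lhlights.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.lhlights.com;
    ssl_ciphers \u201cEECDH+AES128:RSA+AES128:!MD5\u201d;
}
"""
CURLY = "\u201c\u201d\u2018\u2019"  # smart quotes nginx does not treat as string delimiters

def parse_servers(text):
    """Return (listen ports, server names) for each top-level server block."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments so '#listen [::]:80;' is ignored
    servers = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # brace-match so nested location {} stay inside
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i]
        ports = {v.split()[0].rsplit(":", 1)[-1]  # '443 ssl http2' -> '443', '[::]:80' -> '80'
                 for v in re.findall(r"\blisten\s+([^;]+);", body)}
        names = set()
        for v in re.findall(r"\bserver_name\s+([^;]+);", body):
            names |= set(v.split())
        servers.append((ports, names))
    return servers

def lint_vhost(text):
    """Names redirected on :80 that no :443 block serves, plus curly quotes in ssl_ciphers."""
    names_80, names_443 = set(), set()
    for ports, names in parse_servers(text):
        if "443" in ports:
            names_443 |= names
        elif "80" in ports:
            names_80 |= names
    findings = [f"{n}: on :80 but in no :443 server_name, so nginx serves its default TLS "
                "server's certificate (NET::ERR_CERT_COMMON_NAME_INVALID)" for n in sorted(names_80 - names_443)]
    for v in re.findall(r"\bssl_ciphers\s+([^;]+);", text):
        if any(ch in CURLY for ch in v):
            findings.append("ssl_ciphers: curly quotes; nginx needs straight ASCII double quotes")
    return findings
```

Run `lint_vhost(open("/path/to/vhost.conf").read())` after editing and before `nginx -s reload`; an empty list means both names are served on 443 and the cipher string is quoted correctly.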


Argh, serves me right for copy-pasting without reading! (fixed, thanks!)

If you used this command

```bash
./certbot-auto certonly --standalone --email 2897xxx@qq.com -d www.example.com -d example.com
```

then your authentication method was standalone. This has a difficulty that it won't work for a renewal if the web server is running at the time of renewal. Certbot has a "hook" feature which can allow you to tell Certbot to stop the web server before the renewal and restart it afterward. Alternatively, you could use a different authentication method.

The link at

describes using cron to autorenew, although as I mentioned, not exactly the way we would recommend. We would recommend running certbot-auto renew at least once per day, at least once any hooks have been specified to Certbot that will allow the renew to succeed unattended (without human intervention or supervision).

Like this?


Sorry.

I copy-pasted my code below. Can you change it and then send me the whole thing?

```nginx
server
{
    listen 80;
    #listen [::]:80;
    server_name www.diandiandongli.cn diandiandongli.cn;
    return 301 https://www.diandiandongli.cn$request_uri;
}

server
{
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.diandiandongli.cn-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.diandiandongli.cn-0001/privkey.pem;

    # Note: check the certificate path above. If the certificate folder name under live does not contain www, delete "www." from the two lines above.

    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
    add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    index index.html index.htm index.php default.html default.htm default.php;
    server_name www.diandiandongli.cn diandiandongli.cn;
    root /home/wwwroot/diandiandongli.cn;

    include wordpress.conf;
    #error_page 404 /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # never execute PHP from the uploads directory
    location /wp-content/uploads/ {
        location ~ .*\.(php)?$ {
            deny all;
        }
    }

    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }

    # deny dotfiles (.git, .htaccess, ...); the escaped dot matters, "/." would match every path
    location ~ /\.
    {
        deny all;
    }
    access_log off;
}
```
