注:因为是单个域名下的多个二级域名下的ssl配置,所以需要购买通配置型的ssl证书(之前购买的标准ssl证书只支持主域名)
服务器环境为centos7.8
服务器生成key
openssl req -new -newkey rsa:2048 -nodes -keyout name.key -out name.csr -subj "/CN=top-news.你的域名.com"
目录地下会生成name.csr name.key
cat name.csr
可以复制到 https://www.ssldun.com/tools/csr-decoder.php#results 进行解码,这一步只是查看自己加密的信息,没有其他作用
将csr复制到 godaddy
提交csr之后灯带审核下载证书,下载下来的证书如下,我们将crt合并一下
cat 871d9fca49b3655b gd_bundle-g2-g1.crt >> top-news.xxx.crt
然后配置nginx,以下是我的宝塔配置
nginx文件配置示例
listen 443 ssl http2;
server_name top-news.xxx.com www.xxx.com;
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/test;
#SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
#error_page 404/404.html;
ssl_certificate /www/xx/topnew.xxx.crt;
ssl_certificate_key /www/xx/name.key;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";
error_page 497 https://$host$request_uri;