CentOS-related, personal notes

Requesting a Free Certificate

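Installing the SSL Certificate
Once the reboot has finished, all services are up and running. At this point every TLS/SSL certificate on the server is self-signed, so browsers and mail clients will warn about an untrusted certificate when they connect. We need to obtain a commercial SSL certificate. Here we configure SSL using a free Let's Encrypt certificate as the example.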

apt-get install certbot
If your Ubuntu version is 18.04, run the following two lines before the command above:

apt install software-properties-common
add-apt-repository ppa:certbot/certbot
Then you can request the free Let's Encrypt certificate:

certbot certonly --webroot -d astock.eu.org -w /var/www/html/
For this domain, the generated certificate is at /etc/letsencrypt/live/astock.eu.org/fullchain.pem and the private key is at /etc/letsencrypt/live/astock.eu.org/privkey.pem.

Once the certificate has been issued, we first configure Nginx.
server {
    listen 443 ssl;
    ssl_session_timeout 5m;
    # Certificate chain and private key at the paths certbot generated
    ssl_certificate /etc/letsencrypt/live/astock.eu.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/astock.eu.org/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    server_name astock.eu.org;
    root /var/www/html/astock;
    error_log /var/log/nginx/astock_error.log;
    access_log /var/log/nginx/astock_access.log;

    location / {
        index index.html index.htm index.php;
    }
    client_max_body_size 1024M;
    # Escape the dot so that only URIs ending in a literal ".php" reach PHP
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name astock.eu.org;
    rewrite ^/(.*) https://$server_name$request_uri? permanent;
}

After saving, reload the Nginx configuration:

service nginx reload
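
The TLS-related settings of a server block like the one above can be checked before each reload. The script below is an added example, not part of the original notes; the function names, the two sample configs and the example.org domain are constructed for illustration.

```python
import re

# TLS 1.0/1.1 were deprecated by RFC 8996; SSLv2/SSLv3 are older and also unsafe.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LIVE_DIR = "/etc/letsencrypt/live/"  # directory certbot updates on renewal

def directives(conf):
    """Yield (name, args) for each 'name args;' or 'name args {' line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"^(\w+)\s+(.*?)\s*[;{]$", line)
        if m:
            yield m.group(1), m.group(2)

def audit(conf):
    """Return a list of findings for the TLS-related settings in conf."""
    findings = []
    for name, args in directives(conf):
        if name == "ssl_protocols":
            weak = sorted(DEPRECATED & set(args.split()))
            if weak:
                findings.append("ssl_protocols enables deprecated " + " ".join(weak))
        elif name in ("ssl_certificate", "ssl_certificate_key") and not args.startswith(LIVE_DIR):
            findings.append(f"{name} {args} is outside {LIVE_DIR}")
        # An unescaped '.' in a regex location matches any character, not a literal dot.
        elif name == "location" and args.startswith("~") and re.search(r"(?<!\\)\.\w", args):
            findings.append(f"location regex '{args}' has an unescaped dot")
    return findings

# Constructed sample inputs; example.org is a placeholder domain.
WEAK = r"""
server {
    ssl_certificate /etc/nginx/cert/example.org.cert;
    ssl_certificate_key /etc/nginx/cert/example.org.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    location ~ .php$ {
    }
}
"""
HARDENED = r"""
server {
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location ~ \.php$ {
    }
}
"""
if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "no findings")
```

A certificate path outside /etc/letsencrypt/live/ is reported because certbot renews the files in that directory, so a copy kept elsewhere goes stale unless it is refreshed after each renewal.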
