<div dir="ltr">Thanks for the replies. We cannot use other certificates. There is only one. That is the condition. <div>A recommendation was given here, but it does not work: <a href="https://forum.nginx.org/read.php?2,270269,270271#msg-270271">https://forum.nginx.org/read.php?2,270269,270271#msg-270271</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-10-14 15:29 GMT+03:00 Gena Makhomed <span dir="ltr"><<a href="mailto:gmm@csdoc.com" target="_blank">gmm@csdoc.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 14.10.2016 13:16, avk wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We cannot use subdomains,<br>
because there is no wildcard certificate. Maybe there are some ideas?<br>
</blockquote>
<br>
<a href="https://letsencrypt.org/" rel="noreferrer" target="_blank">https://letsencrypt.org/</a> - free SSL certificates.<br>
<br>
nginx config:<br>
<br>
location /.well-known/acme-challenge {<br>
default_type text/plain;<br>
root /opt/letsencrypt;<br>
}<br>
<br>
obtaining the certificate:<br>
<br>
#!/bin/bash<br>
<br>
OPT="-a webroot --webroot-path=/opt/letsencrypt --agree-dev-preview"<br>
/opt/letsencrypt/letsencrypt-auto $OPT certonly -d example.com -d www.example.com<br>
<br>
renewing the certificate: (run from cron)<br>
<br>
#!/bin/sh<br>
<br>
if ! /opt/letsencrypt/letsencrypt-auto renew -nvv --webroot --webroot-path=/opt/letsencrypt > /var/log/letsencrypt/renew.log 2>&1 ; then<br>
echo Automated renewal failed:<br>
cat /var/log/letsencrypt/renew.log<br>
fi<br>
<br>
systemctl reload nginx<br>
<br>
exit<br>
<br>
usage:<br>
<br>
listen 11.22.33.44:443 ssl http2;<br>
<br>
server_name www.example.com example.com;<br>
<br>
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;<br>
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;<br>
<br>
# <a href="https://gist.github.com/plentz/6737338" rel="noreferrer" target="_blank">https://gist.github.com/plentz/6737338</a><br>
# <a href="http://tautt.com/best-nginx-configuration-for-security/" rel="noreferrer" target="_blank">http://tautt.com/best-nginx-configuration-for-security/</a><br>
add_header Strict-Transport-Security "max-age=31536000" always;<br>
add_header X-XSS-Protection "1; mode=block";<br>
add_header X-Content-Type-Options nosniff;<br>
add_header X-Frame-Options DENY;<br>
<br>
verification:<br>
<br>
<a href="https://www.ssllabs.com/ssltest/" rel="noreferrer" target="_blank">https://www.ssllabs.com/ssltest/</a><span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Best regards,<br>
Gena<br>
<br>
_______________________________________________<br>
nginx-ru mailing list<br>
<a href="mailto:nginx-ru@nginx.org" target="_blank">nginx-ru@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-ru" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-ru</a></font></span></blockquote></div><br></div>
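<div>Added example, not part of the original thread: a shell check for the four security headers set in the quoted nginx config, run over constructed response-header samples. In nginx, add_header without the "always" parameter applies only to a fixed set of success and redirect status codes, so of the headers in that config only Strict-Transport-Security appears on an error response such as a 404. The function names and the sample responses are assumptions made for this example.</div>

```bash
#!/bin/sh
# Added example, not from the thread: audit saved response headers for the
# four security headers set by the quoted nginx config.

REQUIRED_HEADERS="Strict-Transport-Security X-XSS-Protection X-Content-Type-Options X-Frame-Options"

# Read raw response headers on stdin (for example saved `curl -sI` output) and
# print the required headers that are absent, space separated.
# Header names are case-insensitive, so everything is lowercased first.
# The body runs in a subshell so its variables stay local.
missing_headers() (
    raw=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=""
    for name in $REQUIRED_HEADERS; do
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$raw" | grep -q "^${lower}:"; then
            missing="${missing:+$missing }$name"
        fi
    done
    printf '%s' "$missing"
)

# Print the HSTS max-age in seconds, or nothing if the header is absent.
hsts_max_age() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample: a 200 response from a server using the quoted config.
SAMPLE_200='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY'

# Constructed sample: a 404 from the same server. Only the header declared
# with "always" is added to an error response.
SAMPLE_404='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000'

for sample in "$SAMPLE_200" "$SAMPLE_404"; do
    status=$(printf '%s\n' "$sample" | head -n 1)
    miss=$(printf '%s\n' "$sample" | missing_headers)
    age=$(printf '%s\n' "$sample" | hsts_max_age)
    echo "$status | missing: ${miss:-none} | HSTS max-age: ${age:-absent}"
done
```

<div>To check a live site, pipe the output of curl -sI for both an existing and a non-existent URL into missing_headers.</div>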