Ubuntu + Nginx + Let's Encrypt: setting up a free SSL/TLS certificate
About Let's Encrypt
To enable HTTPS on your website you need to obtain an SSL/TLS certificate from a certificate authority (CA).
Let's Encrypt is a certificate authority (CA). It is operated by the Internet Security Research Group (ISRG). Its major sponsors include the Electronic Frontier Foundation, the Mozilla Foundation, Akamai and Cisco. On April 9, 2015, ISRG and the Linux Foundation announced a partnership.
Today, obtaining a Let's Encrypt certificate is simple, automated and completely free.
Installation and configuration (the nginx service does not need to be stopped)
1. Install snap
If you do not have the necessary permissions, prefix each command with sudo
apt-get update
apt install snapd
snap install core; snap refresh core
2. Install certbot via snap
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
3. Request a certificate for your domains by hand (the --webroot method writes the ACME challenge file under /var/www/example/.well-known/acme-challenge/, so that path must be reachable over HTTP for every listed domain)
certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
On success it prints the following:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
4. Have certbot do a dry run of the renewal, and have nginx reload automatically once a certificate has been obtained
certbot renew --dry-run
certbot renew --renew-hook 'service nginx reload'
5. Check the list of timers to confirm the renewal timer is running
systemctl list-timers
It shows the following:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2022-05-16 16:09:00 CST 21min left Mon 2022-05-16 15:39:02 CST 8min ago phpsessionclean.timer phpsessionclean.service
Mon 2022-05-16 18:40:04 CST 2h 52min left Mon 2022-05-16 00:44:11 CST 15h ago motd-news.timer motd-news.service
Mon 2022-05-16 18:49:00 CST 3h 1min left Mon 2022-05-16 01:18:01 CST 14h ago snap.certbot.renew.timer snap.certbot.renew.service
Mon 2022-05-16 19:59:20 CST 4h 11min left Mon 2022-05-16 10:09:08 CST 5h 38min ago apt-daily.timer apt-daily.service
Tue 2022-05-17 00:00:00 CST 8h left Mon 2022-05-16 00:00:00 CST 15h ago logrotate.timer logrotate.service
Tue 2022-05-17 00:00:00 CST 8h left Mon 2022-05-16 00:00:00 CST 15h ago man-db.timer man-db.service
Tue 2022-05-17 06:16:34 CST 14h left Mon 2022-05-16 06:53:05 CST 8h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Tue 2022-05-17 13:38:50 CST 21h left Mon 2022-05-16 13:38:50 CST 2h 8min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2022-05-23 00:00:00 CST 6 days left Mon 2022-05-16 00:00:00 CST 15h ago fstrim.timer fstrim.service
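Steps 3 to 5 give you a certificate, a renewal hook and a timer, but nothing in the guide verifies the result. The POSIX shell script below is an added example (not part of the original guide and not certbot's own code) that checks the three things a practitioner wants to know afterwards: that the issued certificate covers every hostname you asked for, how many days remain before it expires (certbot's own `renew` acts when fewer than 30 remain, which the script mirrors), and that snap.certbot.renew.timer is actually scheduled. It assumes openssl 1.1.1 or newer and GNU date as shipped with Ubuntu, and the /etc/letsencrypt/live/<name>/ layout shown above; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Post-issuance checks for a Let's Encrypt certificate (added example).
# Assumes openssl >= 1.1.1, GNU date (coreutils) and systemd, as on Ubuntu.

# Whole days from $2 (default: now) to $1, both in openssl's notAfter
# format, e.g. "Aug 14 08:18:01 2022 GMT" (constructed sample value).
days_between() {
    end=$(date -u -d "$1" +%s) || return 1
    if [ -n "$2" ]; then now=$(date -u -d "$2" +%s); else now=$(date -u +%s); fi
    echo $(( (end - now) / 86400 ))
}

# certbot renews a lineage when fewer than 30 days remain; same threshold here.
needs_renewal() {   # $1 = days left
    [ "$1" -lt 30 ]
}

# $1 = SAN text as printed by openssl ("DNS:example.com, DNS:www.example.com"),
# remaining args = hostnames that must be covered. Prints the missing ones;
# empty output means every hostname is in the certificate.
missing_sans() {
    sans=$(printf '%s' "$1" | tr -d ' \n\t'); shift
    for h in "$@"; do
        case ",$sans," in
            *",DNS:$h,"*) ;;
            *) echo "$h" ;;
        esac
    done
}

# $1 = output of `systemctl list-timers`, $2 = timer unit name.
# Succeeds only if the unit is listed with a real NEXT time ("n/a" or "-"
# in the NEXT column means the timer is not scheduled).
timer_scheduled() {
    printf '%s\n' "$1" | awk -v unit="$2" '
        index($0, unit) && $1 != "n/a" && $1 != "-" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 = lineage name (directory under /etc/letsencrypt/live/),
# remaining args = hostnames the certificate must cover.
check_certificate() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    # fullchain.pem starts with the leaf certificate, which is what x509 reads.
    end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    left=$(days_between "$end")
    echo "$1: expires $end ($left days left)"
    if needs_renewal "$left"; then echo "renewal is due: run 'certbot renew'"; fi
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName | grep 'DNS:')
    shift
    m=$(missing_sans "$sans" "$@")
    [ -z "$m" ] || { echo "not covered by the certificate: $m" >&2; return 1; }
    if timer_scheduled "$(systemctl list-timers --all 2>/dev/null)" snap.certbot.renew.timer; then
        echo "snap.certbot.renew.timer is scheduled"
    else
        echo "snap.certbot.renew.timer is not scheduled" >&2; return 1
    fi
}

# Usage: sh check-cert.sh example.com example.com www.example.com
if [ "$#" -ge 2 ]; then check_certificate "$@"; fi
```

The first argument is the lineage name (the directory certbot created), the rest are the hostnames from the certbot command in step 3. Note that a script placed in /etc/letsencrypt/renewal-hooks/deploy/ runs after every successful renewal, whichever way `certbot renew` was invoked; that is the durable place for the `service nginx reload` hook from step 4.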
6. Configure the nginx site
server {
    listen 80;
    server_name example.com www.example.com;
    # Redirect every HTTP request to HTTPS on the canonical host, keeping the path.
    # $request_uri already begins with "/", so no extra slash is inserted
    # (rewrite ^(.*) https://example.com/$1 would produce a double slash).
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/example;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.2 (and TLSv1.3) is sufficient today.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    index index.html index.php index.htm;
}
7. Test the configuration, reload nginx, and you are done
Test the configuration
nginx -t
It shows the following:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Once the configuration file has passed the test, reload nginx
nginx -s reload
Your site can now be reached over HTTPS, and requests to the old HTTP address are redirected to HTTPS automatically.
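Steps 6 and 7 combined into one script, as an added example that is not code from the guide or from the nginx project: it renders a site configuration for the lineage obtained in step 3, writes it to nginx's sites-available/ directory, enables it, and reloads nginx only after `nginx -t` passes (the symlink is removed again if the test fails, so a bad file never stays live). Compared with the configuration above it restricts TLS to 1.2/1.3 with AEAD suites only (TLS 1.0/1.1 are deprecated by RFC 8996, RC4 by RFC 7465), enables OCSP stapling using the chain.pem that certbot writes beside fullchain.pem, adds HSTS, and keeps /.well-known/acme-challenge/ reachable over plain HTTP so the webroot renewals from step 4 keep working. The Debian/Ubuntu sites-available/sites-enabled layout, the webroot /var/www/example and the /etc/letsencrypt/live/<host>/ paths are assumptions.

```shell
#!/bin/sh
# Render, validate and enable a hardened nginx site for a Let's Encrypt
# lineage (added example). Assumes the Debian/Ubuntu nginx layout and the
# certbot paths used in the guide.

# Prints the server blocks. $1 = primary host (also the lineage name),
# $2 = webroot, remaining args = additional hostnames on the certificate.
render_site_conf() {
    host=$1; webroot=$2; shift 2
    cat <<EOF
server {
    listen 80;
    server_name $host $*;
    # ACME HTTP-01 challenges must stay reachable over plain HTTP.
    location /.well-known/acme-challenge/ {
        root $webroot;
    }
    # Everything else goes to HTTPS on the canonical host; \$request_uri
    # keeps the original path and query without adding a slash.
    location / {
        return 301 https://$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name $host $*;
    root $webroot;
    index index.html index.php index.htm;

    ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;

    # TLS 1.2/1.3 only, forward-secret AEAD suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    ssl_session_tickets off;

    # OCSP stapling; chain.pem is written by certbot next to fullchain.pem.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$host/chain.pem;

    # HSTS: enable once HTTPS is known to work for every hostname above.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Same arguments as render_site_conf. Writes the file, enables it, and
# reloads nginx only if the whole configuration passes `nginx -t`.
install_site() {
    target="/etc/nginx/sites-available/$1"
    link="/etc/nginx/sites-enabled/$1"
    render_site_conf "$@" > "$target"
    ln -sf "$target" "$link"
    if nginx -t; then
        nginx -s reload
    else
        rm -f "$link"
        echo "nginx -t failed; $target written but left disabled" >&2
        return 1
    fi
}

# Usage: sh install-site.sh example.com /var/www/example www.example.com
if [ "$#" -ge 2 ]; then install_site "$@"; fi
```

Both hostnames are served on port 443 here; if you want www.example.com to redirect to the bare domain over HTTPS as well, the certificate already covers it, so a second 443 server block with the same `return 301` will do it.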