Ubuntu + Nginx + Let's Encrypt: setting up a free SSL/TLS certificate

About Let's Encrypt

To enable HTTPS on your website, you need an SSL/TLS certificate issued by a certificate authority (CA).

Let's Encrypt is a certificate authority (CA). It is operated by the Internet Security Research Group (ISRG). Its major sponsors include the Electronic Frontier Foundation, the Mozilla Foundation, Akamai and Cisco. On 9 April 2015, ISRG and the Linux Foundation announced a partnership.

Today, obtaining a Let's Encrypt certificate is simple, automated and completely free.

Installation and configuration (the nginx service does not need to be stopped)

1. Install snap

If you are not running as root, prefix each command with sudo.
apt-get update
apt install snapd
snap install core; snap refresh core

2. Install certbot via snap

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

3. Request a certificate for your domains manually

certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
On success, certbot prints the following:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem

4. Let certbot renew the certificate automatically and reload nginx after each renewal

certbot renew --dry-run
certbot renew --renew-hook 'service nginx reload'
The --dry-run exercises the whole renewal path against the Let's Encrypt staging environment without touching the live certificate; the second command attaches a hook that reloads nginx after a successful renewal, so the renewed certificate is served without downtime (recent certbot releases name this option --deploy-hook; --renew-hook is still accepted as an alias).

5. Check the systemd timer list to confirm the renewal runs on schedule

systemctl list-timers
The output looks like this; the relevant entry is snap.certbot.renew.timer:
NEXT                        LEFT          LAST                        PASSED        UNIT                         ACTIVATES                     
Mon 2022-05-16 16:09:00 CST 21min left    Mon 2022-05-16 15:39:02 CST 8min ago      phpsessionclean.timer        phpsessionclean.service       
Mon 2022-05-16 18:40:04 CST 2h 52min left Mon 2022-05-16 00:44:11 CST 15h ago       motd-news.timer              motd-news.service             
Mon 2022-05-16 18:49:00 CST 3h 1min left  Mon 2022-05-16 01:18:01 CST 14h ago       snap.certbot.renew.timer     snap.certbot.renew.service    
Mon 2022-05-16 19:59:20 CST 4h 11min left Mon 2022-05-16 10:09:08 CST 5h 38min ago  apt-daily.timer              apt-daily.service             
Tue 2022-05-17 00:00:00 CST 8h left       Mon 2022-05-16 00:00:00 CST 15h ago       logrotate.timer              logrotate.service             
Tue 2022-05-17 00:00:00 CST 8h left       Mon 2022-05-16 00:00:00 CST 15h ago       man-db.timer                 man-db.service                
Tue 2022-05-17 06:16:34 CST 14h left      Mon 2022-05-16 06:53:05 CST 8h ago        apt-daily-upgrade.timer      apt-daily-upgrade.service     
Tue 2022-05-17 13:38:50 CST 21h left      Mon 2022-05-16 13:38:50 CST 2h 8min ago   systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service          
Mon 2022-05-23 00:00:00 CST 6 days left   Mon 2022-05-16 00:00:00 CST 15h ago       fstrim.timer                 fstrim.service 

6. Configure nginx

server {
	listen 80;
	server_name example.com www.example.com;
	# Send every plain-HTTP request to HTTPS. The ACME HTTP-01 check follows this
	# redirect, so webroot renewals keep working. The match starts after the leading
	# "/" of the URI; matching ^(.*) would capture it and produce https://example.com//path.
	rewrite ^/(.*) https://example.com/$1 permanent;
}

server {
	listen 443 ssl http2;
	server_name example.com;
	root /var/www/example;
	# fullchain.pem (leaf + intermediate), never cert.pem alone, or clients cannot build the chain
	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
	# Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); modern OpenSSL builds ship without
	# RC4, so the RC4 entries in the cipher list below are simply ignored.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 60m;
	index index.html index.php index.htm;
}
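For comparison, here is a hardened variant of the same two server blocks. It is an added example and not part of the original post: it drops TLS 1.0/1.1 and the RC4/CBC suites, enables OCSP stapling with the chain.pem that certbot writes next to fullchain.pem, and adds HSTS. The domain and /etc/letsencrypt paths are the same placeholders as above; the resolver address is an assumption (Ubuntu's systemd-resolved stub).

```nginx
# Added hardened variant of the walkthrough's two server blocks (example, not the original config).
server {
	listen 80;
	listen [::]:80;
	server_name example.com www.example.com;
	# return is simpler than rewrite here: $request_uri already starts with "/" and keeps the query string
	return 301 https://example.com$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name example.com;
	root /var/www/example;
	index index.html index.php index.htm;

	ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

	# TLS 1.0/1.1 are deprecated (RFC 8996); TLS 1.3 is used when nginx is built against OpenSSL 1.1.1 or newer
	ssl_protocols TLSv1.2 TLSv1.3;
	# Forward-secret AEAD suites only for TLS 1.2 (TLS 1.3 suites are selected by OpenSSL itself)
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
	# With an AEAD-only list the client may pick (e.g. ChaCha20 on devices without AES hardware)
	ssl_prefer_server_ciphers off;

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 1d;
	# Session tickets reuse one long-lived key across sessions; disable them to keep forward secrecy intact
	ssl_session_tickets off;

	# OCSP stapling; chain.pem is written by certbot alongside fullchain.pem
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
	# Assumption: the systemd-resolved stub resolver; use your own DNS server if different
	resolver 127.0.0.53 valid=300s;

	# HSTS for one year; add includeSubDomains only once every subdomain serves valid TLS
	add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Keep the renewal hook from step 4 as it is: nginx reads the certificate files only at (re)load time, so the reload after each renewal is still required with this configuration.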

7. Test the configuration, reload nginx, done

Test the configuration:
nginx -t
It prints:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Once the configuration file passes the test, reload nginx:
nginx -s reload

Your site is now reachable over HTTPS, and requests to the old HTTP address are automatically redirected to HTTPS.
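To confirm the result, the following script checks what this walkthrough set up: it performs a TLS handshake with full chain verification (which fails if cert.pem was served instead of fullchain.pem), reports how many days the certificate has left so a stalled renewal timer shows up, and inspects the HTTP-to-HTTPS redirect for both hostnames, including the doubled-slash mistake a `rewrite ^(.*)` rule would produce. It is an added example, not part of the original post; the hostname and path are placeholders passed on the command line.

```python
"""Post-deployment checks for the HTTPS setup above (added example, not from the
original post). Hostname and paths are placeholders; the network helpers talk to
the real server, the pure helpers implement the checks."""
import http.client
import socket
import ssl
import sys
import time
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Let's Encrypt certificates last 90 days and certbot renews once fewer than 30
# remain; a live certificate below that threshold means the timer or hook failed.
RENEWAL_THRESHOLD_DAYS = 30


def cert_time_to_epoch(cert_time: str) -> int:
    """Parse the 'notAfter' format returned by getpeercert(), e.g. 'Aug 14 13:38:50 2022 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days left on a certificate; negative once it has expired."""
    if now_epoch is None:
        now_epoch = time.time()
    return int((cert_time_to_epoch(not_after) - now_epoch) // 86400)


def check_redirect(status: int, location: Optional[str], canonical_host: str, path: str) -> List[str]:
    """Return the problems found in an HTTP -> HTTPS redirect response for `path`.

    An empty list means: permanent redirect, https scheme, the canonical host, and
    the requested path kept intact. A `rewrite ^(.*) https://host/$1` rule yields
    '//path' because the matched URI already starts with '/'; that is caught here.
    """
    problems: List[str] = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect, got HTTP {status}")
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if target.hostname != canonical_host:
        problems.append(f"redirect goes to {target.hostname!r}, expected {canonical_host!r}")
    if target.path != path:
        problems.append(f"path altered by redirect: {target.path!r} (requested {path!r})")
    return problems


def fetch_not_after(host: str, port: int = 443) -> str:
    """TLS handshake with chain verification against the system trust store.

    Serving cert.pem instead of fullchain.pem fails here with a verification
    error, because Python does not fetch the missing intermediate on its own.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def fetch_redirect(host: str, path: str, port: int = 80) -> Tuple[int, Optional[str]]:
    """Plain-HTTP GET without following redirects; returns (status, Location header)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    left = days_until_expiry(fetch_not_after(host))
    flag = " (renewal overdue!)" if left < RENEWAL_THRESHOLD_DAYS else ""
    print(f"{host}: certificate valid for {left} more days{flag}")
    for name in (host, "www." + host):
        status, location = fetch_redirect(name, "/some/page")
        problems = check_redirect(status, location, host, "/some/page")
        print(f"http://{name}/some/page -> {location}: {'ok' if not problems else '; '.join(problems)}")
```

Run it as `python3 check_https.py example.com` from a machine outside the server. Running it from a cron job a few days before the 30-day renewal mark gives an early warning when the snap timer or the reload hook has silently stopped working.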
