Using Let's Encrypt with NGINX on Ubuntu 18.04
Date: 2020-01-09 10:44:03 Source: igfitidea
Overview
In this tutorial we will learn how to use Let's Encrypt with NGINX to request a free certificate and automate the renewal process.
Let's Encrypt provides a tool called Certbot, whose purpose is to make certificate management easier and to help automate the process. Certbot is found in a PPA maintained by Let's Encrypt, which we need to install.
Installing the PPA
Let's Encrypt maintains an Ubuntu PPA that provides packages to simplify certificate management. The main tool, certbot, is designed to automate the configuration of Apache and Nginx and to manage the certificates that have been requested.
To add the Let's Encrypt PPA to Ubuntu, run the following commands.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
To install Certbot and the Nginx plugin, run the following command.
sudo apt-get install certbot python-certbot-nginx
Configuring NGINX and requesting a certificate
The NGINX plugin for Certbot will register a new certificate for us and then update the NGINX configuration. If we are not using the default enabled site, we can specify that we wish to update the configuration manually.
Run the certbot command with the nginx flag.
sudo certbot --nginx
If an email address has not yet been registered for the host, we will be prompted to enter one. After registering, we are asked to enter the domain name, or list of domain names, to add to the certificate.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your
domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
The hostname must be registered in DNS and resolvable. The IP address returned by DNS must also match the server's local IP address; Certbot validates this when requesting the certificate.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog2.rigpig.ca
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
If the request succeeds, we are asked whether we want Certbot to update NGINX automatically. As mentioned earlier, this configuration applies to the default site; any custom sites will need to be configured manually.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
The certificate is now installed and, if we chose automatic NGINX configuration, the server is ready to serve TLS.
Congratulations! You have successfully enabled https://blog2.rigpig.ca

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog2.rigpig.ca

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/blog2.rigpig.ca/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/blog2.rigpig.ca/privkey.pem
Your cert will expire on 2019-08-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of your
certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The configuration generated by Certbot will look similar to the following example. This is the basic server configuration for handling secure traffic on port 443; the paths to the certificates generated by Let's Encrypt are also added to the configuration.
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name blog2.rigpig.ca; # managed by Certbot

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blog2.rigpig.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog2.rigpig.ca/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
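Before running certbot --nginx, it helps to know which names the plugin will pick up from the configuration and whether each one already resolves to this host, the DNS precondition described above. The check below is an added example, not the tutorial's or Certbot's own code: it parses server_name directives such as the Certbot-managed one in the configuration shown and compares DNS answers against the server's addresses, which are passed on the command line. SAMPLE_CONF is a constructed snippet modeled on the tutorial's configuration.

```python
"""Pre-flight check before `certbot --nginx` (added example, not from the tutorial): list the
server_name entries Certbot would find in an NGINX config and verify each resolves to this host."""
import re
import socket
import sys
from typing import Callable, Dict, Iterable, List, Set

_COMMENT = re.compile(r"#.*")                           # also drops "# managed by Certbot"
_SERVER_NAME = re.compile(r"\bserver_name\s+([^;]+);")  # assumes one directive per line
# Constructed sample modeled on the tutorial's default site plus its Certbot-managed block.
SAMPLE_CONF = """
server { listen 80 default_server; server_name _; }
server {
    listen 443 ssl; # managed by Certbot
    server_name blog2.rigpig.ca www.blog2.rigpig.ca; # managed by Certbot
}
"""

def server_names(nginx_conf: str) -> List[str]:
    """Distinct hostnames, in order; the catch-all "_" and wildcard/regex names are skipped."""
    names: List[str] = []
    for line in nginx_conf.splitlines():
        for match in _SERVER_NAME.finditer(_COMMENT.sub("", line)):
            for name in match.group(1).split():
                if name != "_" and not name.startswith(("*", "~")) and name not in names:
                    names.append(name)
    return names

def resolve_all(host: str) -> Set[str]:
    """Default resolver: every A/AAAA address DNS returns for host, empty if none."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def check_names(names: Iterable[str], local_addrs: Iterable[str],
                resolver: Callable[[str], Set[str]] = resolve_all) -> Dict[str, str]:
    """'ok' if DNS points only at this host, 'unresolvable' if it has no record, else 'mismatch'."""
    local, report = set(local_addrs), {}
    for name in names:
        addrs = resolver(name)
        if not addrs:
            report[name] = "unresolvable"
        else:
            report[name] = "ok" if addrs <= local else "mismatch: " + ", ".join(sorted(addrs - local))
    return report

if __name__ == "__main__":  # usage: preflight.py /etc/nginx/sites-enabled/default <public-ip>...
    report = check_names(server_names(open(sys.argv[1]).read()), sys.argv[2:])
    print("\n".join(f"{host}: {verdict}" for host, verdict in report.items()))
```

A "mismatch" for a name means the http-01 challenge would be answered by some other host, so fix DNS before asking Certbot to validate it.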