How to configure Nginx with Let's Encrypt on Debian/Ubuntu Linux
Date: 2019-11-20 08:53:45 Source: igfitidea
How do I configure an HTTPS site in Nginx?
How do I secure an Nginx web server with a free Let's Encrypt SSL certificate on an Ubuntu Linux 14.04/16.04 LTS or Debian Linux 8.x/9.x server?
How do I move an Nginx site from HTTP to HTTPS?
How do I install an SSL certificate for Nginx?
How do I install a Let's Encrypt SSL certificate on an Nginx server?
Configuration notes
- Default Nginx configuration file: /etc/nginx/sites-available/default
- Nginx SSL certificate directory: /etc/nginx/ssl/theitroad.test/
- Nginx DocumentRoot path: /var/www/html/
- Nginx TLS/SSL port: 443
- Domain name: theitroad.test
- Public IP: 171.7.19.22
Install acme.sh
First, install the git, bc, wget, curl and socat packages with the apt-get or apt command:
$ sudo apt-get install git bc wget curl socat
Clone the acme.sh client:
$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git
Install the acme.sh client on your system (sudo -i changes the working directory to /root, so change back into the clone before running the installer):
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install
Add the following line to root's ~/.bashrc file:
. "$HOME/.acme.sh/acme.sh.env"
Log in again, or run the following command as root so the alias takes effect (source is a shell builtin, so it cannot be run through sudo):
# source ~/.bashrc
Test it:
$ sudo -i
# acme.sh
Create the /.well-known/acme-challenge/ directory
# mkdir -vp /var/www/html/.well-known/acme-challenge/
# chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/
# chmod -R 0555 /var/www/html/.well-known/acme-challenge/
Create the directory that holds the SSL certificate
# mkdir -p /etc/nginx/ssl/theitroad.test/
Generate the dhparams.pem file
Run the following commands to create the dhparams.pem file:
# cd /etc/nginx/ssl/theitroad.test/
A 4096-bit group is recommended:
# openssl dhparam -out dhparams.pem 4096
Or generate the dhparams faster using DSA-style parameters:
# openssl dhparam -out dhparams.pem -dsaparam 4096
Issue a certificate for the theitroad.test domain
The syntax is as follows:
acme.sh --issue -w /DocumentRootPath/ -d example.com
acme.sh --issue -w /DocumentRootPath/ -d www.bar.com -d bar.com
acme.sh --issue -w /path/to/www/htmlRoot/ -d example.com -k 2048
Where:
- --issue: issue a new certificate.
- -w /DocumentRootPath/: specify the web root folder.
- -d example.com: specify a domain, used for issuing, renewing or revoking certificates, etc. Can be given multiple times.
- -k 2048: specify the length of the domain key. The default length is 2048.
Issue a certificate for theitroad.test and www.theitroad.test:
# acme.sh --issue -w /var/www/html -d theitroad.test -d www.theitroad.test
Or, with the key length set to 4096:
# acme.sh --issue -w /var/www/html -d theitroad.test -d www.theitroad.test -k 4096
Configure TLS/SSL on the Nginx web server
Edit nginx.conf or /etc/nginx/sites-available/default:
# vi /etc/nginx/sites-available/default
Reference configuration:
server {
    ## "ssl on;" is deprecated in current nginx; enabling TLS on the listen directive is equivalent
    listen 171.7.19.22:443 ssl http2;
    server_name theitroad.test;
    ssl_certificate /etc/nginx/ssl/theitroad.test/theitroad.test.cer;
    ssl_certificate_key /etc/nginx/ssl/theitroad.test/theitroad.test.key;
    ssl_session_timeout 30m;
    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3) unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/theitroad.test/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ## (the /var/log/nginx/theitroad.test/ directory must exist, or nginx -t fails)
    access_log /var/log/nginx/theitroad.test/ssl_access.log;
    error_log /var/log/nginx/theitroad.test/ssl_error.log;
    #-------- END SSL config -------##
    ### other configuration
}
Install the issued certificate on the Nginx web server
Run the following command:
# acme.sh --installcert -d theitroad.test \
    --keypath /etc/nginx/ssl/theitroad.test/theitroad.test.key \
    --fullchainpath /etc/nginx/ssl/theitroad.test/theitroad.test.cer \
    --reloadcmd 'systemctl reload nginx'
Or:
# acme.sh --install-cert -d theitroad.test \
    --key-file /etc/nginx/ssl/theitroad.test/theitroad.test.key \
    --fullchain-file /etc/nginx/ssl/theitroad.test/theitroad.test.cer \
    --reloadcmd 'systemctl reload nginx'
Where:
- --install-cert: install the issued certificate for the nginx server.
- -d theitroad.test: specify a domain, used for issuing, renewing or revoking certificates, etc.
- --key-file /etc/nginx/ssl/theitroad.test/theitroad.test.key: after issue/renew, the key is copied to this path.
- --fullchain-file /etc/nginx/ssl/theitroad.test/theitroad.test.cer: after issue/renew, the full-chain certificate is copied to this path.
- --reloadcmd 'systemctl reload nginx': after issue/renew, the command used to reload the server.
Set up the UFW firewall
Run the following ufw command to open TCP port 443:
# ufw allow proto tcp from any to 171.7.19.22 port 443
Test it
Enter the following URL in a browser:
https://theitroad.test
How do I upgrade the acme.sh client?
# acme.sh --upgrade
How do I renew the certificate?
Run the following command:
# acme.sh --renew -d theitroad.test
Set up a scheduled task to renew the certificate automatically
Add a scheduled task to the crontab:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
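The following script is an added example, not code from the original article or from acme.sh. It lints the server block above for the settings the article relies on (no deprecated "ssl on;", no TLSv1/TLSv1.1, OCSP stapling, HSTS header, ssl_dhparam) and warns when the installed certificate is close to expiry, which is how you notice a broken renewal cron job before clients do. The default paths are the article's and are assumptions; override them through the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the article or acme.sh): check the Nginx TLS server
# block and the installed certificate. Default paths follow the article and
# are assumptions; set SITE_CONF / CERT_FILE to override them.
set -u

SITE_CONF="${SITE_CONF:-/etc/nginx/sites-available/default}"
CERT_FILE="${CERT_FILE:-/etc/nginx/ssl/theitroad.test/theitroad.test.cer}"

# Print one line per weak or missing directive; return the number of findings.
check_tls_config() {
    local conf="$1" body findings=0
    body=$(sed 's/#.*$//' "$conf")        # ignore commented-out directives
    if printf '%s\n' "$body" | grep -qE '^\s*ssl\s+on\s*;'; then
        echo "WARN: 'ssl on;' is deprecated, use 'listen ... ssl http2;' instead"
        findings=$((findings + 1))
    fi
    # Matches TLSv1 or TLSv1.1 only; TLSv1.2 / TLSv1.3 are not flagged.
    if printf '%s\n' "$body" | grep -E '^\s*ssl_protocols' | grep -qE 'TLSv1(\.1)?(\s|;)'; then
        echo "WARN: ssl_protocols still allows TLSv1/TLSv1.1 (deprecated, RFC 8996)"
        findings=$((findings + 1))
    fi
    printf '%s\n' "$body" | grep -qE '^\s*ssl_stapling\s+on\s*;' ||
        { echo "WARN: OCSP stapling is not enabled"; findings=$((findings + 1)); }
    printf '%s\n' "$body" | grep -qE 'add_header\s+Strict-Transport-Security' ||
        { echo "WARN: no Strict-Transport-Security header"; findings=$((findings + 1)); }
    printf '%s\n' "$body" | grep -qE '^\s*ssl_dhparam\s' ||
        { echo "WARN: no ssl_dhparam, DHE ciphers fall back to default parameters"; findings=$((findings + 1)); }
    return "$findings"
}

# Return 0 (true) when the certificate expires within $2 days, else 1.
# openssl -checkend exits 0 when the cert is still valid after the window.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

if [ "${1:-}" = "--run" ]; then
    check_tls_config "$SITE_CONF"; echo "config findings: $?"
    if cert_expires_within "$CERT_FILE" 30; then
        echo "WARN: $CERT_FILE expires within 30 days, check the acme.sh cron job"
    fi
fi
```

Run it as root with --run after the certificate has been installed; a non-zero finding count or the expiry warning means the server block or the renewal job needs attention.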