Step 4: Configure nginx to use the certificates

Once the free certificates have been obtained, nginx must be configured to use them.
Open the nginx default site configuration file.

sudo nano /etc/nginx/sites-available/default

Modify the configuration as follows:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com www.example.com;
        # Redirect all plain-HTTP requests to HTTPS
        return 301 https://$server_name$request_uri;
}
server {
        #listen 80 default_server;
        #listen [::]:80 default_server;
        # SSL configuration
        #
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        #
        #
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); on nginx/OpenSSL builds
        # that support it, prefer "ssl_protocols TLSv1.2 TLSv1.3;"
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        root /var/www/html;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
        server_name example.com www.example.com;
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
        # Keep the ACME challenge path reachable for certificate issuance and renewal
        location ~ /.well-known {
                allow all;
        }
. . .

Check the nginx configuration:

sudo nginx -t
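`nginx -t` only validates syntax. As an added example (not part of the tutorial), the following Python script audits the TLS directives of a server block like the one above against an assumed hardening policy: it flags deprecated protocol versions, missing stapling/session-ticket settings, gzip inside the TLS block, and a certificate path that is not `fullchain.pem`. The policy values and the sample blocks are constructed for this example.

```python
import re

# Assumed policy (not from the tutorial): versions to flag and directives to require.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED = {"ssl_session_tickets": "off", "ssl_stapling": "on",
            "ssl_stapling_verify": "on", "ssl_prefer_server_ciphers": "on"}

def parse_directives(conf):
    """Yield (name, value) for every uncommented 'name value;' line; braces are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*?);$", line)
        if m:
            yield m.group(1), m.group(2).strip()

def audit(conf):
    """Return a list of findings for a server block; an empty list means it passes."""
    seen = {}
    for name, value in parse_directives(conf):
        seen.setdefault(name, []).append(value)  # a later directive overrides an earlier one
    findings = []
    protos = set(" ".join(seen.get("ssl_protocols", [])).split())
    weak = sorted(protos & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("ssl_protocols enables deprecated versions: " + ", ".join(weak))
    for name, want in REQUIRED.items():
        got = seen.get(name, ["<missing>"])[-1]
        if got != want:
            findings.append(f"{name} should be '{want}', found '{got}'")
    if seen.get("gzip", ["off"])[-1] == "on":
        findings.append("gzip is enabled inside the TLS server block (compression side channel)")
    cert = seen.get("ssl_certificate", [""])[-1]
    if cert and not cert.endswith("fullchain.pem"):
        findings.append("ssl_certificate does not use fullchain.pem; clients may miss the intermediate")
    return findings

# Constructed sample: the TLS directives from the tutorial's HTTPS server block.
PAGE_BLOCK = """
        listen 443 ssl default_server;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
"""
HARDENED_BLOCK = PAGE_BLOCK.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")

if __name__ == "__main__":
    for label, block in (("page", PAGE_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(label, audit(block) or "OK")
```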

Restart nginx. Nginx can now serve HTTPS.

To set up automatic certificate renewal, add a cron job that runs the renewal process.

sudo crontab -e

Then add the following line and save.

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

The cron job will attempt renewal 30 days before the certificate expires.

Step 3: Obtain the Let's Encrypt certificate

To obtain a Let's Encrypt SSL/TLS certificate,
open the nginx configuration file and add the server_name directive.

sudo nano /etc/nginx/sites-available/default

Check that it contains this line:

server_name     example.com www.example.com;

We may also want to add the following to the file.

        location ~ /.well-known {
                allow all;
        }

Obtain the free certificate:

sudo certbot certonly -m admin@example.com -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com

www.example.com and example.com correspond to the server_name settings in nginx.

Enter A to agree to the terms.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2014.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Whether to share your email address: either Yes or No is fine.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
------------------------------------------------------------------------------
(Y)es/(N)o: Y

Let's Encrypt installs a valid SSL/TLS certificate on the machine.
When the process completes, we should see a message like the one below.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2015-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 2: Install the Let's Encrypt SSL/TLS management package

Get the Let's Encrypt package. It is used to obtain certificates for the domain.

sudo apt-get install certbot

Step 1: Get nginx on Ubuntu

Install nginx

sudo apt-get install nginx

After installing nginx, the following commands stop, start and enable the nginx service (enabling a service makes it start automatically when the server boots):

sudo systemctl stop nginx.service
sudo systemctl start nginx.service
sudo systemctl enable nginx.service

How to set up a Let's Encrypt SSL/TLS certificate for Nginx on Ubuntu
Date: 2020-07-07 20:57:18 Source: oir Author: oir