Nginx是一款轻量级的Web 服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,并在一个BSD-like 协议下发行。其特点是占有内存少,并发能力强。
1.ubuntu安装nginx:
sudo apt-get update
sudo apt-get install nginx
Let’s Encrypt 是 一个叫 ISRG ( Internet Security Research Group ,互联网安全研究小组)的组织推出的免费安全证书计划。
Certbot是EFF的自动部署Let’s Encrypt证书的工具,使用简单。
2.ubuntu安装Certbot:
sudo apt-get install certbot python-certbot-nginx
3.部署证书:
sudo certbot certonly --webroot -w /var/www/html/ -d your.site.com
中间过程要同意协议以及填写邮箱,部署成功返回:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your.site.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your.site.com/privkey.pem
Your cert will expire on 2018-09-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4.修改Nginx的虚拟主机配置文件,新建一个443端口的server配置:
配置文件:/etc/nginx/sites-available/default
新增内容:
server {
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/your.site.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.site.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your.site.com/chain.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html index.php;
server_name your.site.com;
}
5.重启nginx:
sudo service nginx reload
此时,访问https://your.site.com已经可以显示安全标记。
6.nginx 80端口重定向到443端口:
server {
listen 80;
server_name your.site.com;
rewrite ^(.*)$ https://${server_name}$1 permanent;
}
7.Let’s Encrypt 生成的免费证书为3个月时间,到期要更新证书:
sudo certbot renew --dry-run
成功更新返回:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.site.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.site.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/your.site.com/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/your.site.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
8.使用crontab -e的命令来启用自动更新证书任务:
sudo crontab -e
添加配置:
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
上面的执行时间为:每周一半夜2点30分执行renew任务。
网友评论