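Configuring Free Let’s Encrypt SSL/TLS Certificates with NGINX
How Let’s Encrypt Works
Before issuing a certificate, Let’s Encrypt validates ownership of the domain. The Let’s Encrypt client running on your host creates a temporary file (a token) containing the required information. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client.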
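The validation exchange described above, as an added example that is not part of the original article or of certbot: a local web server plays your host, and validate() plays the Let’s Encrypt validation server. It goes beyond the text by using the file path and key-authorization format defined for the HTTP-01 challenge in RFC 8555 and RFC 7638. The account key, token and function names are constructed for illustration.

```python
import base64, functools, hashlib, http.server, json, os, tempfile, threading
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"   # path fixed by RFC 8555

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over canonical JSON."""
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                       sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canon.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, jwk):
    """What the client must serve: the CA's token bound to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def publish_challenge(webroot, token, jwk):
    """Client side: write the temporary file under the web root."""
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(key_authorization(token, jwk))

def validate(base_url, token, jwk):
    """CA side: fetch the file over plain HTTP and compare with the expected value."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=5) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except OSError:          # connection refused, 404, timeout
        return False
    return body == key_authorization(token, jwk)

def run_demo():
    # Constructed sample values, not a real account key or CA token.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM"}
    token = "constructed-token-0123456789abcdef"
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            before = validate(base, token, jwk)   # nothing published yet
            publish_challenge(webroot, token, jwk)
            after = validate(base, token, jwk)    # file matches the expected value
            other = validate(base, token, dict(jwk, n="b3RoZXIta2V5"))  # different account key
        finally:
            srv.shutdown()
            srv.server_close()
    return before, after, other

if __name__ == "__main__":
    print(run_demo())
```

Validation succeeds only when the file is reachable over HTTP at the fixed path and its content is bound to the requesting account's key, so a copy of the token alone is not enough for another account.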
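Prerequisites
Before starting with Let’s Encrypt, you need to:
- Have NGINX installed.
- Own or control the registered domain name for the certificate. If you don’t have a registered domain name, you can obtain one from a domain name registrar.
- Create a DNS record that associates your domain name with your server’s public IP address.
Setting Up Let’s Encrypt Easily with NGINX
1. Download the Let’s Encrypt Client
First, download the Let’s Encrypt client, certbot.
As mentioned above, we tested the instructions on Ubuntu 16.04; these are the appropriate commands for that platform: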
sudo apt-get update
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx
On Ubuntu 18.04 and later, substitute the Python 3 version:
sudo apt-get update
sudo apt-get install certbot
sudo apt-get install python3-certbot-nginx
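2. Set Up NGINX
certbot can automatically configure NGINX for SSL/TLS. It looks for and modifies the server block in your NGINX configuration whose server_name directive contains the domain name you are requesting a certificate for. In our example, the domain is www.example.com.
Assuming you are starting with a fresh NGINX installation, use a text editor to create a file named domain-name.conf in the /etc/nginx/sites-enabled directory (in our example, www.example.com.conf).
Specify your domain name (and any variants) with the server_name directive: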
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name example.com www.example.com;
}
Save the file, then run this command to verify the syntax of your configuration and reload NGINX:
nginx -t && nginx -s reload
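3. Obtain the SSL/TLS Certificate
The NGINX plug-in for certbot takes care of reconfiguring NGINX and reloading its configuration whenever necessary.
Run the following command to generate certificates with the NGINX plug-in: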
sudo certbot --nginx -d example.com -d www.example.com
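Respond to the prompts from certbot to configure your HTTPS settings, which involves entering your email address and agreeing to the Let’s Encrypt terms of service.
When certificate generation completes, NGINX reloads with the new settings. certbot generates a message indicating that certificate generation was successful and specifying the location of the certificate on your server.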
Congratulations! You have successfully enabled https://example.com and https://www.example.com

-------------------------------------------------------------------------------------
IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com//privkey.pem
Your cert will expire on 2017-12-12.
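Note: Let’s Encrypt certificates expire after 90 days (on 2017-12-12 in this example). For information about automatically renewing certificates, see the section “Automatically Renew Let’s Encrypt Certificates” below.
If you look at domain-name.conf, you see that certbot has modified it: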
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name example.com www.example.com;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
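4. Automatically Renew Let’s Encrypt Certificates
Let’s Encrypt certificates expire after 90 days. We recommend that you renew your certificates automatically. Here we add a cron job to an existing crontab file to do this.
Open the crontab file.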
crontab -e
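Add the certbot command and set it to run daily. In this example, we run the command every day at noon. The command checks whether the certificate on the server will expire within the next 30 days, and renews it if so. The --quiet option tells certbot not to generate output.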
0 12 * * * /usr/bin/certbot renew --quiet
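Save and close the file. All installed certificates will be automatically renewed and reloaded.
Summary
We have installed the Let’s Encrypt agent to generate SSL/TLS certificates for a registered domain name, configured NGINX to use the certificates, and set up automatic certificate renewal. With Let’s Encrypt certificates for NGINX and NGINX Plus, you can have a simple, secure website up and running within minutes.
To try NGINX Plus and Let’s Encrypt yourself, download a 30-day free trial today or contact us to discuss your use case.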