How to Set Up Let's Encrypt SSL Certificates with Nginx on Ubuntu 20.04
Let's Encrypt is a well-known certificate authority that provides free SSL certificates for websites. It was launched in April 2016. Let's Encrypt uses client software (certbot) to automate the creation, validation, signing, installation, and renewal of certificates.
Currently, the automated process supports Apache, Nginx, Plex, and HAProxy.
Prerequisites
Before proceeding, set up the LEMP stack so that the Nginx web server is installed on your Ubuntu system.
Read: How to Install LEMP Stack on Ubuntu 20.04.
Install Certbot
As mentioned earlier, we need to install the Certbot ACME client to generate and install the certificate.
At the time of writing, the Certbot client does not automatically configure Nginx to use the SSL certificate. We need to install the SSL certificate into the Nginx configuration manually.
sudo apt update
sudo apt install -y software-properties-common
sudo add-apt-repository universe
sudo apt update
Now, install the certbot client.
sudo apt install -y certbot
Create an Nginx Virtual Host
Now, we will create an Nginx virtual host configuration file for the domain www.itzgeek.net.
This virtual host serves the HTTP version of your domain.
sudo nano /etc/nginx/conf.d/www.itzgeek.net.conf
Use the following content.
server {
    server_name www.itzgeek.net;
    root /sites/www.itzgeek.net;

    location / {
        index index.html index.htm index.php;
    }

    access_log /var/log/nginx/www.itzgeek.net.access.log;
    error_log /var/log/nginx/www.itzgeek.net.error.log;
}
Add the following lines to the server block above to enable PHP support in Nginx (note the escaped dot in the regex, so that only files ending in .php are passed to PHP-FPM).
location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
Create the document root directory to hold the HTML files.
sudo mkdir -p /sites/www.itzgeek.net
Change the ownership of the directory.
sudo chown -R www-data:www-data /sites/www.itzgeek.net/
Place a test HTML file in the document root of your domain.
echo "This is a test site @ www.itzgeek.net" | sudo tee /sites/www.itzgeek.net/index.html
Restart the Nginx service.
sudo systemctl restart nginx
Update/Change the DNS Record
Go to your DNS management tool or domain registrar and create an A / CNAME record for the domain. For example: www.itzgeek.net.
(Screenshot: Update DNS record)
Wait a while for the A record to propagate.
Check DNS propagation with the nslookup utility (install it with: sudo apt install -y dnsutils).

(Screenshot: Name resolution)
Verify your HTTP website using a web browser.

(Screenshot: HTTP website)
Install the Let's Encrypt SSL Certificate
Create the Let's Encrypt certificate using the certbot command.
sudo certbot certonly --webroot
Follow the interactive prompts and generate the required certificate.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.itzgeek.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.itzgeek.net
Input the webroot for www.itzgeek.net: (Enter 'c' to cancel): /sites/www.itzgeek.net/
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.itzgeek.net/privkey.pem
   Your cert will expire on 2020-08-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
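The http-01 challenge above only succeeds if Nginx serves files from <webroot>/.well-known/acme-challenge/ over plain HTTP, and that is where most webroot failures come from (wrong root, permissions, or a location block that intercepts the path). The following pre-flight script reproduces that fetch with a probe token; it is an added example, not part of the original article, and assumes the DOMAIN and WEBROOT values from the article (override them via the environment, and run it as a user that can write under the webroot).

```shell
#!/bin/sh
# Pre-flight check for certbot's http-01 webroot challenge (added example).
# certbot --webroot writes a token under <webroot>/.well-known/acme-challenge/
# and the Let's Encrypt validation server fetches it over plain HTTP. If Nginx
# cannot serve that path (wrong root, permissions, an intercepting location
# block), the challenge fails. This reproduces that fetch with a probe token.
# Assumed values: DOMAIN and WEBROOT default to the article's site.
DOMAIN="${DOMAIN:-www.itzgeek.net}"
WEBROOT="${WEBROOT:-/sites/www.itzgeek.net}"

# Create the challenge directory and a probe token file; print the token name.
make_probe_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s.probe' "$token" > "$dir/$token" || return 1
    echo "$token"
}

# The URL the ACME validation server would request for this token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Fetch the token through Nginx; 0 when the served body matches the file.
verify_probe() {
    expected=$(cat "$2/.well-known/acme-challenge/$3")
    got=$(curl -fsS --max-time 10 "$(challenge_url "$1" "$3")") || return 1
    [ "$got" = "$expected" ]
}

cleanup_probe() {
    rm -f "$2/.well-known/acme-challenge/$1"
}

main() {
    token=$(make_probe_token "$WEBROOT") || { echo "cannot write under $WEBROOT"; exit 1; }
    if verify_probe "$DOMAIN" "$WEBROOT" "$token"; then
        echo "OK: $(challenge_url "$DOMAIN" "$token") served; webroot challenge should pass"
        rc=0
    else
        echo "FAIL: Nginx did not serve the probe; fix root/permissions before running certbot"
        rc=1
    fi
    cleanup_probe "$token" "$WEBROOT"
    exit "$rc"
}
# Only run the live check when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then main; fi
```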
Edit the Nginx virtual host to add the SSL certificate.
server {
    server_name www.itzgeek.net;
    root /sites/www.itzgeek.net;

    location / {
        index index.html index.htm index.php;
    }

    access_log /var/log/nginx/www.itzgeek.net.access.log;
    error_log /var/log/nginx/www.itzgeek.net.error.log;

    # Let's Encrypt SSL certificate
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.itzgeek.net/privkey.pem;
}
Redirect HTTP to HTTPS with Nginx (Optional)
Now, we will configure the Nginx server to redirect traffic from the HTTP site to the HTTPS site.
Here, we will place the HTTPS redirect server blocks in the same configuration file that was created for the HTTP version of the site.
sudo nano /etc/nginx/conf.d/www.itzgeek.net.conf
Add the following at the end of the file.
# Redirect WWW HTTP to WWW HTTPS
# http://www.itzgeek.net >> https://www.itzgeek.net
server {
    if ($host = www.itzgeek.net) {
        return 301 https://$host$request_uri;
    }

    server_name www.itzgeek.net;
    listen 80;
    return 404;
}

# Redirect NON-WWW HTTP to WWW HTTPS
# http://itzgeek.net >> https://www.itzgeek.net
server {
    if ($host = itzgeek.net) {
        return 301 https://www.itzgeek.net$request_uri;
    }

    server_name itzgeek.net;
    listen 80;
    return 404;
}
Restart the Nginx service.
sudo systemctl restart nginx
Verify the Let's Encrypt SSL Certificate
Verify the Let's Encrypt certificate by visiting the HTTPS version of the website.
http://your-http-website
or
https://your-https-website
You should now get the HTTPS version of the site.

(Screenshot: Let's Encrypt SSL certificate on Ubuntu 20.04)
Test the Let's Encrypt SSL Certificate
Test your SSL certificate for any issues and check its security grade by going to the following URL.
https://www.ssllabs.com/ssltest/analyze.html?d=www.itzgeek.net

(Screenshot: Test Let's Encrypt SSL certificate)
Renew the Let's Encrypt SSL Certificate
Let's Encrypt certificates are valid for 3 months, and it is strongly recommended to renew them before they expire.
The Certbot client installs a scheduler (cron job) that runs twice a day to renew certificates that are about to expire.
You can simulate the certificate renewal process with the following command to make sure that renewal works smoothly.
sudo certbot renew --dry-run
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.itzgeek.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.itzgeek.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.itzgeek.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
The above output confirms that the renewal will work as expected.
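Note the line "new certificate deployed without reload": certbot replaces the files under /etc/letsencrypt/live/, but Nginx keeps serving the certificate it loaded at start-up until it is reloaded, so a renewed certificate is only in use once Nginx has been reloaded. The script below is an added example, not part of the original article or of Certbot itself: it installs a deploy hook into Certbot's renewal-hooks/deploy directory (which Certbot runs after each successful renewal) and adds an expiry check for the certificate on disk; HOOK_DIR is assumed and can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the original article). Two helpers around renewal:
# 1) "certbot renew" writes new files under /etc/letsencrypt/live/, but as
#    the dry-run output shows ("deployed without reload"), Nginx keeps serving
#    the old certificate until it is reloaded. certbot runs every executable
#    in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, so
#    a hook placed there reloads Nginx at the right moment.
# 2) cert_expires_within reports whether a certificate file expires within N
#    days, so expiry can be monitored independently of certbot's scheduler.
# Assumed: HOOK_DIR defaults to certbot's deploy-hook directory.
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"

# Install the deploy hook into $1. It validates the config first so a broken
# config never leaves Nginx down; reload (not restart) keeps connections open.
install_deploy_hook() {
    mkdir -p "$1" || return 1
    cat > "$1/reload-nginx.sh" <<'EOF'
#!/bin/sh
# Run by certbot after a renewal; certbot exports RENEWED_LINEAGE.
logger -t certbot-hook "renewed ${RENEWED_LINEAGE:-?}; reloading nginx"
nginx -t && systemctl reload nginx
EOF
    chmod 0755 "$1/reload-nginx.sh"
}

# Returns 0 if the certificate in $1 expires within $2 days, 1 if it is
# still valid beyond that window, 2 if the file cannot be read.
cert_expires_within() {
    [ -r "$1" ] || return 2
    if openssl x509 -noout -checkend "$(($2 * 86400))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    install)
        install_deploy_hook "$HOOK_DIR" && echo "deploy hook installed in $HOOK_DIR" ;;
    check)
        cert="/etc/letsencrypt/live/www.itzgeek.net/fullchain.pem"
        if cert_expires_within "$cert" 30; then
            echo "WARNING: $cert expires within 30 days; run: sudo certbot renew"
        else
            echo "OK: $cert is valid for more than 30 days"
        fi ;;
esac
```

Run "sudo sh renew-helpers.sh install" once after the first certificate is issued, and "sh renew-helpers.sh check" from cron or a monitoring job to catch a renewal that silently stopped working.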
Conclusion
That's all. I hope you have learned how to set up Let's Encrypt SSL certificates with Nginx on Ubuntu 20.04. Please share your feedback in the comments section.