How to Set Up a Let's Encrypt SSL Certificate with Nginx on Ubuntu 20.04

Let's Encrypt is a well-known certificate authority that provides free SSL certificates for websites. It was launched in April 2016. Let's Encrypt uses client software (certbot) to automate the creation, validation, signing, installation and renewal of certificates.

Currently, the automated process supports Apache, Nginx, Plex and HAProxy.

Prerequisites

Before proceeding, set up a LEMP stack so that the Nginx web server is installed on your Ubuntu system.

See: How to Install LEMP Stack on Ubuntu 20.04.

Install Certbot

As mentioned earlier, we need to install the Certbot ACME client to generate and install the certificate.

At the time of writing, the Certbot client does not automatically configure Nginx to use the SSL certificate. We need to install the SSL certificate manually.

sudo apt update

sudo apt install -y software-properties-common

sudo add-apt-repository universe

sudo apt update

Now, install the certbot client.

sudo apt install -y certbot

Create an Nginx Virtual Host

Now, we will create an Nginx virtual host configuration file for the domain www.itzgeek.net.

This virtual host serves the HTTP version of your domain.

sudo nano /etc/nginx/conf.d/www.itzgeek.net.conf

Use the following content.

server {
   server_name www.itzgeek.net;
   root /sites/www.itzgeek.net;

   location / {
       index index.html index.htm index.php;
   }

   access_log /var/log/nginx/www.itzgeek.net.access.log;
   error_log /var/log/nginx/www.itzgeek.net.error.log;

}

Add the following lines to the server block above to support PHP in Nginx. Note that the dot in the regular expression must be escaped; an unescaped `.php$` would also match paths such as `/index.xphp`.

   # Hand requests for PHP files to the PHP-FPM listener configured by the LEMP stack
   location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   }

Create the document root directory to hold the HTML files.

sudo mkdir -p /sites/www.itzgeek.net

Change the ownership of the directory.

sudo chown -R www-data:www-data /sites/www.itzgeek.net/

Place a test HTML file in your domain's document root.

echo "This is a test site @ www.itzgeek.net" | sudo tee /sites/www.itzgeek.net/index.html

Restart the Nginx service.

sudo systemctl restart nginx

Update/Change DNS Records

Go to your DNS management tool or domain registrar and create an A / CNAME record for the domain. For example: www.itzgeek.net.

Update DNS record

Wait for some time for the A record to propagate.

Check DNS propagation with the nslookup utility (install it with sudo apt install -y dnsutils).

Name resolution

Verify your HTTP website using a web browser.

HTTP website

Install the Let's Encrypt SSL Certificate

Create the Let's Encrypt certificate using the certbot command.

sudo certbot certonly --webroot

Follow the interactive prompts and generate the required certificate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]  

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A  

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y  
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.itzgeek.net  
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.itzgeek.net
Input the webroot for www.itzgeek.net: (Enter 'c' to cancel): /sites/www.itzgeek.net/  
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem  
   Your key file has been saved at:
   /etc/letsencrypt/live/www.itzgeek.net/privkey.pem  
   Your cert will expire on 2020-08-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Edit the Nginx virtual host to add the SSL certificate.

server {
   server_name www.itzgeek.net;
   root /sites/www.itzgeek.net;

   location / {
       index index.html index.htm index.php;
   }

   access_log /var/log/nginx/www.itzgeek.net.access.log;
   error_log /var/log/nginx/www.itzgeek.net.error.log;

   # Let's Encrypt SSL certificate
   listen 443 ssl;
   ssl_certificate /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/www.itzgeek.net/privkey.pem;
}

Redirect HTTP to HTTPS with Nginx (Optional)

Now, we will configure the Nginx server to redirect traffic from the HTTP site to the HTTPS site.

Here, we will place the HTTP-to-HTTPS redirect server blocks in the same configuration file that was created for the HTTP version of the site.

sudo nano /etc/nginx/conf.d/www.itzgeek.net.conf

Add the following content at the end of the file.

# Redirect WWW HTTP to WWW HTTPS
# http://www.itzgeek.net >> https://www.itzgeek.net

server {
    if ($host = www.itzgeek.net) {
        return 301 https://$host$request_uri;
    }

    server_name www.itzgeek.net;
    listen 80;
    return 404;
}

# Redirect NON-WWW HTTP to WWW HTTPS
# http://itzgeek.net >> https://www.itzgeek.net

server {
    if ($host = itzgeek.net) {
        return 301 https://www.itzgeek.net$request_uri;
    }

    server_name itzgeek.net;
    listen 80;
    return 404;
}

Restart the Nginx service.

sudo systemctl restart nginx

Verify the Let's Encrypt SSL Certificate

Verify the Let's Encrypt certificate by visiting the HTTPS version of the website.

http://your-http-website

OR

https://your-https-website

You should now get the HTTPS version of the site.

Let's Encrypt SSL certificate on Ubuntu 20.04

Test the Let's Encrypt SSL Certificate

Test your SSL certificate for any issues, and see its security rating, by going to the following URL.

https://www.ssllabs.com/ssltest/analyze.html?d=www.itzgeek.net

Test the Let's Encrypt SSL certificate

Renew the Let's Encrypt SSL Certificate

Let's Encrypt certificates are valid for 3 months, and it is strongly recommended that you renew them before they expire.

The Certbot client installs a scheduler (cron job) that runs twice a day to renew certificates that are about to expire.

You can simulate the certificate renewal process with the following command to make sure the renewal goes smoothly.

sudo certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.itzgeek.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.itzgeek.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.itzgeek.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

The above output confirms that the renewal will work as expected.
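Note the line "new certificate deployed without reload" in the dry run above: with the webroot authenticator and "Installer None", Certbot writes the renewed files but the running Nginx keeps serving the old certificate from memory until it is reloaded. The script below is an added example, not part of the original tutorial, and assumes the standard Certbot layout on Ubuntu 20.04 (deploy hooks under /etc/letsencrypt/renewal-hooks/deploy, which Certbot runs after each successful renewal with RENEWED_LINEAGE set). It installs a hook that reloads Nginx only when the configuration still parses, and adds a helper that reports the days left on a PEM certificate so you can confirm a renewal actually took effect.

```shell
#!/bin/bash
# Added example (not from the original tutorial): renewal hygiene for the
# webroot setup above. Requires openssl and GNU date for days_until_expiry.
set -eu

# The deploy-hook directory is a parameter so the function can be exercised
# in a scratch directory; on the server it is the assumed Certbot path
# /etc/letsencrypt/renewal-hooks/deploy.
install_reload_hook() {            # usage: install_reload_hook <deploy-hook-dir>
    local hook="$1/reload-nginx.sh"
    mkdir -p "$1"
    cat > "$hook" <<'EOF'
#!/bin/sh
# Run by Certbot after a successful renewal. Reload Nginx only if the
# configuration still parses; a failed reload would silently leave the
# old certificate in service, so log loudly and exit non-zero instead.
set -e
if nginx -t >/dev/null 2>&1; then
    systemctl reload nginx
    logger -t certbot-deploy "reloaded nginx after renewing ${RENEWED_LINEAGE:-unknown}"
else
    logger -t certbot-deploy "nginx -t failed after renewing ${RENEWED_LINEAGE:-unknown}; not reloaded"
    exit 1
fi
EOF
    chmod 0755 "$hook"
    printf '%s\n' "$hook"
}

# Print the whole days remaining before the certificate in $1 expires
# (negative once it has lapsed). Run it against the live fullchain.pem after
# "certbot renew" and again against what Nginx serves to spot a missed reload.
days_until_expiry() {              # usage: days_until_expiry <cert.pem>
    local not_after
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    echo $(( ( $(date -d "$not_after" +%s) - $(date +%s) ) / 86400 ))
}

# On the server, as root:
#   install_reload_hook /etc/letsencrypt/renewal-hooks/deploy
#   days_until_expiry /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem
```

To compare the file on disk with what Nginx is actually serving, feed the output of `openssl s_client -connect www.itzgeek.net:443 -servername www.itzgeek.net </dev/null` through `openssl x509 -noout -enddate` and check that both dates agree.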

Conclusion

That's all. I hope you have learned how to set up a Let's Encrypt SSL certificate with Nginx on Ubuntu 20.04. Please share your feedback in the comments section.
