Enabling a free Let's Encrypt SSL certificate for Nginx on Ubuntu 14.04

[email protected]:~#apt-get -y install git bc
[email protected]:~#git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
[email protected]:~#service nginx stop
[email protected]:~#cd /opt/letsencrypt
[email protected]:~#./letsencrypt-auto certonly --standalone

If ./letsencrypt-auto certonly --standalone fails, it is sometimes due to network problems or machine performance; just try a few more times!

You will then be prompted for the domain name; in this example it is www.service-labs.com. If you have several subdomains, separate them with spaces.
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):www.service-labs.com

If everything succeeds, you will see the following output:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.service-labs.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.service-labs.com/fullchain.pem. Your cert will
expire on 2017-08-25. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[email protected]:/opt/letsencrypt#

After the certificate has been obtained, you get the following PEM-encoded files:

cert.pem: the certificate for your domain.
chain.pem: the Let's Encrypt chain certificate.
fullchain.pem: cert.pem and chain.pem combined.
privkey.pem: the private key for your certificate.

Take note of the paths of the files just created; this is important because you will need them when configuring the server. The files themselves live under /etc/letsencrypt/archive. However, Let's Encrypt creates symbolic links to the current certificate files under /etc/letsencrypt/live/www.service-labs.com. Because these links always point to the most recent certificate files, you should use these paths when referring to your certificate files.

You can list the existing certificate files with the following command (replace the domain with your own):

[email protected]:~#ls /etc/letsencrypt/live/www.service-labs.com

The output should be the four certificate files mentioned above. When configuring your server later, you will use fullchain.pem as the certificate and privkey.pem as the certificate's key file.

Configuring TLS/SSL on the server (Nginx)

Now that you have an SSL certificate, you need to configure the server to use it.

You need to edit the Nginx file that contains your server block. By default it is at /etc/nginx/sites-available/default.

[email protected]:~#vi /etc/nginx/sites-available/default
Find the server block and comment out or delete the listen directives for port 80, such as:

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

Replace them with:
listen 443 ssl;

Then add the following directives:
server_name www.service-labs.com;
ssl_certificate /etc/letsencrypt/live/www.service-labs.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.service-labs.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

These directives enable SSL on your server and tell it to use the Let's Encrypt SSL certificate.

Finally, add the following block at the top of the default file to redirect all HTTP (port 80) traffic to HTTPS.

server {
listen 80;
server_name www.service-labs.com;
return 301 https://$host$request_uri;
}

################## The complete configuration for this example follows; just copy it and change the domain and the corresponding paths. #############
[email protected]:~# cat /etc/nginx/sites-available/default
server {
listen 80;
server_name www.service-labs.com;
return 301 https://$host$request_uri;
}
#start
server {
listen 443 ssl;

root /opt/websitedir;
index index.php index.html index.htm;
if (-f $request_filename/index.html){
rewrite (.*) $1/index.html break;
}
if (-f $request_filename/index.php){
rewrite (.*) $1/index.php;
}
if (!-f $request_filename){
rewrite (.*) /index.php;
}
# Make site accessible from http://localhost/
server_name www.service-labs.com;
ssl_certificate /etc/letsencrypt/live/www.service-labs.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.service-labs.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.php$is_args$args;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}

# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_buffer_size 128k;
fastcgi_buffers 32 32k;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
#end

###########################################################################################

Because nginx had to be stopped to free port 80 before running ./letsencrypt-auto certonly --standalone, restart nginx now with the following command:

[email protected]:~#service nginx restart

Now open a browser and enter https://www.service-labs.com to test whether HTTPS is enabled for your domain. Normally you will see a small green padlock in front of the address bar. If it is yellow instead, clicking it shows: Verified by: Not specified.
Click More Information and in the Technical Details section you will see, in bold, "Connection Partially Encrypted". That is because your site still contains content loaded over http: inspect the source and you will find that the thumbnails on the home page still use "http://" links. Change them to https, refresh the page, and the yellow padlock turns green again. OK, done!
Note: outbound http links on the page do not affect Connection Encrypted, so there is no need to change them to https.

Because a Let's Encrypt certificate is valid for three months, run the following command after three months to renew it:
[email protected]:~#/opt/letsencrypt/letsencrypt-auto renew

You can also renew it with the certbot-auto command:
[email protected]:~#/opt/letsencrypt/certbot-auto renew --quiet --no-self-upgrade

After three months you will long have forgotten about this, so better write a script and put it in crontab to renew automatically:
[email protected]:~#chmod +x /opt/letsencrypt/certbot-auto
[email protected]:~#vi /opt/letsencrypt/sslrenew.sh
#!/bin/sh
/opt/letsencrypt/certbot-auto renew --quiet --no-self-upgrade
:wq!
[email protected]:~#chmod +x /opt/letsencrypt/sslrenew.sh

Certbot only renews a certificate within the month before it expires; if the certificate is not yet due, it will not renew it. So schedule the server to attempt renewal automatically every Sunday at 01:05.
[email protected]:~#vi /etc/crontab
05 1 * * 0 /opt/letsencrypt/sslrenew.sh
:wq!
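As an added example (not part of the original post), here is a version of sslrenew.sh that only calls certbot-auto when the certificate is inside the 30-day renewal window, and that stops and restarts nginx around the renewal, because the standalone authenticator used above needs port 80/443, which nginx is holding once the site is live. It assumes certbot-auto at /opt/letsencrypt/certbot-auto, openssl on the PATH, nginx managed with service, and the certificate path from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sslrenew.sh with an expiry check
# and nginx stop/start hooks. Assumptions: certbot-auto lives at
# /opt/letsencrypt/certbot-auto, openssl is on PATH, nginx is managed by
# `service`, and the certificate path is the one used in the post.
set -e

CERTBOT=/opt/letsencrypt/certbot-auto
CERT=/etc/letsencrypt/live/www.service-labs.com/cert.pem
RENEW_DAYS=30   # certbot only renews inside the last 30 days of validity

# needs_renewal <cert.pem>: true (exit 0) when the certificate expires within
# RENEW_DAYS days. `openssl x509 -checkend N` exits 0 while the certificate
# is still valid N seconds from now, so its result is negated here.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null
}

# renew: the standalone authenticator from the post binds port 80/443 itself,
# which nginx is holding, so nginx is stopped before and started afterwards.
# --pre-hook/--post-hook only run when certbot actually attempts a renewal.
renew() {
    "$CERTBOT" renew --quiet --no-self-upgrade \
        --pre-hook "service nginx stop" \
        --post-hook "service nginx start"
}

main() {
    if needs_renewal "$CERT"; then
        renew
    else
        echo "$CERT is valid for more than $RENEW_DAYS days; nothing to do"
    fi
}

# Run the renewal only when invoked as `sslrenew.sh run` (as the crontab
# entry would); sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

With this version the crontab entry becomes `05 1 * * 0 /opt/letsencrypt/sslrenew.sh run`.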
