给Ubuntu14.04系统下的Nginx启用Let’s Encrypt的免费SSL证书

root@v:~#apt-get -y install git bc
root@v:~#git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
root@v:~#service nginx stop
root@v:~#cd /opt/letsencrypt
root@v:~#./letsencrypt-auto certonly --standalone

若执行./letsencrypt-auto certonly –standalone命令出错,有时因为网络问题或机器性能等问题,一个多试几次!

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
你的email地址

——————————————————————————-
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:
A

——————————————————————————-
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:
Y

之后会提示输入域名,本例为www.service-labs.com,若有多个子域名,以空格隔开。
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):www.service-labs.com

如果所有的都成功了将会看到下面的信息:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.service-labs.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.service-labs.com/fullchain.pem. Your cert will
expire on 2017-08-25. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
“letsencrypt-auto renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@v:/opt/letsencrypt#

在获取到证书后,你会得到下面几个PEM-编码的文件:

cert.pem: 你域名的证书。
chain.pem: Let’s Encrypt chain 证书。
fullchain.pem: cert.pem 和 chain.pem 联合。
privkey.pem: 你证书的私有 key。

留意刚才创建的几个文件的路径这很重要,因为等下在配置服务器的时候会用到。这些文件在/etc/letsencrypt/archive目下。然而 Let’s Encrypt在/etc/letsencrypt/live/www.service-labs.com目录下创建了相应证书的符号链接。因为这些链接总是指向最近的证书文件,所以你应该用这些路径来表示你的证书文件。

你可以用下面的命令查看已存在的证书文件(用你自己的域名替换下面的):

root@v:~#ls /etc/letsencrypt/live/www.service-labs.com

它的输出应该就是之前提到的那四个证书文件。你等下可能会使用fullchain.pem来配置你的服务器作为证书,privkey.pem文件作为证书的key文件。

配置服务器(Nginx)上的 TLS/SSL

现在你有了一个 SSL 证书,你需要配置服务器才能使用它。

现在你需要编辑包含你服务器块的Nginx文件。默认的位置在/etc/nginx/sites-available/default。

root@v:~#vi /etc/nginx/sites-available/default
找到server代码块,注释或删掉跟80端口相关的监听代码,如:

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

将其替换为:
listen 443 ssl;

增加如下代码
server_name www.service-labs.com;
ssl_certificate /etc/letsencrypt/live/www.service-labs.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.service-labs.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

这些代码能让你的服务器启用 SSL,并告诉它使用 Let’s Encrypt SSL 证书。

最后,在default文件最前面增加如下代码用来重定向所有的HTTP(80端口)到 HTTPS。

server {
listen 80;
server_name www.service-labs.com;
return 301 https://$host$request_uri;
}

##################以下是本例完整配置,你只需拷贝修改一下域名和相应的路径即可。#############
root@v:~# cat /etc/nginx/sites-available/default
server {
listen 80;
server_name www.service-labs.com;
return 301 https://$host$request_uri;
}
#start
server {
listen 443 ssl;

root /opt/websitedir;
index index.php index.html index.htm;
if (-f $request_filename/index.html){
rewrite (.*) $1/index.html break;
}
if (-f $request_filename/index.php){
rewrite (.*) $1/index.php;
}
if (!-f $request_filename){
rewrite (.*) /index.php;
}
# Make site accessible from http://localhost/
server_name www.service-labs.com;
ssl_certificate /etc/letsencrypt/live/www.service-labs.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.service-labs.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ‘EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH’;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.php$is_args$args;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}

# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have “cgi.fix_pathinfo = 0;” in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_buffer_size 128k;
fastcgi_buffers 32 32k;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
#end
###########################################################################################

因为之前执行./letsencrypt-auto certonly –standalone命令前要停止nginx释放80端口,所以现在我们要使用下面的命令重启nginx:

root@v:~#service nginx restart

现在你可以打开浏览器输入https://www.service-labs.com测试HTTPS是否已在你的域名下启用了。正常情况下地址输入框前你会见到一个小绿锁,若是黄色的
点开会发现是:Verified by: Not specified
点开More Information,你会发现Technical Details段是黑体的字“Connection Partially Encrypted”,那是因为你的网站内容还有以http显示的内容,查找源码,发现首页的缩例图用的还是“http://”这样的链接,将其修改为https后刷新一下网页就会发现黄锁变回绿锁了,OK,可以了!
注:网页的http外链不会影响你的Connection Encrypted,所以无需修改为https。

因为Let’s Encrypt的凭证有效期为三个月,所以三个月后执行如下命令让它自动更新凭证:
root@v:~#/opt/letsencrypt/letsencrypt-auto renew

也可以通过certbot-auto命令让它自动更新凭证:
root@v:~#/opt/letsencrypt/certbot-auto renew --quiet --no-self-upgrade

三个月早忘了这事了,所以还是写个脚本放crontab让它自动更新吧:
root@v:~#chmod +x /opt/letsencrypt/certbot-auto
root@v:~#vi /opt/letsencrypt/sslrenew.sh
#!/bin/sh
/opt/letsencrypt/certbot-auto renew --quiet --no-self-upgrade
:wq!
root@v:~#chmod +x /opt/letsencrypt/sslrenew.sh

Certbot只有在证书到期前一个月才会进行更新,如果证书还没到期,它是不会进行更新的。所以设定让服务器每周日凌晨01:05分开始自动更新。
root@v:~#vi /etc/crontab
05 1 * * 0 /opt/letsencrypt/sslrenew.sh
:wq!

上一篇: