Installing a Free SSL Certificate for Nginx on Ubuntu

Install nginx

Update the apt sources and install the nginx service:

sudo apt-get update
sudo apt-get install -y nginx

Install certbot

certbot is the package used to maintain Let's Encrypt certificates.
Add the package repository:

sudo add-apt-repository ppa:certbot/certbot

Then update the apt sources:

sudo apt-get update

Then install Certbot's Nginx package:

sudo apt-get install python-certbot-nginx -y

Issue the SSL certificate

Now use Let's Encrypt to issue the SSL certificate:

sudo certbot --nginx -d your-domain

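Note that your-domain here is your own domain name. If this is the first time you run certbot, it asks you to enter an email address and to accept the Let's Encrypt agreement, and finally asks whether to redirect HTTP to HTTPS: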

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Choose 2 to enable the redirect.
At the end you can see where the generated certificate was saved:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hvnobug.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hvnobug.com/privkey.pem
   Your cert will expire on 2019-10-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Look at the nginx configuration file /etc/nginx/sites-available/default:

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/hvnobug.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/hvnobug.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

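At this point we can see that the SSL certificate has been configured and nginx is listening on port 443. Visiting the site over http in a browser now redirects automatically to https.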

Renew the certificate automatically

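Because SSL certificates issued by Let's Encrypt are valid for only 90 days, they need to be renewed automatically before they expire. If you use the latest certbot, Let's Encrypt adds the automatic renewal script to /etc/cron.d for you, so you only need to check that this command works: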

sudo certbot renew --dry-run
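
The dry run shows that renewal can succeed, not that it has been happening. The script below is an added example, not part of the original post: it reads the expiry date of the live certificate and reports whether it is already inside the renewal window. It assumes GNU date and openssl are installed, uses the placeholder path /etc/letsencrypt/live/your-domain/fullchain.pem, and assumes Certbot's default of renewing when fewer than 30 days remain.

```shell
#!/usr/bin/env bash
# Added example: expiry check for a Certbot-managed certificate.
# CERT uses a placeholder domain; override it for your own site.
CERT="${CERT:-/etc/letsencrypt/live/your-domain/fullchain.pem}"
RENEW_WINDOW_DAYS=30   # assumed Certbot default: renew when under 30 days remain

# days_left "<notAfter string>" <now-epoch> -> whole days until expiry (floored)
days_left() {
    local end_epoch secs
    end_epoch=$(date -u -d "$1" +%s) || return 2
    secs=$(( end_epoch - $2 ))
    # Shell division truncates toward zero; shift negatives so that a
    # certificate expired one hour ago reports -1, not 0.
    if [ "$secs" -lt 0 ]; then secs=$(( secs - 86399 )); fi
    echo $(( secs / 86400 ))
}

# renewal_status <days> -> OK | DUE | EXPIRED
renewal_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$RENEW_WINDOW_DAYS" ]; then echo DUE
    else echo OK
    fi
}

# check_cert <pem-file> [now-epoch]: non-zero exit unless status is OK
check_cert() {
    local end days status
    end=$(openssl x509 -noout -enddate -in "$1") || return 2
    end=${end#notAfter=}          # e.g. "Oct 28 12:00:00 2019 GMT"
    days=$(days_left "$end" "${2:-$(date +%s)}") || return 2
    status=$(renewal_status "$days")
    echo "$1: $days days left, $status"
    [ "$status" = OK ]
}

# Only touch the real certificate when it is readable (normally needs root).
if [ -r "$CERT" ]; then
    check_cert "$CERT" ||
        echo "certificate is due or expired: check the certbot renewal job" >&2
fi
```

A DUE or EXPIRED result on a server where the renewal job is supposed to be running means the job is missing or failing, which the dry run alone does not reveal.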

Author: Emil
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Emil as the source when reposting.