Install nginx

Update the apt sources and install the nginx service:

sudo apt-get update
sudo apt-get install -y nginx

Install certbot

certbot is the ACME client that requests, installs and renews Let's Encrypt certificates (it is not a package that maintains Let's Encrypt itself). Add its package repository:

(Note: the ppa:certbot/certbot PPA has since been deprecated. On current Ubuntu releases use the distribution's certbot package or the snap the certbot project now recommends; there the nginx plugin is named python3-certbot-nginx. The commands below are kept as they were run when this post was written.)

sudo add-apt-repository ppa:certbot/certbot

Then update the apt sources:

sudo apt-get update

Then install Certbot's nginx plugin package:

sudo apt-get install python-certbot-nginx -y

Issue the SSL certificate

Now request a certificate from Let's Encrypt and let certbot configure nginx with it:

sudo certbot --nginx -d your-domain

Here your-domain is your own domain. Its DNS record must already point at this server and port 80 must be reachable from the internet, because the nginx plugin answers the ACME HTTP-01 challenge there; otherwise validation fails and no certificate is issued. If this is the first time you run certbot, it asks for an email address (used for expiry warnings) and asks you to accept the Let's Encrypt subscriber agreement. Finally it asks whether to redirect HTTP to HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Choose 2 to redirect. At the end certbot prints where the certificate and private key were saved:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hvnobug.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hvnobug.com/privkey.pem
Your cert will expire on 2019-10-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Look at the nginx configuration file /etc/nginx/sites-available/default:

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/hvnobug.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/hvnobug.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Here we can see that certbot has added the certificate and key directives and nginx now listens on port 443 with TLS. Visiting the site over http in a browser is automatically redirected to https. Note that privkey.pem is the private key: keep /etc/letsencrypt readable only by root, and include the whole directory in your backups as the certbot output above recommends.

Renew the certificate automatically

Because certificates issued by Let's Encrypt are valid for only 90 days, they must be renewed before they expire. If you use a recent certbot package, it installs the renewal job for you (on Ubuntu a cron job in /etc/cron.d/certbot and a systemd timer, certbot.timer); it runs certbot renew twice a day and renews any certificate that is within 30 days of expiry. You only need to confirm that the renewal command works, which the dry run does against the Let's Encrypt staging environment without touching your real certificate:

sudo certbot renew --dry-run
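As an added example (not code from the original post or from the certbot project): a short POSIX shell script that checks a Certbot-managed vhost for the TLS directives shown above and for the HTTP-to-HTTPS redirect chosen with option 2, and installs a renewal deploy hook that reloads nginx only after nginx -t passes, since a renewed certificate on disk is not served until nginx reloads. The vhost text inside the script is constructed from the snippet above rather than read from a live server; the hook file name and the temporary hook directory are assumptions, and on a real host the hook belongs in /etc/letsencrypt/renewal-hooks/deploy.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for a vhost that
# Certbot's nginx plugin configured, plus a deploy hook so that a renewed
# certificate is actually loaded by nginx. Paths follow what Certbot printed
# above; the sample vhost below is constructed, not read from a live server.
set -eu

# Return 0 if $1 contains every directive Certbot writes for an HTTPS vhost,
# otherwise list the missing ones on stderr and return 1.
check_certbot_nginx_config() {
    conf=$1
    rc=0
    for directive in 'listen 443 ssl' 'ssl_certificate ' 'ssl_certificate_key ' \
        'include /etc/letsencrypt/options-ssl-nginx.conf' 'ssl_dhparam '; do
        if ! grep -q "^[[:space:]]*$directive" "$conf"; then
            printf 'missing directive: %s\n' "$directive" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if $1 redirects plain HTTP to HTTPS (option 2 in the certbot prompt),
# which Certbot implements as a 301 to https://$host$request_uri.
check_https_redirect() {
    grep -q 'return 301 https://' "$1"
}

# Install a deploy hook into directory $1 (on a real host:
# /etc/letsencrypt/renewal-hooks/deploy). Certbot runs scripts there only
# after a successful renewal; the hook validates the config before reloading
# so a broken edit cannot take the site down. Prints the hook path.
install_reload_hook() {
    hook=$1/reload-nginx.sh   # file name is an assumption of this example
    mkdir -p "$1"
    cat > "$hook" <<'EOF'
#!/bin/sh
nginx -t && systemctl reload nginx
EOF
    chmod 0755 "$hook"
    printf '%s\n' "$hook"
}

# --- demo on a constructed vhost mirroring the "managed by Certbot" lines ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/default" <<'EOF'
server {
    server_name hvnobug.com;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/hvnobug.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hvnobug.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = hvnobug.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name hvnobug.com;
    return 404; # managed by Certbot
}
EOF
check_certbot_nginx_config "$demo_dir/default" && echo "TLS directives present"
check_https_redirect "$demo_dir/default" && echo "HTTP->HTTPS redirect present"
# The hook goes into a temp dir here; on a real host pass the Certbot deploy dir.
install_reload_hook "$demo_dir/deploy"
rm -rf "$demo_dir"
```

On a real server run check_certbot_nginx_config /etc/nginx/sites-available/default after certbot finishes, and install the hook into /etc/letsencrypt/renewal-hooks/deploy so that every successful certbot renew is followed by a validated nginx reload.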