debian 9 Nginx 实现 HTTPS 2019-10-10 倒腾笔记 暂无评论 89 次阅读 获取Let's Encrypt 的免费证书 开始的前提条件: 1、服务器已经安装nginx; 2、有自己的域名,并在DNS添加了记录值为服务器IP的A记录; 3、防火墙开启443端口可访问 安装Certbot软件( Let’s Encrypt 客户端) wget https://dl.eff.org/certbot-auto # 下载到本地 chmod a+x ./certbot-auto # 添加可执行权限 ./certbot-auto --help all # 查看帮助 配置 Nginx在 /etc/nginx/conf.d/ 目录下为域名创建新文件 www.example.com.conf,并添加如下配置: server { root /home/kikakika/trunk; # kikakika替换成你的域名 server_name kikakika.com; # kikakika.com替换成的域名 index index.html index.htm index.php; location ~ \.php(.*)$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; include fastcgi_params; } } systemctl restart nginx # 重启nginx 生成ssl证书 certbot-auto --nginx -d kikakika.com -d www.kikakika.com # 替换你的域名 Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Obtaining a new certificate Performing the following challenges: http-01 challenge for scall2.szhuizhong.cn Waiting for verification... Cleaning up challenges Deployed Certificate to VirtualHost /etc/nginx/nginx.conf for scall2.szhuizhong.cn Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. No redirect - Make no further changes to the webserver configuration. Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. 证书生成成功后,会让你选择是否将所有的 HTTP 请求重定向到 HTTPS(输入 1 或者 2)。如果选 1,则通过 HTTP 和 HTTPS 都可以访问。如果选 2,则所有通过 HTTP 来的请求,都会被 301 重定向到 HTTPS。参考下面的 5. 配置 Nginx。输完 1 或者 2 回车后,会有成功提示,并说明证书放在 /etc/letsencrypt/live/证书的域名 这个位置: 如果出现如下错误: Obtaining a new certificate Performing the following challenges: http-01 challenge for zhuxiaofang.com Using default address 80 for authentication. nginx: [error] invalid PID number "" in "/var/run/nginx.pid" Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-v02.api.letsencrypt.org Could not automatically find a matching server block for hahahaha.com. Set the `server_name` directive to use the Nginx installer. IMPORTANT NOTES: - Unable to install the certificate - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/hahahaha.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/hahahaha.com/privkey.pem Your cert will expire on 2019-07-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. 这里出现了一个错误,大致意思是:证书已成功申请保存了,但是找不到我的域名对应的服务器模块,需要我去nginx中配置server_name。 vi default.conf # 编辑nginx的配置文件/etc/nginx/conf.d/default.conf server { listen 80; server_name localhost; server_name hahaha.com; # 添加这一配置,替换你的域名 #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 "default.conf" 46L, 1127C written 重新运行生成证书命令 下面是 certbot-auto 自动改写过的配置文件,所有改写过的行都在后面加了注释:# managed by Certbot。 # 生成证书时选 1: No redirect,不把 HTTP 请求重定向到 HTTPS,一个 server 同时监听 80 和 443 端口 server { listen 80; server_name scall2.szhuizhong.cn; root /home/szhuizhong/trunk; location / { if (-f $request_filename) { expires max; break; } if (!-e $request_filename) { rewrite ^/(.*)$ /index.php/$1 last; } index index.html index.htm index.php l.php; autoindex off; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } location ~ \.php(.*)$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; fastcgi_param CI_ENV 'testing'; include fastcgi_params; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/scall2.szhuizhong.cn/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/scall2.szhuizhong.cn/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } # 生成证书时选 2: redirect,HTTP 请求重定向到 HTTPS,两个 server 分别监听 80 和 443 端口 server { root /home/kikakika/trunk; server_name kikakika.com; index index.html index.htm index.php; location ~ \.php(.*)$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; include fastcgi_params; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/kikakika.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/kikakika.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { server_name kikakika.com www.kikakika.com; listen 80; return 301 https://$host$request_uri; # managed by Certbot } 设置定时任务出于安全策略, Let’s Encrypt 签发的证书有效期只有 90 天。通过 ./certbot-auto renew 命令可以续签。 crontab -e # 编辑 crontab 文件 0 3 * * * /root/letsencrypt/certbot-auto renew --quiet # 添加 certbot 命令:在每天凌晨3点运行。该命令将检查服务器上的证书是否将在未来30天内过期,如果是,则进行更新。--quiet 指令告诉 certbot 不要生成输出。 0 0 1 * * /home/soft/ssl/letsencrypt/certbot-auto renew>>/home/soft/ssl/letsencrypt/log.txt # 写入日志 打开浏览器输入你的域名试试,不安全提示没有了,就是成功了。 标签: nginx, https, SSL 本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可。