debian 9 Nginx 实现 HTTPS

获取Let’s Encrypt 的免费证书

开始的前提条件:

1、服务器已经安装nginx;

2、有自己的域名,并在DNS添加了记录值为服务器IP的A记录;

3、防火墙开启443端口可访问

安装Certbot软件( Let’s Encrypt 客户端)

1
2
3
wget https://dl.eff.org/certbot-auto # 下载到本地
chmod a+x ./certbot-auto # 添加可执行权限
./certbot-auto --help all # 查看帮助

配置 Nginx在 /etc/nginx/conf.d/ 目录下为域名创建新文件 www.example.com.conf,并添加如下配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
server {
root /home/kikakika/trunk; # kikakika替换成你的域名
server\_name kikakika.com; # kikakika.com替换成的域名
index index.html index.htm index.php;

location ~ \.php(.\*)$ {
fastcgi\_pass 127.0.0.1:9000;
fastcgi\_index index.php;
fastcgi\_split\_path\_info ^((?U).+\.php)(/?.+)$;
fastcgi\_param SCRIPT\_FILENAME $document\_root$fastcgi\_script\_name;
fastcgi\_param PATH\_INFO $fastcgi\_path\_info;
fastcgi\_param PATH\_TRANSLATED $document\_root$fastcgi\_path\_info;
include fastcgi\_params;
}
}

systemctl restart nginx # 重启nginx

生成ssl证书

1
certbot-auto --nginx -d kikakika.com -d www.kikakika.com # 替换你的域名
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for scall2.szhuizhong.cn
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/nginx.conf for scall2.szhuizhong.cn

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
No redirect - Make no further changes to the webserver configuration.
Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

证书生成成功后,会让你选择是否将所有的 HTTP 请求重定向到 HTTPS(输入 1 或者 2)。如果选 1,则通过 HTTP 和 HTTPS 都可以访问。如果选 2,则所有通过 HTTP 来的请求,都会被 301 重定向到 HTTPS。参考下面的 5. 配置 Nginx。输完 1 或者 2 回车后,会有成功提示,并说明证书放在 /etc/letsencrypt/live/证书的域名 这个位置:

如果出现如下错误:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zhuxiaofang.com
Using default address 80 for authentication.
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Could not automatically find a matching server block for hahahaha.com. Set the `server\_name` directive to use the Nginx installer.

IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hahahaha.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hahahaha.com/privkey.pem
Your cert will expire on 2019-07-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew \*all\* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

这里出现了一个错误,大致意思是:证书已成功申请保存了,但是找不到我的域名对应的服务器模块,需要我去nginx中配置server_name。

vi default.conf # 编辑nginx的配置文件/etc/nginx/conf.d/default.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
server {
listen 80;
server\_name localhost;
server\_name hahaha.com; # 添加这一配置,替换你的域名

#charset koi8-r;
#access\_log /var/log/nginx/host.access.log main;

location / {
root /usr/share/nginx/html;
index index.html index.htm;
}

#error\_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
error\_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
"default.conf" 46L, 1127C written

重新运行生成证书命令

下面是 certbot-auto 自动改写过的配置文件,所有改写过的行都在后面加了注释:# managed by Certbot。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# 生成证书时选 1: No redirect,不把 HTTP 请求重定向到 HTTPS,一个 server 同时监听 80 和 443 端口
server {
listen 80;
server\_name scall2.szhuizhong.cn;
root /home/szhuizhong/trunk;

location / {
if (-f $request\_filename) {
expires max;
break;
}
if (!-e $request\_filename) {
rewrite ^/(.\*)$ /index.php/$1 last;
}
index index.html index.htm index.php l.php;
autoindex off;
}

error\_page 404 /404.html;
location = /40x.html {
}
error\_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location ~ \.php(.\*)$ {
fastcgi\_pass 127.0.0.1:9000;
fastcgi\_index index.php;
fastcgi\_split\_path\_info ^((?U).+\.php)(/?.+)$;
fastcgi\_param SCRIPT\_FILENAME $document\_root$fastcgi\_script\_name;
fastcgi\_param PATH\_INFO $fastcgi\_path\_info;
fastcgi\_param PATH\_TRANSLATED $document\_root$fastcgi\_path\_info;
fastcgi\_param CI\_ENV 'testing';
include fastcgi\_params;
}

listen 443 ssl; # managed by Certbot
ssl\_certificate /etc/letsencrypt/live/scall2.szhuizhong.cn/fullchain.pem; # managed by Certbot
ssl\_certificate\_key /etc/letsencrypt/live/scall2.szhuizhong.cn/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl\_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# 生成证书时选 2: redirect,HTTP 请求重定向到 HTTPS,两个 server 分别监听 80 和 443 端口
server {
root /home/kikakika/trunk;
server\_name kikakika.com;
index index.html index.htm index.php;

location ~ \.php(.\*)$ {
fastcgi\_pass 127.0.0.1:9000;
fastcgi\_index index.php;
fastcgi\_split\_path\_info ^((?U).+\.php)(/?.+)$;
fastcgi\_param SCRIPT\_FILENAME $document\_root$fastcgi\_script\_name;
fastcgi\_param PATH\_INFO $fastcgi\_path\_info;
fastcgi\_param PATH\_TRANSLATED $document\_root$fastcgi\_path\_info;
include fastcgi\_params;
}

listen 443 ssl; # managed by Certbot
ssl\_certificate /etc/letsencrypt/live/kikakika.com/fullchain.pem; # managed by Certbot
ssl\_certificate\_key /etc/letsencrypt/live/kikakika.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl\_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server\_name kikakika.com www.kikakika.com;
listen 80;
return 301 https://$host$request\_uri; # managed by Certbot
}

设置定时任务出于安全策略, Let’s Encrypt 签发的证书有效期只有 90 天。通过 ./certbot-auto renew 命令可以续签。

1
crontab -e # 编辑 crontab 文件
1
2
0 3 \* \* \* /root/letsencrypt/certbot-auto renew --quiet # 添加 certbot 命令:在每天凌晨3点运行。该命令将检查服务器上的证书是否将在未来30天内过期,如果是,则进行更新。--quiet 指令告诉 certbot 不要生成输出。
0 0 1 \* \* /home/soft/ssl/letsencrypt/certbot-auto renew>>/home/soft/ssl/letsencrypt/log.txt # 写入日志

打开浏览器输入你的域名试试,不安全提示没有了,就是成功了。