
Using Let's Encrypt certificates with Nginx to serve HTTPS

Source link: https://zhiqiang.org/it/letsencrypt-and-nginx-set-https.html


Author: 张志强, published 2020-01-22, 3144 characters, read 296 times

While setting up matrix synapse recently I noticed that configuring an HTTPS site has become very simple, and that nginx is very pleasant to work with.

1. Generating a Let's Encrypt SSL certificate

Let's Encrypt provides free SSL certificates, and the procedure is very simple: a few commands at the command line are enough.

1.1. Installing letsencrypt (certbot)

First install the command-line tool (on Debian/Ubuntu the letsencrypt package is a transitional package that pulls in certbot, the command used below):

sudo apt install letsencrypt -y

1.2. Generating the certificate

Then the following command issues a free SSL certificate for zhiqiang.org. With --standalone, certbot answers Let's Encrypt's HTTP-01 challenge on port 80 itself, so the domain must resolve to this server and port 80 must be reachable from the internet and not in use; the email address is where expiry warnings are sent:

sudo certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email zhang@zhiqiang -d zhiqiang.org

The command prints the following:

Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zhiqiang.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zhiqiang.org/privkey.pem
   Your cert will expire on 2020-04-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate chain and the private key are written to the directory /etc/letsencrypt/live/zhiqiang.org/ as fullchain.pem and privkey.pem. The files under live/ are symlinks to the current versions kept in /etc/letsencrypt/archive/, so nginx should always be pointed at the live/ paths: after a renewal the symlinks move to the new files and a reload picks them up. privkey.pem is readable only by root; keep it that way.

1.3. Common errors

Note that the command above may fail with this message:

Problem binding to port 80: Could not bind to IPv4 or IPv6.

Taken literally, this says the required port 80 is already in use. But sudo netstat -ap | grep 80 showed nothing on port 80; after stopping nginx with sudo systemctl stop nginx the problem went away, although the cause was not clear at the time. The explanation is that nginx itself was listening on port 80: without -n, netstat prints service names instead of port numbers, so the listener shows up as http rather than 80 and the grep misses it. sudo ss -ltnp (or sudo netstat -tlnp) lists listening sockets numerically. The --standalone authenticator has to bind port 80 itself to answer the HTTP-01 challenge, so whatever is listening there must be stopped while the certificate is issued, or the webroot or nginx authenticator used instead.

1.4. Setting up automatic renewal

Certificates from Let's Encrypt are only valid for 90 days, so they have to be renewed regularly. A crontab entry on the server takes care of this. Because certbot needs root privileges, first switch to root with sudo -i, then run crontab -e and add the job below. certbot renew only renews certificates that have fewer than 30 days left, and the pre/post hooks run only when a renewal is actually attempted, so it is safe, and recommended by Let's Encrypt, to run it twice a day. A sparser schedule such as 10 1 * */2 * (01:10 every day, but only in every other month) skips whole months and can let a certificate issued early in a skipped month expire before the next run. The hooks stop and start nginx around the renewal because the standalone authenticator needs port 80 for itself:

0 */12 * * * certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

Check the job once with certbot renew --dry-run, which performs a test renewal against Let's Encrypt's staging environment. Note that the Debian/Ubuntu certbot package already installs a systemd timer (certbot.timer, see systemctl list-timers) that runs certbot renew twice a day without these hooks; if you rely on it instead of cron, the hooks have to be part of the certificate's renewal configuration (certbot records hooks that were given on the original certonly command). If stopping nginx for every renewal is unwelcome, issue the certificate with the webroot authenticator instead (--webroot -w <dir>, with nginx serving /.well-known/acme-challenge/ from that directory) and replace the two hooks with --deploy-hook "systemctl reload nginx".

After adding the job, exit leaves the root shell.
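The renewal job above is only useful if it actually runs, and a certificate that was renewed on disk but never reloaded into nginx is still expired from the client's point of view. The script below is an added example, not code from the original post or from certbot: it reports how many days the certificate on disk has left, optionally compares that with the certificate nginx is actually serving, and fails when certbot's own 30-day renewal threshold has been crossed. The notAfter date printed by openssl is parsed in plain sh rather than with GNU date -d so the check also runs on BSD/macOS. The certificate path and host name are the post's own; everything else (function names, the 30-day constant, the --check flag) is assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): check how
# many days a Let's Encrypt certificate has left, on disk and as served,
# and whether `certbot renew` would already act on it. Usable as a cron
# job or monitoring probe so a broken renewal job is noticed in time.

CERT=/etc/letsencrypt/live/zhiqiang.org/fullchain.pem   # path from the post
THRESHOLD_DAYS=30   # certbot renews when fewer than 30 days remain

# month_num Mon: three-letter month name as printed by openssl -> 1..12
month_num() {
    case "$1" in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# days_from_civil Y M D: days since 1970-01-01 in the proleptic Gregorian
# calendar (Howard Hinnant's days_from_civil, valid for years >= 0 here).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# epoch_from_openssl_date "Apr 21 23:59:59 2020 GMT": the notAfter format
# printed by `openssl x509 -enddate` (always UTC), converted to Unix time.
epoch_from_openssl_date() {
    set -- $1                                  # -> Mon DD HH:MM:SS YYYY GMT
    mon=$(month_num "$1") || return 2
    days=$(days_from_civil "$4" "$mon" "$2")
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}         # "08" would be read as octal by $(( ))
    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# days_until_expiry NOTAFTER [NOW_EPOCH]: whole days left, negative once
# expired. NOW_EPOCH defaults to the current time and is a parameter so
# the arithmetic can be checked deterministically.
days_until_expiry() {
    end=$(epoch_from_openssl_date "$1") || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# renewal_due DAYS_LEFT: true when certbot would renew this certificate.
renewal_due() {
    [ "$1" -lt "$THRESHOLD_DAYS" ]
}

# cert_days_left PEM: days left on the first certificate in a PEM file.
cert_days_left() {
    notafter=$(openssl x509 -noout -enddate -in "$1") || return 2
    days_until_expiry "${notafter#notAfter=}"
}

# served_cert_days_left HOST: the same check on the certificate nginx
# actually sends; after a renewal the two differ until nginx is reloaded.
served_cert_days_left() {
    notafter=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
               | openssl x509 -noout -enddate) || return 2
    days_until_expiry "${notafter#notAfter=}"
}

main() {
    left=$(cert_days_left "$CERT") || { echo "cannot read $CERT" >&2; return 2; }
    echo "$CERT: $left days left"
    if [ -n "${1:-}" ]; then
        served=$(served_cert_days_left "$1") || { echo "no certificate from $1:443" >&2; return 2; }
        echo "$1:443 serves a certificate with $served days left"
        [ "$served" -eq "$left" ] || echo "warning: served certificate differs from disk; reload nginx" >&2
    fi
    if renewal_due "$left"; then
        echo "fewer than $THRESHOLD_DAYS days left: renewal is overdue, check 'certbot renew'" >&2
        return 1
    fi
}

# usage: sh cert-check.sh --check [HOST]   (exit 1 = overdue, 2 = cannot check)
if [ "${1:-}" = "--check" ]; then
    main "${2:-}"
fi
```

Run it from cron a few hours after the renewal job (for example 0 8 * * * sh /usr/local/bin/cert-check.sh --check zhiqiang.org) and alert on a non-zero exit; the served-versus-disk comparison is what catches the common case where renewal succeeded but the post-hook or reload did not.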

2. Configuring the HTTPS site in Nginx

With the certificate from above, the HTTPS site can be configured. nginx's configuration is also much simpler than Apache's used to be.

2.1. Installing nginx

sudo apt install nginx

After installation, nginx's configuration lives under /etc/nginx.

2.2. Adding the site

Create the file /etc/nginx/sites-enabled/zhiqiang.org directly (the Debian convention is to put it in sites-available and symlink it into sites-enabled; a file created in sites-enabled works just as well):

# Redirect the HTTP service on port 80 to the HTTPS service on port 443.
server {
    listen 80;
    listen [::]:80;          # also redirect IPv6 clients, matching the 443 block below
    server_name zhiqiang.org;
    return 301 https://$server_name$request_uri;
}

# The HTTPS service on port 443.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name zhiqiang.org;

    # Always reference the live/ symlinks so a renewal plus reload is enough.
    ssl_certificate /etc/letsencrypt/live/zhiqiang.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zhiqiang.org/privkey.pem;
    # Hardening: drop TLS 1.0/1.1 and tell browsers to stay on HTTPS (HSTS).
    # Start with a short max-age and raise it (e.g. to 31536000) once the
    # site is known to work; browsers hold on to the value for that long.
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=300" always;

    root /home/zhangzq/blog/ftp;
    index index.html index.htm;

    location /_matrix {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Synapse behind a reverse proxy also needs the original scheme and
        # Host to build correct URLs and client addresses.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}

# Several HTTPS services can be configured on different ports, e.g. https://zhiqiang.org:444.
server {
    listen 444 ssl;
    listen [::]:444 ssl;
    server_name zhiqiang.org;

    ssl_certificate /etc/letsencrypt/live/zhiqiang.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zhiqiang.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}

After adding the file, run the test command sudo nginx -t. If it prints the following, everything is fine; warnings or errors must be fixed as indicated, and the most common mistake is a missing semicolon:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

2.3. Starting nginx

The following command starts nginx:

sudo systemctl start nginx

This command makes it start automatically at boot:

sudo systemctl enable nginx

Related commands: restart with sudo systemctl restart nginx, stop with sudo systemctl stop nginx. After a configuration change, and after a certificate renewal, sudo systemctl reload nginx re-reads the configuration and the certificate files without dropping open connections; run sudo nginx -t first, since a reload with a broken configuration is refused and the old configuration stays active.
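Once nginx is running, it is worth verifying from the outside that the site behaves as the configuration intends rather than trusting nginx -t, which only checks syntax. The script below is an added example, not code from the original post or from nginx: it checks that port 80 answers with a permanent redirect to https:// on the same host, that the HTTPS response carries a Strict-Transport-Security header with a reasonable max-age (add `add_header Strict-Transport-Security "max-age=..." always;` to the 443 server block if it does not), and that the certificate chain nginx serves verifies against the system CA store. The header checks take raw response headers as input, so they are exercised here on constructed sample responses that are not captured from zhiqiang.org; `probe` performs the live requests with curl and openssl. The host name is the post's own; MIN_HSTS_AGE, the function names and the --probe flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): post-deploy
# checks for an HTTPS site: HTTP->HTTPS redirect, HSTS, chain validity.

HOST=zhiqiang.org          # host from the post
MIN_HSTS_AGE=15552000      # 180 days: a sensible target once the rollout is done

# Constructed sample responses (not captured from a real server), with the
# CRLF line endings curl prints. The first matches what `return 301`
# produces; the second is a 443 response once an HSTS header is added;
# the third is a 443 response without HSTS.
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://zhiqiang.org/\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n')
SAMPLE_NO_HSTS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n')

# header_value HEADERS NAME: value of the first NAME header (case-insensitive
# name match, CR stripped), empty if absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
              'tolower($1) == (name ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# redirects_to_https HEADERS HOST: true if the status is a permanent redirect
# whose Location stays on the same host over https.
redirects_to_https() {
    status=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    location=$(header_value "$1" Location)
    case "$status" in 301|308) ;; *) return 1;; esac
    case "$location" in "https://$2/"*) return 0;; *) return 1;; esac
}

# hsts_max_age HEADERS: the max-age of the Strict-Transport-Security header,
# or nothing when the header or the directive is missing.
hsts_max_age() {
    header_value "$1" Strict-Transport-Security \
        | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p'
}

# hsts_ok HEADERS: true if HSTS is present with max-age >= MIN_HSTS_AGE.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS_AGE" ]
}

# chain_verifies HOST: true if the served chain verifies against the system
# CA store. Serving cert.pem instead of fullchain.pem (missing intermediate)
# fails here even though browsers with a cached intermediate may still connect.
chain_verifies() {
    openssl s_client -connect "$1:443" -servername "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# probe [HOST]: live checks; one line per check, exit 1 if any fails.
probe() {
    host=${1:-$HOST}; fail=0
    http=$(curl -sSI "http://$host/") && redirects_to_https "$http" "$host" \
        && echo "ok   http://$host/ redirects to https://$host/" \
        || { echo "FAIL http://$host/ does not redirect to https://$host/"; fail=1; }
    https=$(curl -sSI "https://$host/") && hsts_ok "$https" \
        && echo "ok   HSTS max-age=$(hsts_max_age "$https")" \
        || { echo "FAIL no Strict-Transport-Security with max-age >= $MIN_HSTS_AGE"; fail=1; }
    chain_verifies "$host" && echo "ok   certificate chain verifies" \
        || { echo "FAIL certificate chain does not verify (fullchain.pem configured?)"; fail=1; }
    return $fail
}

# usage: sh site-check.sh --probe [HOST]
if [ "${1:-}" = "--probe" ]; then
    probe "${2:-}"
fi
```

The chain check deliberately uses openssl's own trust store rather than a browser: a server that ships only the leaf certificate looks fine from a browser that has cached the intermediate and breaks for everything else (curl, mobile clients, federation peers such as other matrix homeservers), which is exactly the failure fullchain.pem exists to prevent.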

Q. E. D.

