Ubuntu免费ssl证书(Let's Encrypt)配置

假定你已经用nginx搭建好网站

安装Certbot

Certbot是维护Let's Encrypt的Package。

添加package repository


sudo add-apt-repository ppa:certbot/certbot

直接回车,添加完毕后,更新apt源数据:


sudo apt-get update

然后安装Certbot的Nginx package:


sudo apt-get install python-certbot-nginx

签发ssl证书

现在使用Let's Encrypt签发ssl证书:


sudo certbot --nginx -d your-domian.com -d www.your-domain.com

注意这里的 your-domain.com 换成你自己的域名,如果你第一次运行certbot的话,会让你输入邮箱,还要接受Let's Encrypt的协议,最后会让你选择是否重定向http到https:



Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

选2,重定向即可。

最后可以看到生成的证书的位置:



IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/oyty.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/oyty.me/privkey.pem
   Your cert will expire on 2018-09-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

这个时候,ssl证书已经自动签发完毕了,你可以访问网站,发现已经是https的了。

查看我之前的nginx配置文件/etc/nginx/sites-available/oyty



server {

       server_name oyty.me www.oyty.me;

       root /var/www/oyty/oyty.github.io;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/oyty.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/oyty.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
    if ($host = www.oyty.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = oyty.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


       listen 80;
       listen [::]:80;

       server_name oyty.me www.oyty.me;
    return 404; # managed by Certbot

}

ssl证书文件自动集成了,如果没有你也可以根据生成的证书地址自己配置。

自动更新证书

因为 Let's Encrypt 签发的 SSL 证书有效期只有 90 天,所有在过期之前,我们需要自动更新 SSL 证书,而如果你使用最新的 certbot 的话,Let's Encrypt 会帮你添加自动更新的脚本到 /etc/cron.d 里,你只需要去检测一下这个命令是否生效就OK!

sudo certbot renew --dry-run

你可能感兴趣的:(Ubuntu免费ssl证书(Let's Encrypt)配置)