如何在Ubuntu 20.04的Nginx上配置Let's Encrypt SSL证书

Z时代
2024-01-10
分类：综合

linux

Web进行安全通信依赖于HTTPS，这需要使用数字证书，以便浏览器验证Web服务器的身份（比如说，google.com是真的吗？） Web服务器从证书颁发机构（CA可信第三方）获取其证书以验证域名真实性，从而构建一个可信，安全的连接。

Certbot是一个易于使用的客户端，它由EFF，Mozilla和开源组织发起。可以从Let's Encrypt（一个开放的证书颁发机构）获取证书，并将其部署到Web服务器。

在本教程中我们将说明如何在ubuntu上使用Certbot工具为自己的HTTP服务器，站点配置HTTPS的SSL证书。包括使用SSH登录到你的服务器，通过snap安装CertBot，配置Let's Encrypt SSL证书，使用Certbot自动更新SSL证书，验证服务器是否正确部署HTTPS的SSL证书。

先决条件

确认登录到服务器的用户有sudo的权限。需要有线上服务器，可以是vps等独立主机。一个可指向你服务器的域名，比如在这个示例将使用www.myfreax.com。可通过域名的方式访问你的HTTP服务器。如果你还没有安装HTTP服务器，可以参考此教程安装Nginx服务器在ubuntu上。

使用SSH登录到你的服务器

登录到服务器后整个过程都是root的操作，建议谨慎使用rm命令，在终端键入以下命令登录到服务器：

sudo ssh [email protected]

上面命令中会要求你输入myfreax用户的密码，才能登录到web服务器，输出如下所示

[email protected]'s password:

如果你已设置密钥登录则不需要输入密码即可登录。如果你或者服务器提供商已更改SSH的默认端口22为其它端口请使用-p选项指定端口，例如改成23333端口，则在终端键入以下命令：

ssh -p '23333' [email protected]

安装CertBot

在Ubuntu官方的默认镜像中并不包含Certbot的软件包，我们将通过snap包管理器安装Certbot中，首先在终端中键入以下命令更新snap的core：

sudo snap install core

sudo snap refresh core

现在，执行以下命令安装certbot，并通过ln命令创建certbot的符号链接，让certbot加入PATH环境变量中：

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

配置SSL证书

配置SSL证书非常简单，运行以下命令获取证书并让Certbot自动编辑您的Nginx配置，只需一步就可以启用HTTPS SSL的证书：

sudo certbot --nginx -d www.myfreax.com

如果你使用的Apache作为HTTP的服务，请使用以下命令，Certbot也将会自动编辑你的Apache配置，以启用HTTPS SSL证书：

sudo certbot  --apache -d www.myfreax.com

如果是首次运行CertBot获取SSL证书，它将会询问你的电子邮件，输入一个你常用的邮件地址，它会在到期之前通知你，同意CertBot协议，是否将HTTP重定向到HTTPS，CertBot获取证书输出内容如下所示：

sudo certbot  --nginx -d www.myfreax.com

sudo certbot --nginx -d www.myfreax.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): 输入你的电子邮件 Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: a 同意协议 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y 询问是否需要接收提醒邮件 Starting new HTTPS connection (1): supporters.eff.org Obtaining a new certificate Performing the following challenges: http-01 challenge for www.myfreax.com Using default addresses 80 and [::]:80 ipv6only=on for authentication. Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-v02.api.letsencrypt.org Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 询问是否要重定向http的连接，选择2重定向 No matching insecure server blocks listening on port 80 found. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://www.myfreax.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=www.myfreax.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.myfreax.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.myfreax.com/privkey.pem Your cert will expire on 2019-10-31. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le