Setting up HTTPS for your site with Certbot on Nginx

Preface

I built a blog and needed an app to fetch data from my own site, but by default the app platform only allows direct access to HTTPS sites. I did not want to downgrade the app to plain HTTP, so I looked into enabling HTTPS instead. This article describes how to use Certbot together with Nginx on Ubuntu.

Environment

  • Ubuntu

  • Nginx

Installing Certbot

On the command line, type:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Then install certbot and its Nginx plugin:

sudo apt-get install certbot python-certbot-nginx

Note that the ppa:certbot/certbot archive and the Python 2 package python-certbot-nginx are no longer maintained. On current Ubuntu releases the plugin package is python3-certbot-nginx, and the Certbot project now recommends installing Certbot as a snap rather than from apt; the remaining steps are the same either way.

Generating the certificate

sudo certbot --nginx

The rest is automatic. Certbot registers an account for you, detects the domain names in your Nginx configuration, asks which domains to issue a certificate for and whether to redirect HTTP to HTTPS, and finally edits the Nginx configuration and reloads Nginx. At that point your site is served over HTTPS.

If Certbot did not modify your Nginx configuration (for example because it could not find a server block for the domain, or because you ran it with certonly), the certificate is still issued and you have to add the configuration yourself.

If the output ends with:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/your.domain.com/fullchain.pem. Your cert
   will expire on 20XX-09-23. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

then the certificate was issued successfully.

Configuring Nginx

In the automatic case Certbot has already configured the certificate for us. The result looks like the following, and it serves as a template for configuring by hand. (The root and include paths in this block are the RHEL/CentOS package defaults; on Ubuntu the site's server block normally lives under /etc/nginx/sites-available/, but the lines marked "managed by Certbot" are the same.)

server {
    server_name bbs.wzlinux.com;   # managed by Certbot
    root         /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {   # must match the error_page URI above
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bbs.wzlinux.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bbs.wzlinux.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = bbs.wzlinux.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen       80 ;
    listen       [::]:80 ;
    server_name bbs.wzlinux.com;
    return 404; # managed by Certbot
}

Enabling port 443

If Certbot did not write the block above for you, edit the Nginx virtual host configuration in the same way and add a server block for port 443:

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name your.domain.com;

    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    # chain.pem is only needed if you enable OCSP stapling (ssl_stapling on)
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;

    # ... other settings (root, location blocks, etc.) ...
}

Remember to replace your.domain.com with your own domain. Use fullchain.pem rather than cert.pem, otherwise clients that do not already have the intermediate certificate will fail to build the chain. Also consider copying the include /etc/letsencrypt/options-ssl-nginx.conf line from the Certbot-generated block above; it sets the TLS protocol versions and cipher list, and without it Nginx falls back to its compiled-in defaults. Note that Nginx comments start with #, not //.
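Before reloading, it is worth a static check that the file actually contains every piece listed above. The following script is an added example written for this article, not part of Certbot or the original post. It assumes the virtual host is a single file and that certificates live under /etc/letsencrypt/live/<domain>/ as Certbot lays them out; the two sample files it writes are constructed here so the check can run offline, and the script name audit_https_site.sh is an assumption.

```shell
#!/bin/sh
# audit_https_site.sh: static check of an nginx virtual host for the HTTPS
# settings described above. Added example for this article, not part of
# Certbot or the original post. Assumptions: the vhost is a single file, and
# certificates live under /etc/letsencrypt/live/<domain>/ as Certbot lays them out.

# check_vhost FILE DOMAIN -> 0 if every required setting is present, 1 otherwise.
check_vhost() {
  conf=$1
  domain=$2
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # escape dots for grep -E
  fail=0

  grep -Eq 'listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' "$conf" \
    || { echo "FAIL: no 'listen 443 ssl' in $conf"; fail=1; }
  grep -Eq "ssl_certificate[[:space:]]+/etc/letsencrypt/live/$esc/fullchain\.pem" "$conf" \
    || { echo "FAIL: ssl_certificate must point at fullchain.pem (cert.pem lacks the chain)"; fail=1; }
  grep -Eq "ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/$esc/privkey\.pem" "$conf" \
    || { echo "FAIL: ssl_certificate_key must point at privkey.pem for $domain"; fail=1; }
  grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$conf" \
    || { echo "FAIL: no HTTP -> HTTPS redirect (return 301 https://...)"; fail=1; }
  grep -Eq 'include[[:space:]]+/etc/letsencrypt/options-ssl-nginx\.conf' "$conf" \
    || echo "WARN: options-ssl-nginx.conf not included; TLS protocols/ciphers are nginx defaults"
  # '//' is not a comment in nginx; 'nginx -t' rejects such a file.
  if grep -Eq '^[[:space:]]*//' "$conf"; then
    echo "FAIL: '//' comment found; nginx only understands '#'"
    fail=1
  fi
  return $fail
}

# Writes two constructed sample vhosts (not real server configs) into a temp
# directory so the check can be exercised offline; prints the directory.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/good.conf" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name your.domain.com;
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    # ... other settings ...
}
server {
    listen 80;
    server_name your.domain.com;
    return 301 https://$host$request_uri;
}
EOF
  cat > "$dir/bad.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name your.domain.com;
    ssl_certificate /etc/letsencrypt/live/your.domain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    // ... other settings ...
}
EOF
  echo "$dir"
}

# Usage: ./audit_https_site.sh /etc/nginx/sites-available/your.domain.com your.domain.com
if [ "$#" -eq 2 ]; then
  check_vhost "$1" "$2"
fi
```

The script only looks at text, so it is a complement to sudo nginx -t, not a replacement: nginx -t catches syntax errors and unreadable certificate files, while this check catches a block that parses fine but points at the wrong PEM file or never redirects port 80.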

Then reload the Nginx configuration. Run sudo nginx -t first: it reports syntax errors and unreadable certificate files, and a reload with a broken configuration is refused, leaving the old configuration active.

sudo service nginx reload

Now open https://your.domain.com in your browser. If the address bar shows the padlock (older browsers showed a green badge), the setup worked.

However, Let's Encrypt certificates are only valid for 90 days, so we need to set up automatic renewal to keep the certificate current.

Automatic certificate renewal

First, simulate a renewal on the command line:

sudo certbot renew --dry-run

A successful dry run looks like this:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/your.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Since the dry run succeeded, we can schedule the real renewal as a cron job. On the command line:

sudo crontab -e

Add this line:

0 4 * * * /usr/bin/certbot renew  >> /var/log/le-renew.log

This schedule runs the renew task every day at 04:00. Certbot only renews certificates that are within 30 days of expiry, so a daily run is cheap and leaves plenty of attempts before the deadline if one fails. Note that the Ubuntu certbot package already installs its own cron job (/etc/cron.d/certbot) and a systemd timer, so on a packaged install this entry may be redundant.

You can run /usr/bin/certbot renew >> /var/log/le-renew.log by hand to check that it works. One caveat: Nginx keeps the certificate it loaded at start-up in memory, so when the renewal configuration has no installer (for example because the certificate was obtained with certonly and the server block was written by hand), certbot renew renews the files on disk but the old certificate keeps being served until Nginx is reloaded. In that case add --deploy-hook "systemctl reload nginx" to the renew command, or install a deploy hook script. If everything is OK, the configuration is complete!
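The deploy hook below is an added example written for this article, not part of Certbot or the original post. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once after a successful renewal, with RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory) and RENEWED_DOMAINS in the environment; the hook checks that the renewed lineage is complete and that the configuration still parses before reloading, so a broken config never turns a routine renewal into an outage. The script path, the log file and the NGINX variable (there so the hook can be exercised without a real Nginx) are assumptions.

```shell
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (path is an assumption).
# Added example for this article, not part of Certbot or the original post.
# Certbot runs this once per successfully renewed certificate, with
# RENEWED_LINEAGE and RENEWED_DOMAINS set in the environment.

LOG=${LOG:-/var/log/le-renew.log}
NGINX=${NGINX:-nginx}   # overridable so the hook can be tested without real nginx

# lineage_complete DIR -> 0 if the files nginx references are readable.
lineage_complete() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# reload_after_renewal LINEAGE DOMAINS -> 0 if nginx was reloaded, 1 otherwise.
reload_after_renewal() {
  lineage=$1
  domains=$2
  stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')

  if ! lineage_complete "$lineage"; then
    echo "$stamp renewal of $domains: $lineage lacks fullchain.pem/privkey.pem, not reloading" >> "$LOG"
    return 1
  fi
  # Never reload on a broken config: a failed reload leaves the old workers
  # running, but it also means the renewed certificate is not picked up, so
  # log it loudly instead of failing silently.
  if ! "$NGINX" -t >/dev/null 2>&1; then
    echo "$stamp renewal of $domains: nginx -t failed, not reloading" >> "$LOG"
    return 1
  fi
  "$NGINX" -s reload && echo "$stamp renewal of $domains: nginx reloaded" >> "$LOG"
}

# When run by certbot the environment carries the lineage that was just renewed.
if [ -n "$RENEWED_LINEAGE" ]; then
  reload_after_renewal "$RENEWED_LINEAGE" "$RENEWED_DOMAINS"
fi
```

Make the file executable (chmod 755) and it is picked up by the cron entry above without any change to the renew command. Keep in mind that certbot renew --dry-run does not run deploy hooks by default, so the dry run from the previous step will not exercise this script; recent Certbot versions accept --run-deploy-hooks to include them in a dry run.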
