The earlier Let's Encrypt article covered the Apache setup (Installing Let's Encrypt SSL certificates). The Let's Encrypt client has improved a lot since then, so here is a separate write-up of the Nginx configuration.
Let's Encrypt installation and Nginx configuration
The following is adapted from: How To Secure Nginx with Let's Encrypt on Ubuntu 16.04
Let's Encrypt installation
- apt-get -y install git-core
- git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
- sudo vim /etc/nginx/sites-available/default # Let's Encrypt validation needs .well-known to be reachable
```nginx
location ~ /.well-known { allow all; }
```
- sudo nginx -t # test
- # Generate the certificate
- cd /opt/letsencrypt
- ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com
- # Once generated, the certificate files can be found here
- ls /etc/letsencrypt/live/example.com/
- cert.pem: Your domain's certificate
- chain.pem: The Let's Encrypt chain certificate
- fullchain.pem: cert.pem and chain.pem combined
- privkey.pem: Your certificate's private key
- # Generate a strong Diffie-Hellman group
- sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
- # Add the SSL settings to nginx
- sudo vim /etc/nginx/sites-enabled/example.com.conf
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # the settings below are optional; decide for yourself whether to use them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;

    root /var/www/html;
    location / { index index.html; }
    location ~ /.well-known { allow all; }
}
```
- # To force http to https in nginx with a 301 redirect, configure it as follows:
- sudo vim /etc/nginx/sites-enabled/example.com.conf
```nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
```
- sudo nginx -t # test that the configuration has no problems
- SSL renewal
- /opt/letsencrypt/letsencrypt-auto renew
- Set up automatic SSL renewal
- crontab -e
- 30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
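The server block above switches on a long list of TLS directives, and an omission in a file that size is easy to miss. The POSIX sh script below is an added example (not code from the page or from the DigitalOcean guide) that audits a server block for the settings the page configures: it warns when ssl_protocols still enables TLSv1 or TLSv1.1 (both deprecated by RFC 8996), when ssl_certificate points at cert.pem instead of fullchain.pem, and when ssl_dhparam, OCSP stapling or the HSTS header is missing. The two configs it checks are constructed inline: one mirrors the page's server block, the other is a tightened variant. The function names and the OK/WARN output format are this example's own.

```shell
#!/bin/sh
# Audit an nginx server block for the TLS settings this page configures.
# Added example: not code from the page or from the DigitalOcean guide.

# Constructed sample: mirrors the page's server block (TLSv1/1.1 still enabled).
page_like_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
EOF
}

# Constructed sample: the same block restricted to TLSv1.2 and newer.
hardened_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
EOF
}

# has_directive CONF REGEX: true when an uncommented line of CONF matches REGEX.
has_directive() {
    printf '%s\n' "$1" | sed 's/#.*$//' | grep -Eq "$2"
}

# warn MESSAGE: print a finding and bump the counter used by audit_tls_conf.
warn() {
    echo "WARN $1"
    warnings=$((warnings + 1))
}

# audit_tls_conf CONF: print one OK/WARN line per check; return the warning count.
audit_tls_conf() {
    conf=$1
    warnings=0

    if has_directive "$conf" '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]'; then
        warn "ssl_protocols still enables TLSv1 or TLSv1.1 (deprecated by RFC 8996)"
    else
        echo "OK ssl_protocols limited to TLSv1.2 and newer"
    fi

    if has_directive "$conf" '^[[:space:]]*ssl_certificate[[:space:]][^;]*/cert\.pem[[:space:]]*;'; then
        warn "ssl_certificate points at cert.pem; use fullchain.pem so clients receive the chain"
    else
        echo "OK ssl_certificate does not point at the bare cert.pem"
    fi

    if has_directive "$conf" '^[[:space:]]*ssl_dhparam[[:space:]]'; then
        echo "OK ssl_dhparam set"
    else
        warn "ssl_dhparam not set; the group generated with openssl dhparam is not in use"
    fi

    if has_directive "$conf" '^[[:space:]]*ssl_stapling[[:space:]]+on' \
       && has_directive "$conf" '^[[:space:]]*ssl_stapling_verify[[:space:]]+on'; then
        echo "OK OCSP stapling enabled and verified"
    else
        warn "OCSP stapling not fully enabled (needs ssl_stapling on and ssl_stapling_verify on)"
    fi

    if has_directive "$conf" 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "OK HSTS header present"
    else
        warn "no Strict-Transport-Security header"
    fi

    return "$warnings"
}

# Demo run over both constructed samples.
for name in page_like_conf hardened_conf; do
    echo "== $name =="
    if audit_tls_conf "$($name)"; then
        echo "warnings: 0"
    else
        echo "warnings: $?"
    fi
done
```

To audit a real file, pass its contents: `audit_tls_conf "$(cat /etc/nginx/sites-enabled/example.com.conf)"`. The exit status is the number of warnings, so the call can gate a deploy step alongside `nginx -t`.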
Renewal can also be done with the script below (taken from: Free SSL/TLS Certificates with Let's Encrypt and NGINX)
```sh
#!/bin/sh
# Renew the certificate with letsencrypt-auto and reload nginx only on success.
cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
if [ $? -ne 0 ]
then
    # renewal failed: report the tail of the client log and exit non-zero so cron notices
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
    exit 1
else
    # renewal succeeded: make nginx pick up the new certificate
    nginx -s reload
fi
exit 0
```
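The cron entry and the script above reload nginx as soon as the client exits 0, without looking at what actually landed in /etc/letsencrypt/live. The wrapper below is an added example (neither the page's nor the NGINX blog's script) that puts three checks between renewal and reload: privkey.pem must match the public key in fullchain.pem, the certificate must remain valid for at least MIN_DAYS, and fullchain.pem must really carry the chain certificate the page describes it as containing. It assumes the openssl command-line tool and the /etc/letsencrypt/live/<domain>/ layout listed above; LIVE_DIR, MIN_DAYS and the function names are this example's own.

```shell
#!/bin/sh
# Renew with letsencrypt-auto, then verify the live directory before reloading nginx.
# Added example, not the page's or the NGINX blog's script. Assumes the openssl CLI
# and the /etc/letsencrypt/live/<domain>/ layout the page lists.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/example.com}   # variable name chosen for this example
MIN_DAYS=${MIN_DAYS:-30}                                   # reload only if still valid this long

# cert_key_match CERT KEY: true when KEY's public half equals the public key in CERT.
# Comparing the exported SubjectPublicKeyInfo works for RSA and ECDSA keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: true when CERT does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# fullchain_has_intermediate FILE: true when FILE holds the leaf plus at least one chain cert.
fullchain_has_intermediate() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null)
    [ "${n:-0}" -ge 2 ]
}

# verify_live_dir DIR: run every check, print the first failure; true only when all pass.
verify_live_dir() {
    dir=$1
    cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "privkey.pem does not match fullchain.pem in $dir"; return 1; }
    cert_valid_for_days "$dir/fullchain.pem" "$MIN_DAYS" \
        || { echo "certificate in $dir expires within $MIN_DAYS days"; return 1; }
    fullchain_has_intermediate "$dir/fullchain.pem" \
        || { echo "fullchain.pem in $dir carries no chain certificate"; return 1; }
    echo "certificate in $dir verified"
}

# Renew, verify, then reload; any failure leaves the running nginx untouched.
main() {
    /opt/letsencrypt/letsencrypt-auto renew || { echo "renewal failed"; exit 1; }
    verify_live_dir "$LIVE_DIR" || exit 1
    nginx -t && nginx -s reload
}

# Run as `sh renew-check.sh run` (for example from the crontab entry above);
# without the argument the file only defines the functions so they can be sourced.
case "${1:-}" in run) main ;; esac
```

Because each check is its own function, the same file can be sourced from a monitoring job that only calls `cert_valid_for_days` to alert well before expiry, independent of the renewal run.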
A question: what is a Strong Diffie-Hellman Group?
The default Diffie-Hellman prime isn't long enough, so openssl is used to generate a 2048-bit Strong Diffie-Hellman Group (https://zh.wikipedia.org/zh-tw/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B)