
Let's Encrypt Installation and Nginx Configuration

The earlier Let's Encrypt article covered the Apache version (Installing a Let's Encrypt SSL certificate). The Let's Encrypt client has improved a lot since then, so here is a separate write-up of the Nginx setup.

Let's Encrypt Installation and Nginx Configuration

The steps below are based on this article: How To Secure Nginx with Let's Encrypt on Ubuntu 16.04

Let's Encrypt Installation

  1. apt-get -y install git-core
  2. git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  3. sudo vim /etc/nginx/sites-available/default # the Let's Encrypt validation needs .well-known to be reachable
    location ~ /.well-known {
        allow all;
    }
  4. sudo nginx -t # test the configuration
  5. # Issue the certificate
  6. cd /opt/letsencrypt
  7. ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com
  8. # Once issued, the certificate files can be found here
  9. ls /etc/letsencrypt/live/example.com/
    • cert.pem: Your domain's certificate
    • chain.pem: The Let's Encrypt chain certificate
    • fullchain.pem: cert.pem and chain.pem combined
    • privkey.pem: Your certificate's private key
  10. # Generate a strong Diffie-Hellman group
  11. sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  12. # Add the SSL settings to nginx
  13. sudo vim /etc/nginx/sites-enabled/example.com.conf
    server {
        listen 443 ssl http2;
        server_name  example.com;
    
        # Certificate
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
        # The settings below are optional
        # Note: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); current deployments enable TLSv1.2 and TLSv1.3 only
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
    
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
        access_log  /var/log/nginx/example.access.log;
        error_log   /var/log/nginx/example.error.log;
    
        root    /var/www/html;
        location / {
            index   index.html;
        }
    
        location ~ /.well-known {
            allow all;
        }
    }
  14. # To force HTTP to HTTPS with a 301 redirect, add the following server block:
  15. sudo vim /etc/nginx/sites-enabled/example.com.conf
    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;
    }
  16. sudo nginx -t # check the configuration for errors
  17. Renewing the SSL certificate
    • /opt/letsencrypt/letsencrypt-auto renew
  18. Automatic SSL renewal
    1. crontab -e
    2. 30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
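The server block in step 13 still enables TLSv1 and TLSv1.1, which RFC 8996 has since deprecated, and it is easy to lose a directive such as ssl_dhparam or ssl_stapling when the block is copied between hosts. The script below is an added example, not code from the original post or from the Let's Encrypt client: it reads an nginx server block and reports the TLS settings a reviewer checks first (deprecated protocol versions, a missing ssl_dhparam, OCSP stapling not enabled, and a missing Strict-Transport-Security header), returning the number of findings as its exit status. The two sample configurations it writes are constructed for the demonstration; the first mirrors the page's block, the second enables TLSv1.2 and TLSv1.3 only. It assumes only POSIX sh, grep, sed and mktemp, so it runs without nginx installed.

```shell
#!/bin/sh
# Added example: audit the TLS settings of an nginx server block.
# Assumes POSIX sh, grep, sed and mktemp; nginx itself is not needed.

# Print one finding per line for the config file named in $1.
# The exit status is the number of findings (0 = nothing flagged).
audit_tls_config() {
    cfg="$1"
    findings=0

    # Drop comments first so a commented-out directive is not counted.
    body=$(sed 's/#.*$//' "$cfg")

    protos=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' | head -n 1)
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set: the nginx default applies"
        findings=$((findings + 1))
    else
        # SSLv2/SSLv3 and TLS 1.0/1.1 are deprecated; flag each one that is enabled.
        for old in 'SSLv2' 'SSLv3' 'TLSv1' 'TLSv1\.1'; do
            if printf '%s\n' "$protos" | grep -qE "(^|[[:space:]])$old([[:space:]]|;)"; then
                echo "deprecated protocol enabled: $(printf '%s' "$old" | sed 's/\\//g')"
                findings=$((findings + 1))
            fi
        done
    fi

    if ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*ssl_dhparam[[:space:]]'; then
        echo "ssl_dhparam missing: no custom DH group configured"
        findings=$((findings + 1))
    fi

    if ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
        echo "OCSP stapling not enabled (ssl_stapling on)"
        findings=$((findings + 1))
    fi

    if ! printf '%s\n' "$body" | grep -qiE 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "Strict-Transport-Security header not set"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample 1: the block as the post has it, TLS 1.0/1.1 still enabled.
write_legacy_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # ssl_protocols TLSv1.2;   (commented out on purpose: must be ignored)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
EOF
}

# Constructed sample 2: the same block restricted to TLS 1.2 and 1.3.
write_hardened_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}
EOF
}

# Stand-alone run: audit both constructed samples.
legacy=$(mktemp) && hardened=$(mktemp)
write_legacy_config "$legacy"
write_hardened_config "$hardened"
for f in "$legacy" "$hardened"; do
    echo "== $f"
    audit_tls_config "$f" || echo "-> $? finding(s)"
done
rm -f "$legacy" "$hardened"
```

To audit a live host, run `audit_tls_config /etc/nginx/sites-enabled/example.com.conf` (the page's file name) after `nginx -t` has passed; the exit status makes it usable as a pre-deploy check in a script or CI job. On the first sample it reports TLSv1 and TLSv1.1 and exits with 2; on the second it reports nothing and exits with 0.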

Renewal can also be done with the script below (taken from: Free SSL/TLS Certificates with Let's Encrypt and NGINX)

#!/bin/sh
# Renew the certificate described in my-domain.conf and reload nginx only on success.

cd /opt/letsencrypt/ || exit 1

if ! ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly; then
    # Include the tail of the client log so the cron mail explains the failure.
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    # printf instead of "echo -e": /bin/sh on Debian/Ubuntu is dash, which has no -e option.
    printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
    exit 1
else
    nginx -s reload
fi

exit 0


Tsung: interested in anything new, likes simple things, and lives a simple life.