Configuring SSL certificates with Let's Encrypt

1. Install Certbot

Let's Encrypt certificates do not have to be issued by hand; the official recommendation is to use the certbot automation tool.

  • Nginx on CentOS/RHEL 7

    Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, you must first enable the EPEL repository. On RHEL or Oracle Linux, you must also enable the optional channel.

    Note:

    If you are using RHEL on EC2, you can enable the optional channel by running:

    $ yum -y install yum-utils
    $ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    

    After doing this, you can install Certbot by running:

    $ sudo yum install certbot-nginx
    
  • Nginx on Ubuntu 16.04 (xenial)

    On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you'll need to do is apt-get the following packages.

    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-nginx
    

    Certbot's DNS plugins which can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server are not available for your OS yet. This should change soon but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

2. Generate the SSL certificate
  • Edit the configuration file:

    $ sudo vim /etc/letsencrypt/configs/hostname
    
    # your domain and contact e-mail
    domains = hostname
    rsa-key-size = 2048
    email = your-email
    text = True
    
    # change the path below to the directory that serves hostname
    authenticator = webroot
    webroot-path = /mnt/var/www/<your-name>/<hostname>
    

    Just change hostname to your own domain. certbot will create the hidden path .well-known/acme-challenge under /mnt/var/www/<your-name>/<hostname> and prove that hostname really belongs to you by requesting a file from it: a validation server on the public internet fetches http://hostname/.well-known/acme-challenge/ , and if that request succeeds the validation passes.

  • Configure Nginx for webroot validation

    e.g. edit a file named temp in the /etc/nginx/sites-available directory:

    server {
       listen 80;
       server_name hostname;

       # serve the ACME challenge files straight from the webroot
       location ~ /.well-known {
           root /mnt/var/www/<your-name>/<hostname>;
           default_type "text/plain";
       }
    }
    

    Create the symlink:

    $ cd /etc/nginx/sites-enabled     # required: the link target below is relative to this directory
    $ sudo ln -s ../sites-available/temp temp
    $ sudo openresty -s reload
    
  • Generate the SSL certificate

    $ sudo certbot -c /etc/letsencrypt/configs/hostname certonly
    
    ## after a moment, output like the following means it succeeded
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/hostname/fullchain.pem.
    

    Afterwards, delete the temp symlink created above.
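    Before running certbot certonly as above, it is worth confirming that the webroot path in the config and the nginx location block actually agree, because a wrong root or a 403 on the hidden directory is the usual reason validation fails. The following preflight is an added example and not part of the original post or of certbot: it stages a throw-away token under .well-known/acme-challenge/ the way the webroot authenticator does, reads it back from disk, and, if a hostname is given, also fetches it over plain HTTP with curl. The webroot and hostname arguments are assumptions you supply.

```shell
#!/bin/sh
# Added example (not from the original post): preflight for certbot's
# webroot validation. Assumes the webroot directory is the one given as
# webroot-path in the certbot config; the hostname argument is optional and
# only used for the HTTP round trip through nginx.

# Create .well-known/acme-challenge/<token> under the webroot, as certbot's
# webroot authenticator does, and print the token.
stage_acme_probe() {
    webroot="$1"
    token="preflight-$(date +%s)-$$"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    echo "$token"
}

# Check that the staged file exists with the expected content on disk and,
# when a hostname is supplied, that nginx serves the same bytes over plain
# HTTP at the URL Let's Encrypt will request.
verify_acme_probe() {
    webroot="$1"
    token="$2"
    host="${3:-}"
    path="$webroot/.well-known/acme-challenge/$token"

    if [ ! -f "$path" ]; then
        echo "missing on disk: $path" >&2
        return 1
    fi
    if [ "$(cat "$path")" != "$token" ]; then
        echo "content mismatch on disk: $path" >&2
        return 1
    fi
    if [ -n "$host" ]; then
        # -f makes curl fail on 403/404, which is exactly what a wrong root
        # or a missing location block produces.
        got=$(curl -fsS "http://$host/.well-known/acme-challenge/$token") || {
            echo "nginx did not serve the challenge for $host" >&2
            return 1
        }
        if [ "$got" != "$token" ]; then
            echo "nginx served different content for $host" >&2
            return 1
        fi
    fi
    return 0
}

# Remove the probe file again; the directory is left for certbot to reuse.
cleanup_acme_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Whole preflight in one call: returns 0 if certbot's webroot validation can
# be expected to succeed for this webroot (and hostname, if given).
acme_preflight() {
    webroot="$1"
    host="${2:-}"
    token=$(stage_acme_probe "$webroot") || return 1
    verify_acme_probe "$webroot" "$token" "$host"
    rc=$?
    cleanup_acme_probe "$webroot" "$token"
    return $rc
}
```

    Run it as acme_preflight /mnt/var/www/<your-name>/<hostname> hostname after reloading nginx with the temp site; a non-zero exit with the message on stderr tells you which half (filesystem or nginx) is misconfigured before certbot spends a validation attempt on it.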

3. Deploy the HTTPS reverse proxy
  • nginx configuration file

    Edit a file named hostname in the /etc/nginx/sites-available directory.

    Template:

      upstream monitor_server {
          server <server-host>:<port>;
          keepalive 2000;
      }
    
      server {
          listen 80;
          server_name hostname;
    
          # redirect all http to https
          return 301 https://$host$request_uri;
      }
    
      server {
          listen 443 ssl;
          server_name hostname;
    
          ssl_certificate /etc/letsencrypt/live/hostname/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/hostname/privkey.pem;
          # SSLv2/SSLv3 are disabled by not being listed; TLSv1 and TLSv1.1 are
          # deprecated as well (RFC 8996) and can be dropped once no legacy
          # clients depend on them
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
          # ciphers' order matters: ECDHE suites first, for forward secrecy
          ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL";
    
          # the elliptic curve used for the ECDHE key exchange
          ssl_ecdh_curve secp384r1;
    
          # use the command line
          # openssl dhparam -out dhparam.pem 2048
          # to generate Diffie-Hellman Ephemeral parameters
          ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
          # let the server choose the cipher
          ssl_prefer_server_ciphers on;
    
          # turn on OCSP stapling and verify the stapled response
          # (nginx also needs a resolver directive to reach the OCSP responder)
          ssl_stapling on;
          ssl_stapling_verify on;
    
          # http compression is not safe over https:
          # it opens you up to vulnerabilities like BREACH and CRIME
          gzip off;
    
          # the port-80 server redirects everything here, so the ACME challenge
          # for renewals has to be served from this block as well
          location ^~ /.well-known/acme-challenge/ {
              default_type "text/plain";
              root /mnt/var/www/<your-name>/<hostname>;
          }
          location / {
            ...
          }
    
          access_log /mnt/log/nginx/hostname/access.log;
          error_log /mnt/log/nginx/hostname/error.log;
      }
    

    Notes:

    To support HTTP/2, change the first line of the HTTPS server block to listen 443 ssl http2; this enables Nginx's ngx_http_v2_module for HTTP/2. Nginx must be newer than 1.9.5 and compiled with --with-http_v2_module.

    ssl_certificate and ssl_certificate_key point to fullchain.pem and privkey.pem respectively; these two files are the certificate and private key generated earlier.

    ssl_dhparam is generated with the following command:

    $ sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
    

    Then:

    $ cd /etc/nginx/sites-enabled     # required: the link target below is relative to this directory
    $ sudo ln -s ../sites-available/hostname hostname
    $ sudo openresty -s reload
    
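    The template above hard-codes its protocol and cipher choices, and those age: TLS 1.0/1.1 and the DES-CBC3-SHA suite it still lists are deprecated today, and the non-ECDHE AES suites give up forward secrecy. As an added example (not part of the original post, and not an nginx or certbot tool), the script below audits the ssl_protocols, ssl_ciphers, gzip and Strict-Transport-Security settings of a server block and prints one finding per line, so it can gate the reload in step 3. The two sample configs it writes are constructed for the test: the first mirrors the template's weak entries, the second is a hardened counterpart.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS directives of an
# nginx server block before reloading. Flags deprecated protocols, weak or
# non-forward-secret cipher suites, gzip left on, and a missing HSTS header.

# Print one finding per line and return 1 if anything was found.
audit_tls_config() {
    conf="$1"
    findings=0

    # ssl_protocols: anything older than TLS 1.2 is deprecated (RFC 8996).
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "WEAK_PROTOCOL $p"
                findings=$((findings + 1)) ;;
        esac
    done

    # ssl_ciphers: split the OpenSSL cipher string on ':' and inspect each entry.
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' "$conf")
    old_ifs=$IFS
    IFS=:
    for c in $ciphers; do
        case "$c" in
            !*) ;;                                  # exclusions such as !aNULL are fine
            *3DES*|DES-*|*-DES-*|*RC4*|*-MD5|*NULL*|EXP-*)
                echo "WEAK_CIPHER $c"               # broken or export-grade primitives
                findings=$((findings + 1)) ;;
            ECDHE-*|DHE-*) ;;                       # ephemeral key exchange, keep
            *)
                echo "NO_PFS_CIPHER $c"             # static RSA key exchange
                findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs

    # Compression over TLS enables BREACH-style attacks.
    if grep -Eq '^[[:space:]]*gzip[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "GZIP_ON"
        findings=$((findings + 1))
    fi

    # HSTS keeps browsers from going back to plain HTTP after the 301.
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "MISSING_HSTS"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the template's protocol and cipher choices.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name hostname;
    ssl_certificate /etc/letsencrypt/live/hostname/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hostname/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL";
    ssl_prefer_server_ciphers on;
    gzip off;
}
EOF
}

# Constructed hardened counterpart: TLS 1.2+ only, ECDHE-only suites, HSTS set.
write_hardened_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name hostname;
    ssl_certificate /etc/letsencrypt/live/hostname/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hostname/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    gzip off;
}
EOF
}
```

    Against the sample mirroring the template the audit reports two WEAK_PROTOCOL lines, one WEAK_CIPHER for DES-CBC3-SHA, a NO_PFS_CIPHER line for each plain AES suite and MISSING_HSTS, and exits 1; the hardened counterpart produces no output and exits 0. Wiring it in front of openresty -s reload turns the comments in the template into an enforced policy.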
4. Set up automatic certificate renewal
$ sudo vim /etc/systemd/system/letsencrypt.service
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/bin/systemctl reload nginx.service

Then add a systemd timer to trigger this service:

$ sudo vim /etc/systemd/system/letsencrypt.timer
[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

Enable and start the timer:

$ sudo systemctl enable letsencrypt.timer
$ sudo systemctl start letsencrypt.timer

Once those two commands complete, systemctl list-timers lists all systemd timers; letsencrypt.timer will be among them, with its next run shown as 12 midnight tomorrow.
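A timer that fires every day is only useful if someone notices when the renewal inside it keeps failing. certbot renew only replaces certificates that are within 30 days of expiry, so a live certificate that is closer to expiry than that is a sign the timer or the validation is broken. The check below is an added example and not part of the original post or of certbot: it uses openssl x509 -checkend to test each live certificate against that window and exits non-zero when one is inside it, so it can run from its own timer or a monitoring job. It assumes openssl is installed and certbot's default /etc/letsencrypt/live/<name>/fullchain.pem layout.

```shell
#!/bin/sh
# Added example (not from the original post): alert when a live certificate
# is inside certbot's renewal window, which means the daily renewal timer is
# not doing its job. Assumes openssl and the default /etc/letsencrypt/live
# layout.

# Return 0 (true) when the certificate in $1 expires within $2 days.
# openssl x509 -checkend exits 0 only if the certificate stays valid for
# that many seconds, so the result is inverted here. An unreadable or
# unparseable file also counts as needing attention (fail closed).
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walk every live certificate, print the ones inside the renewal window and
# return 1 if any were found, so a cron job or timer can page on it.
check_live_certs() {
    live_dir="${1:-/etc/letsencrypt/live}"
    days="${2:-30}"
    rc=0
    for cert in "$live_dir"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        if needs_renewal "$cert" "$days"; then
            echo "EXPIRING_SOON $cert"
            rc=1
        fi
    done
    return $rc
}
```

Running check_live_certs with no arguments after the timer has had a few days to act is the simplest sanity check; a certificate that never leaves the EXPIRING_SOON list means certbot renew is failing and its output (run without --quiet) needs a look.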

5. Test SSL security with an online tool

Qualys SSL Labs provides a comprehensive SSL security test: enter your site's domain name and have your HTTPS configuration graded.
