Using Let's Encrypt certificates

Getting started with Let's Encrypt

Let's Encrypt project site: https://letsencrypt.org/getting-started/

The recommended client is certbot, a tool that automates certificate issuance and renewal.

Visit https://certbot.eff.org/, choose your web server and operating system, and you will get certbot instructions for that combination.

Follow those instructions to install the dependencies, then download the certbot-auto wrapper script and make it executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Note that certbot-auto has since been deprecated by the EFF and is no longer maintained; the current instructions at https://certbot.eff.org/ install certbot from the snap package or the distribution's own package instead. The certbot-auto commands below map one-to-one onto the certbot command of those packages; only the path to the binary changes.

Issuing a certificate

Assume the server runs CentOS with Nginx, certbot-auto is at /path/to/certbot-auto, the domain is www.example.com (with example.com as an additional name), and the site's webroot is /usr/share/nginx/html/. Issue the certificate with:

/path/to/certbot-auto certonly --webroot -w /usr/share/nginx/html/ -d www.example.com -d example.com

Every name passed with -d must resolve to this host and be served from that webroot over plain HTTP on port 80, because the webroot plugin answers the ACME http-01 challenge: certbot creates the directory .well-known/acme-challenge/ under /usr/share/nginx/html/, writes a file with a random token name into it, and the Let's Encrypt validation servers fetch http://www.example.com/.well-known/acme-challenge/<token> (and the same path on every other requested name) to verify that the domain points at this host. The token file is removed after validation.

On success the certificate is stored under /etc/letsencrypt/live/www.example.com/. certbot names this directory after the first -d name (override it with --cert-name), so the order above matters for the Nginx paths used later. fullchain.pem (leaf certificate followed by the intermediate chain) and privkey.pem in that directory are symlinks to the newest version under /etc/letsencrypt/archive/, so the Nginx configuration can point at the live/ paths and keep working across renewals.
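The most common reason the command above fails is that the challenge path is not actually reachable from the outside (wrong webroot, a location block that shadows /.well-known/, DNS not pointing here yet). The following pre-flight check, added here as an example and not part of the original page or of certbot, does what the validators do: it writes a throwaway token under WEBROOT/.well-known/acme-challenge/, fetches it back through the public URL, and compares. It assumes the webroot and domain names used in this article and that curl is installed; FETCH is an override so the same logic can be exercised against a directory without a web server.

```shell
#!/bin/sh
# Pre-flight check for the http-01 webroot challenge path (added example,
# not certbot's own code). Assumptions: WEBROOT is the directory Nginx serves
# for /.well-known/acme-challenge/, curl is installed, and FETCH may be
# overridden (e.g. FETCH=cat with a directory as BASE) for offline testing.
set -u

WEBROOT="${WEBROOT:-/usr/share/nginx/html}"
FETCH="${FETCH:-curl -fsS}"

# Print a 32-hex-character random token; needs only od and tr.
random_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_challenge_path WEBROOT BASE
#   BASE is the URL prefix the validators would use, e.g. http://www.example.com
# Returns 0 when BASE/.well-known/acme-challenge/<token> serves back exactly the
# token written into WEBROOT, 1 otherwise. The token file is always removed.
check_challenge_path() {
    webroot="$1"
    base="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="$(random_token)"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    got="$($FETCH "$base/.well-known/acme-challenge/$token" 2>/dev/null)"
    rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -eq 0 ] && [ "$got" = "$token" ]; then
        echo "ok: $base serves $dir"
        return 0
    fi
    echo "FAIL: $base/.well-known/acme-challenge/ does not serve $dir (rc=$rc)" >&2
    return 1
}

# check_all HOST...: run the check for every name that will be passed with -d.
check_all() {
    status=0
    for host in "$@"; do
        check_challenge_path "$WEBROOT" "http://$host" || status=1
    done
    return $status
}

# Usage on the server, before running certbot:
#   sh preflight.sh www.example.com example.com
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Run it as root (or a user that can write to the webroot) with every name you intend to pass to certbot; a FAIL for one name means that name would fail validation and the whole certificate request would be rejected, since a single certificate is issued for all of them.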

Automatic renewal

Let's Encrypt certificates are valid for 90 days, so they must be renewed regularly. The renewal command is:

/path/to/certbot-auto renew --quiet --deploy-hook "systemctl reload nginx"

renew walks every certificate registered under /etc/letsencrypt/renewal/ and, by default, renews those that are within 30 days of expiry, reusing the webroot settings saved at issuance. Nginx keeps serving the certificate it loaded at its last start or reload, so without the --deploy-hook (which certbot runs only when a certificate was actually renewed) the new certificate would sit on disk unused. On a systemd-based CentOS release systemctl reload nginx is the right command; otherwise use nginx -s reload.

Taking crond as an example, add these two lines to /etc/crontab so that renewal runs automatically:

0 0 * * * root /path/to/certbot-auto renew --quiet --deploy-hook "systemctl reload nginx"
0 12 * * * root /path/to/certbot-auto renew --quiet --deploy-hook "systemctl reload nginx"

These entries attempt a renewal at 00:00 and 12:00 every day. Because renew does nothing for a certificate that is not yet inside the 30-day window, running it this often has no effect on a fresh certificate; the certbot documentation recommends the twice-daily schedule so that a replacement is obtained promptly if Let's Encrypt has to revoke and reissue certificates because of an incident on their side. Before relying on the cron job, confirm that unattended renewal works with /path/to/certbot-auto renew --dry-run, which performs the full challenge against the staging environment without touching the live certificate.
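Renewal only writes new files to disk; Nginx reads certificates at start or reload. A plain reload from cron is risky if the Nginx configuration has been edited since the last reload, because a syntax error would then take the site down at midnight with nobody watching. The deploy hook below, added here as an example and not part of the original page or of certbot, is meant for certbot's --deploy-hook option: it runs nginx -t first, reloads only when the configuration tests clean, and appends one line per renewal to a log. The script path /usr/local/bin/letsencrypt-deploy.sh and the log path are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# certbot deploy hook (added example, not certbot's own code).
# Install as /usr/local/bin/letsencrypt-deploy.sh (assumed path) and call it as
#   certbot renew --quiet --deploy-hook /usr/local/bin/letsencrypt-deploy.sh
# certbot runs the hook once per successfully renewed certificate and exports
# RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and
# RENEWED_DOMAINS (space-separated names). NGINX_BIN and LOG_FILE are
# overridable only so the logic can be exercised without a real Nginx.

# reload_nginx_if_valid: return 0 if "nginx -t" accepted the configuration and
# a reload was requested, 1 if the configuration test failed (no reload).
reload_nginx_if_valid() {
    nginx_bin="${NGINX_BIN:-nginx}"
    if "$nginx_bin" -t >/dev/null 2>&1; then
        "$nginx_bin" -s reload
        return $?
    fi
    return 1
}

# log_renewal RESULT: append one line describing the renewal certbot just did.
log_renewal() {
    printf '%s renewed %s (%s) -> %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${RENEWED_LINEAGE:-unknown-lineage}" \
        "${RENEWED_DOMAINS:-unknown-domains}" \
        "$1" >> "${LOG_FILE:-/var/log/letsencrypt-deploy.log}"
}

# deploy_hook: the entry point certbot invokes; its exit status is reported by
# certbot, so a failed config test shows up in certbot's own output too.
deploy_hook() {
    if reload_nginx_if_valid; then
        log_renewal "nginx reloaded"
        return 0
    fi
    log_renewal "nginx config test FAILED, not reloaded"
    echo "letsencrypt-deploy: nginx -t failed; new certificate is on disk but not loaded" >&2
    return 1
}

# Run only when executed as the installed hook, not when sourced for testing.
case "$0" in
    *letsencrypt-deploy.sh) deploy_hook ;;
esac
```

Because certbot runs deploy hooks only on an actual renewal, this reloads Nginx at most once every 60 days or so rather than twice a day, and the log gives a dated record of which lineage was renewed and whether the reload happened.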

Nginx configuration

Assume the Nginx configuration directory is /etc/nginx/conf.d/. Create a file www.example.com.conf there with the following content:

server {
	listen 80;
	listen [::]:80;
	# example.com is listed too because the certbot command requests a certificate
	# for both names: the http-01 challenge for example.com must reach this block.
	server_name www.example.com example.com;

	# Serve the ACME challenge directory over plain HTTP so that certbot renew
	# keeps working after the redirect below is in place. A prefix match (^~) is
	# used instead of the unescaped regex "^/.well-known", which would also match
	# /xwell-known and everything below it.
	location ^~ /.well-known/acme-challenge/ {
		root /usr/share/nginx/html;
	}

	# 301 redirect forcing the whole site to HTTPS. Optional, but the HSTS header
	# below assumes it. $server_name expands to the first name in server_name, so
	# requests for example.com land on https://www.example.com/.
	location / {
		return 301 https://$server_name$request_uri;
	}
}

server {
	# Nginx 1.25.1+ prefers a separate "http2 on;" directive over the listen parameter.
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name www.example.com example.com;

	# "ssl on;" is unnecessary when the listen directives carry "ssl" (deprecated in
	# 1.15.0, removed in 1.25.1), so it is omitted.

	# fullchain.pem holds the leaf certificate followed by the intermediate(s), and
	# Nginx sends the whole file in the handshake. Both paths are symlinks that
	# certbot repoints on renewal, so they never need editing.
	ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	# Session tickets are off because Nginx has no built-in ticket key rotation;
	# a long-lived ticket key undermines forward secrecy for resumed sessions.
	ssl_session_tickets off;

	# Diffie-Hellman parameters for DHE ciphersuites, at least 2048 bits. Not needed
	# with the ECDHE-only cipher list below; generate with
	# "openssl dhparam -out /path/to/dhparam.pem 2048" if DHE suites are added.
	#ssl_dhparam /path/to/dhparam.pem;

	# Modern configuration; tweak to your needs. TLSv1.3 needs Nginx 1.13.0+ built
	# against OpenSSL 1.1.1+ and uses its own suites regardless of ssl_ciphers.
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

	# HSTS (ngx_http_headers_module is required). 15768000 seconds = 6 months.
	# Once a browser has seen this header it refuses plain HTTP to this host for the
	# full max-age, so make sure HTTPS works before enabling it. includeSubDomains is
	# not set, so subdomains are unaffected. add_header directives are not inherited
	# by a location that declares its own add_header, so keep them all at one level.
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP stapling: Nginx fetches the OCSP response for the leaf certificate and
	# sends it in the handshake. ssl_stapling_verify needs the issuer chain
	# (ssl_trusted_certificate), and fetching needs a resolver directive for the
	# responder hostname. Let's Encrypt has since stopped including OCSP URLs in its
	# certificates, so with current Let's Encrypt certificates these directives have
	# no effect; they are kept for CAs that still provide OCSP.
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
	#resolver 127.0.0.1 valid=300s;   # assumption: a local caching resolver

	root /usr/share/nginx/ghost/;
	index index.html index.htm;
	client_max_body_size 10G;

	access_log /var/log/nginx/ghost.log;

	location / {
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header Host $http_host;
		# Ghost is reached over plain HTTP on localhost; X-Forwarded-Proto tells it the
		# client connection is HTTPS and avoids redirect loops when its url is https://.
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-NginX-Proxy true;

		proxy_pass http://127.0.0.1:2368;
		proxy_redirect off;
	}

	location ~ ^/(sitemap\.xml|robots\.txt)$ {
		root /usr/share/nginx/ghost/core/shared/;
	}

	# Same challenge location as on port 80, in case a client or certbot ends up here.
	location ^~ /.well-known/acme-challenge/ {
		root /usr/share/nginx/html;
	}
}

Run nginx -t and reload Nginx after saving the file.

After deployment, check the result with this service:

https://observatory.mozilla.org/
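The two properties the configuration above is meant to deliver can also be checked from the command line: port 80 must answer with a 301 to the https:// URL, and port 443 must send Strict-Transport-Security with a max-age of at least the configured 15768000 seconds. The script below is added here as an example and is not part of the original page. Its parsing functions work on a captured header block, so they can be run against constructed sample responses as well as live ones; check_site fetches the live headers with curl (assumed installed) for the article's domain.

```shell
#!/bin/sh
# Post-deployment checks for the redirect and HSTS settings (added example,
# not part of the original page). Assumes curl for the live check; the
# evaluation functions themselves need only awk and tr.

# redirect_target HEADERS: print the Location of a 301/302/307/308 response,
# or nothing if the response is not a redirect.
redirect_target() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR==1 && $2 !~ /^30[1278]$/ { exit }
        tolower($1)=="location:" { print $2; exit }'
}

# hsts_max_age HEADERS: print the max-age value from Strict-Transport-Security,
# or nothing if the header is absent. Header names are matched case-insensitively
# (HTTP/2 lowercases them).
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F': *' '
        tolower($1)=="strict-transport-security" {
            if (match($2, /max-age=[0-9]+/)) print substr($2, RSTART+8, RLENGTH-8)
        }'
}

# evaluate HOST HTTP_HEADERS HTTPS_HEADERS: pure logic, no network. Returns 0
# only if the HTTP response redirects to https://HOST/ and the HTTPS response
# carries HSTS with max-age >= 15768000 (the value used in the Nginx config).
evaluate() {
    host="$1"
    ok=0
    target="$(redirect_target "$2")"
    case "$target" in
        "https://$host/"*) echo "ok: http://$host/ -> $target" ;;
        *) echo "FAIL: http://$host/ did not redirect to https://$host/ (got '$target')" >&2; ok=1 ;;
    esac
    age="$(hsts_max_age "$3")"
    if [ -n "$age" ] && [ "$age" -ge 15768000 ]; then
        echo "ok: HSTS max-age=$age"
    else
        echo "FAIL: HSTS header missing or max-age too small ('$age')" >&2
        ok=1
    fi
    return $ok
}

# check_site HOST: fetch the live headers and evaluate them.
check_site() {
    host="${1:-www.example.com}"
    http_headers="$(curl -sI "http://$host/")"
    https_headers="$(curl -sI "https://$host/")"
    evaluate "$host" "$http_headers" "$https_headers"
}

# Usage on any machine with outbound access:
#   sh check-deploy.sh www.example.com
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it once for www.example.com and once for example.com: the redirect check confirms the bare domain also ends up on https://www.example.com/, which is what the $server_name redirect in the port 80 block is meant to do.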

References

https://robertnealan.com/setting-up-ssl-for-ghost-on-digitalocean-with-lets-encrypt/