Preface

  • Experimental environment: Ubuntu 16.04, Nginx 1.14.0
  • Prerequisite: SSL is already configured in nginx.conf, but the certificate is about to expire or has already expired.
  • Purpose: use certbot to obtain a Let's Encrypt SSL certificate and renew it automatically so that it never expires; configure it once and never update the certificate by hand again.
  • Experiment domain name: test.domain.com

1. Install certbot

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
# install the certbot client itself from the PPA added above
sudo apt-get install certbot

2. Configure nginx location

Purpose: let Let's Encrypt check and confirm that the domain name we are configuring is under our control.

1. Create a new file to hold this configuration. Here we use /usr/local/etc/nginx/letsencrypt.locations.

Note that the suffix must be .locations (anything other than .conf will do): if the file ends in .conf, nginx picks it up at http level through its include of *.conf files, where a bare location directive is not allowed, and after you include it in the server block, nginx -s reload fails with "nginx: [emerg] "location" directive is not allowed here in ...".

2. Create a directory to store the files used to communicate with Let's Encrypt:

mkdir -p /usr/local/etc/nginx/letsencrypt/

You can customize this path and put it anywhere that suits you, but it does not exist at first, so it has to be created manually.

The contents of letsencrypt.locations are as follows:

location /.well-known/acme-challenge/ {
  alias /usr/local/etc/nginx/letsencrypt/;
}

The nginx configuration files live in /etc/nginx/conf.d; suppose the file we maintain is test.domain.com.conf, with the following server block (the include path must point at the .locations file created above):

server {
  listen 80;
  listen [::]:80;
  server_name test.domain.com;

  include /usr/local/etc/nginx/letsencrypt.locations;
}

3. Generate a certificate

You need two open terminals.

1. In the first terminal (replace the e-mail address with your own):

certbot certonly --email you@example.com -d test.domain.com --agree-tos --manual

Answer Y to the prompts; during the process certbot prints information like the following:

Create a file containing just this data:

aDAMY6722Jb6C12JSAwMFZt42L814EVNIXnL21_Ap0-44YwmTqVA.-s23FIsrYa23e_M-6o3zwagFHyGjfmwsfOsmb2tr-YePnvHSO1KRM

And make it available on your web server at this URL:

http://test.domain.com/.well-known/acme-challenge/aDAMY2xvv627Jb6C1JSAwMFSZt42WGL84E2VNIXnL_Ap0GH-Ywm3qVA

2. In the second terminal, create a file in the challenge directory, named after the last path component of the URL and containing the data certbot printed:

cd /usr/local/etc/nginx/letsencrypt/ && \
  echo aDAMY6722Jb6C12JSAwMFZt42L814EVNIXnL21_Ap0-44YwmTqVA.-s23FIsrYa23e_M-6o3zwagFHyGjfmwsfOsmb2tr-YePnvHSO1KRM > aDAMY2xvv627Jb6C1JSAwMFSZt42WGL84E2VNIXnL_Ap0GH-Ywm3qVA

3. Switch back to the first terminal

Press Enter to continue. Let's Encrypt requests http://test.domain.com/.well-known/acme-challenge/aDAMY2xvv627Jb6C1JSAwMFSZt42WGL84E2VNIXnL_Ap0GH-Ywm3qVA and checks that its content is correct; if it is, the certificate is issued.

By default the certificate is saved under /etc/letsencrypt/live/test.domain.com/ as fullchain.pem and privkey.pem. At this point we have a Let's Encrypt SSL certificate, valid for 3 months.
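The two-terminal copy-and-paste above can be automated. The following is an added example script, not part of the original post, meant to be used as certbot's --manual-auth-hook and --manual-cleanup-hook. certbot exports CERTBOT_TOKEN (the file name under /.well-known/acme-challenge/) and CERTBOT_VALIDATION (the file content) to the hook, which is exactly what was typed by hand in the second terminal. The directory defaults to the alias target of the location block; the function names and the auth/cleanup argument are my own.

```shell
#!/bin/sh
# Added example (not from the original post): certbot --manual-auth-hook /
# --manual-cleanup-hook script. certbot sets CERTBOT_TOKEN and
# CERTBOT_VALIDATION in the hook's environment; CHALLENGE_DIR defaults to the
# directory that the nginx location block aliases.
CHALLENGE_DIR="${CHALLENGE_DIR:-/usr/local/etc/nginx/letsencrypt}"

# write_challenge DIR TOKEN VALIDATION
# Creates DIR/TOKEN containing VALIDATION (no trailing newline). ACME tokens are
# base64url, so any other character (e.g. a "../" component) is refused rather
# than written, so a bad token can never create a file outside DIR.
write_challenge() {
    dir=$1; token=$2; validation=$3
    case "$token" in
        ''|*[!A-Za-z0-9_-]*)
            echo "write_challenge: refusing unsafe token '$token'" >&2
            return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    printf '%s' "$validation" > "$dir/$token" || return 1
    # nginx (www-data) must be able to read it; nobody else needs to write it
    chmod 0644 "$dir/$token"
}

# remove_challenge DIR TOKEN
# Deletes the challenge file once validation is done, with the same token check.
remove_challenge() {
    dir=$1; token=$2
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    rm -f "$dir/$token"
}

# Entry point when certbot runs the script: "auth" or "cleanup" is passed as $1.
case "${1:-}" in
    auth)    write_challenge "$CHALLENGE_DIR" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) remove_challenge "$CHALLENGE_DIR" "$CERTBOT_TOKEN" ;;
esac
```

Save it as, for example, /usr/local/bin/acme-hook.sh, make it executable, and run certbot certonly --manual --preferred-challenges http --manual-auth-hook '/usr/local/bin/acme-hook.sh auth' --manual-cleanup-hook '/usr/local/bin/acme-hook.sh cleanup' -d test.domain.com. Besides saving the copy-and-paste, this matters for the renewal step later on: a certificate obtained with --manual and no hook cannot be renewed non-interactively by certbot renew, whereas certbot records the hook in the renewal configuration and reuses it. certbot's --webroot -w /usr/local/etc/nginx/letsencrypt/ plugin does the same job with no script at all.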

4. Configure SSL on nginx

There are many guides online, so I won't go over them here; the key configuration lines are:

  ssl_certificate           /etc/letsencrypt/live/test.domain.com/fullchain.pem;
  ssl_certificate_key       /etc/letsencrypt/live/test.domain.com/privkey.pem;

After changing the configuration, run nginx -s reload to make the change take effect.

5. Check whether SSL is correctly configured

There are many free websites for checking. I used www.sslshopper.com/ssl-checker…

6. Renew the certificate automatically so that it does not expire. Because the certificate is valid for 3 months, checking once a month is enough.

Use crontab (crontab -e as root) to schedule the two tasks: certbot renew only replaces the certificate when it is close to expiry, and nginx must be reloaded afterwards to pick up the new files.

0 0 1 * * certbot renew --quiet
5 0 1 * * service nginx reload
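Section 5 checks the certificate from the outside; it is also worth checking from the server itself that the cron job is really keeping it fresh. The following is an added example, not from the original post: two small shell functions that read the expiry of fullchain.pem with openssl's -enddate and -checkend options, plus a helper that mints a self-signed test certificate so the checks can be tried offline. The 30-day threshold is certbot's default renewal window; the function names are my own, and GNU date is assumed for parsing the notAfter string.

```shell
#!/bin/sh
# Added example (not from the original post): report how many days remain on a
# certificate and whether it is already inside certbot's 30-day renewal window.
# Usage: sh cert-check.sh /etc/letsencrypt/live/test.domain.com/fullchain.pem

# cert_days_left CERT_FILE -> prints the whole days until notAfter
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    end_s=$(date -u -d "$end" +%s) || return 1   # GNU date parses "Jun  1 12:00:00 2025 GMT"
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# cert_needs_renewal CERT_FILE [DAYS]
# Returns 0 (true) when the certificate expires within DAYS (default 30, the
# window in which certbot renew actually renews), 1 otherwise.
cert_needs_renewal() {
    days=${2:-30}
    # -checkend exits 0 if the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_DIR DAYS
# Writes a self-signed fullchain.pem/privkey.pem valid for DAYS days, so the
# checks above can be exercised without a real Let's Encrypt certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test.domain.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Command-line entry point: exit 1 when renewal is overdue, so cron can alert.
if [ $# -ge 1 ]; then
    left=$(cert_days_left "$1") || exit 2
    echo "$1: $left day(s) until expiry"
    if cert_needs_renewal "$1"; then
        echo "WARNING: inside the 30-day renewal window; check that 'certbot renew' is running" >&2
        exit 1
    fi
fi
```

Run it by hand after the first renewal, or add it as a third cron line a few days after the renew job: a non-zero exit (and the message on stderr) tells you that certbot renew has stopped working before the certificate actually expires.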

At this point the basic SSL configuration is complete.

Reference website:

  • www.sslshopper.com/ssl-checker…
  • Certbot.eff.org/docs/using….
  • Certbot.eff.org/lets-encryp…
  • www.tmn.io/posts/lets-…