LNMP安装Let’s Encrypt 免费SSL证书方法:自动安装与手动配置Nginx

前几天介绍了最新StartSSL免费SSL申请与配置,很多人看到部落介绍SSL证书安装时总是推荐了OneinStack,因为OneinStack提供了一键添加和配置Let's Encrypt 免费SSL证书的脚本,你在创建虚拟主机绑定域名就可以一步安装好SSL。

其实LNMP(即LNMP.org版LNMP脚本)更新到了1.4版本后已经增加了增加ssl选项,可以选择Let's Encrypt 或自定义证书和key文件,操作已经和OneinStack一样方便了。本文就来分享一下LNMP 1.4安装Let's Encrypt 免费SSL证书方法。

LNMP 1.4支持自动申请和安装Let's Encrypt 免费SSL证书,当然如果你自己有SSL证书,那么LNMP 1.4在创建虚拟机时直接输入Key和PEM地址,LNMP 1.4会自动帮你配置好SSL了,不懂Nginx配置的朋友有福了。而对于LNMP 1.3的朋友,也不用担心。

LNMP 1.3默认编译都已经加了SSL部分,加上Nginx配置SSL都不是很复杂,大家只需要添加几段SSL代码就可以了。更多的免费SSL证书,大家可以看看:

LNMP安装Let's Encrypt 免费SSL证书方法:自动安装与手动配置Nginx

一、LNMP自动安装Let's Encrypt 方法

1、官方网站:

  • 1、LNMP:https://lnmp.org/
  • 2、Let's Encrypt:https://letsencrypt.org/

2、LNMP 1.3安装可以参考:扔掉VPS面板!网站平滑迁移到LNMP或LAMP建站环境的方法,这里是LNMP 1.4测试版安装代码:

1
2
wget -c http://soft.vpser.net/lnmp/lnmp1.4beta.tar.gz && tar zxf lnmp1.4beta.tar.gz && cd lnmp1.4 && ./install.sh {lnmp|lnmpa|lamp}
#请注意最后的参数,需要哪个模式就写哪个,./install.sh 不带任何参数默认为LNMP模式。

3、LNMP 1.4增加PHP7.1支持,增加LNMP模式下多PHP版本选择,安装LNMP时会让你选择安装哪一个版本的PHP、哪一个版本的MysqL等。(点击放大)

LNMP安装1.4

4、执行:lnmp vhost add 添加虚拟机,添加网站的域名,设置网站的目录,伪静态,日志的名称,数据库等,注意在询问是否添加SSL证书时,选择安装Let's Encrypt 。(点击放大)

LNMP自动安装SSL选项

5、选择了自动安装Let's Encrypt 免费SSL证书时,会安装一系列的组件,部分过程可能等待的时间比较长,请耐心等待一下。这是LNMP自动安装Let's Encrypt 成功的提示。(点击放大)

LNMP安装SSL成功

二、LNMP自动安装Let's Encrypt 注意地方

1、使用LNMP自动安装Let's Encrypt ,因为涉及到要验证域名,所以请提前将你的域名解析到你的VPS主机上,这样才可以成功使用LNMP自动安装Let's Encrypt 。

2、Nginx SSL配置。LNMP自动安装Let's Encrypt 生成Nginx SSL配置文件的路径是:/usr/local/nginx/conf/vhost。

LNMP的Nginx配置文件

3、打开xxxdomain.conf,就能够看到SSL配置代码了,以后大家自己想要配置SSL的话也可以进入到这里修改了。

LNMP查看SSL代码

4、Let's Encrypt 生成的Key与PEM证书路径是:/etc/letsencrypt/live/xxxdomain,主要是两个文件:fullchain.pem和Privkey.pem。以后更新Let's Encrypt 都会在这里。

LNMP的证书路径

5、LNMP自动安装Let's Encrypt 后,原来的http依然可以访问,如果你想做301强制http跳转到https,可以使用以下代码放在xxxdomain.conf中。

1
2
3
4
5
6
7
8
server
{
        listen 80;
        server_name ucblog.net www.ucblog.net;
        rewrite ^(.*) https://www.ucblog.net$1 permanent;
}
#或者
return 301 https://www.ucblog.net$request_uri;

6、效果如下图:

LNMP实现http跳转到https

三、LNMP手动配置SSL证书方法

1、如果你想在LNMP上安装自己的SSL证书,则在创建虚拟机可以选择“Use Your own ssl Certificate and key”。然后输入你的SSL证书路径与Key完整路径。

LNMP输入证书路径

2、所以,此处最关键的就是将你SSL证书和Key上传到服务器上了。以腾讯云DV SSL证书为例,申请成功下载得到了就是crt和key两个文件,这两个文件就能上传到服务器上安装SSL了。

LNMP安装其它的SSL证书

四、Let's Encrypt 手动申请及安装在LNMP 1.4上

1、如果你想手动安装Let's Encrypt 也不是很复杂,先将你的域名解析到你的VPS主机上,然后到https://certbot.eff.org/选择适合你的VPS操作系统的安装代码:

1
2
3
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto certonly

LNMP选择安装代码

2、接下来要你选择授权目录,这时我们一般都会选择网站根目录。

LNMP选择网站目录

3、然后输入你想要申请Let's Encrypt 免费SSL证书的域名,这个域名必须是已经解析到了VPS上的。

LNMP绑定域名

4、然后会要你输入网站根目录。

LNMP要求输入目录

5、找到我们已经用LNMP创建好的虚拟机网站根目录。

LNMP找到本地创建的网站

6、耐心等待,Let's Encrypt 申请成功了。

LNMP申请Let's Encrypt 成功了

7、我们可以进入到/etc/letsencrypt/live/看到自己刚刚申请到的CRT和Key。

Let's Encrypt 已经生成的文件

8、找到我们用LNMP创建虚拟机生成的Nginx配置文件。

Let's Encrypt 创建的配置文件

9、如果你在用LNMP创建网站时选择是添加SSL,这时你的Nginx配置中已经有SSL代码了,这时你只需要替换好SSL路径即可。要求是完整路径,示例如下:

1
2
/etc/letsencrypt/live/web.ucblog.net/fullchain.pem
/etc/letsencrypt/live/web.ucblog.net/privkey.pem

Let's Encrypt 替换路径

10、重启LNMP,打开域名,查看SSL证书已经安装成功了。

Let's Encrypt 安装成功

五、LNMP 1.3安装配置Let's Encrypt SSL

1、先按照上面的方法,手动申请好Let's Encrypt SSL证书,打开你的域名Nginx配置文件,将SSL代码复制粘贴到下方即可。

Let's Encrypt 粘贴代码

2、Nginx SSL配置代码该如何修改?这里给出一份没有添加SSL的Nginx 配置文件代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
server
    {
        listen 80;
        #listen [::]:80;
        server_name we.ucblog.net ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/we.ucblog.net;
 
        include wordpress.conf;
        #error_page   404   /404.html;
 
        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
 
        include enable-php.conf;
 
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }
 
        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }
 
        location ~ /.well-known {
            allow all;
        }
 
        location ~ /\.
        {
            deny all;
        }
 
        access_log  /home/wwwlogs/we.ucblog.net.log;
    }

3、这里是已经添加了Nginx SSL配置代码示例,通过对比你只需要将含有SSL代码的Nginx代码复制到里面即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
server
    {
        listen 80;
        #listen [::]:80;
        server_name web.ucblog.net ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/web.ucblog.net;
 
        include wordpress.conf;
        #error_page   404   /404.html;
 
        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
 
        include enable-php.conf;
 
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }
 
        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }
 
        location ~ /.well-known {
            allow all;
        }
 
        location ~ /\.
        {
            deny all;
        }
 
        access_log  /home/wwwlogs/web.ucblog.net.log;
    }
 
server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name web.ucblog.net ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/web.ucblog.net;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/web.ucblog.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/web.ucblog.net/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;
 
        include wordpress.conf;
        #error_page   404   /404.html;
 
        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
 
        include enable-php.conf;
 
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }
 
        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }
 
        location ~ /.well-known {
            allow all;
        }
 
        location ~ /\.
        {
            deny all;
        }
 
        access_log  /home/wwwlogs/web.ucblog.net.log;
    }

4、大家在复制代码时记得将示例中的web.ucblog.net演示网址替换成自己的。

六、LNMP安装Let's Encrypt小结

1、Let's Encrypt有效期只有三个月,所以最好是设置一个定时任务:crontab –e,然后将以下代码复制到里面,表示每隔7天就自动更新一下Let's Encrypt:

1
0 3 */7 * * /bin/certbot renew --renew-hook "/etc/init.d/nginx reload"

Let's Encrypt 自动更新

2、LNMP提供的LAMP也有SSL配置示例,如果你采用的是Apache架构,也可以参考LNMP提示的SSL配置示例进行手动配置。

 

LNMP安装Let’s Encrypt 免费SSL证书方法

 

Certbot

Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.

I'm using
on
Automated
Advanced

Install

Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, you must first enable the EPEL repository. On RHEL or Oracle Linux, you must also enable the optional channel.

Note:

If you are using RHEL on EC2, you can enable the optional channel by running:

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

After doing this, you can install Certbot by running:

$ sudo yum install certbot-nginx

Get Started

Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs:

$ sudo certbot --nginx

Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:

$ sudo certbot --nginx certonly
To learn more about how to use Certbot read our documentation.

Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:
certbot renew

Note:

if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew 

More detailed information and options about renewal can be found in the full documentation.

posted @ 2018-07-16 17:02  Awakenedy  阅读(546)  评论(0编辑  收藏  举报