Configuring HTTPS with nginx on AWS EC2 (Amazon Linux 2023)

1. Install Certbot

Follow the instructions at: https://certbot.eff.org/instructions?ws=nginx&os=pip


2. Obtain a certificate

sudo certbot certonly --nginx

After answering a few prompts with Y, we see:

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): your_domain_name
Requesting a certificate for your_domain_name

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain_name/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your_domain_name/privkey.pem
This certificate expires on 2023-10-20.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

As shown above, the certificate and the private key are both saved under /etc/letsencrypt/live/your_domain_name/.


3. Certificate renewal

For security reasons, every certificate Let's Encrypt issues is valid for only 90 days, so the Let's Encrypt certificate must be renewed before it expires.

The following command only tests renewal; it does not actually issue a new certificate:

sudo certbot renew --dry-run

Output on success:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.chattextai.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for www.chattextai.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.chattextai.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Next, a manual renewal:

sudo certbot renew -v

Output on success:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.chattextai.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for www.chattextai.com
Performing the following challenges:
http-01 challenge for www.chattextai.com
Waiting for verification...
Cleaning up challenges
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/www.chattextai.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Only after this manual renewal will you see the certificate files under /etc/letsencrypt/live/www.chattextai.com/ updated.

References


4. Configure nginx

Open the conf file for editing:

sudo nano /etc/nginx/nginx.conf

Add the SSL-related settings to the server block:

server {
    listen       80;
    listen       [::]:80;

    # setting for ssl
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  _;
    ssl_certificate     /etc/letsencrypt/live/your_domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";
    # end setting for ssl

    ............
}

Restart nginx:

sudo service nginx restart
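Before restarting nginx with a block like the one above, it is worth checking the TLS settings for the slips that are easy to make when hand-editing nginx.conf: a port-443 listen without the ssl parameter (nginx then serves plaintext HTTP on that socket), a certificate and key taken from different live/ directories, a leaf certificate instead of fullchain.pem, or a missing HSTS header. The checker below is an added example written for this post, not part of the original; the sample server block it scans is constructed here and is the post's block with the ssl parameter deliberately dropped from the IPv6 listen.

```python
# Constructed sample (not from the post): the post's server block, except that
# the IPv6 listen on 443 lacks "ssl", so nginx would speak plaintext on [::]:443.
BROKEN_CONF = """
server {
    listen       80;
    listen       [::]:80;
    listen       443 ssl;
    listen       [::]:443;
    server_name  _;
    ssl_certificate     /etc/letsencrypt/live/your_domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";
}
"""
FIXED_CONF = BROKEN_CONF.replace("listen       [::]:443;", "listen       [::]:443 ssl;")


def directives(block):
    """Yield (name, args) for each directive in one server block; comments and braces are skipped."""
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, rest = line.partition(" ")
        yield name, rest.split()


def check_tls_block(block):
    """Return a list of findings for a server block; an empty list means it passes."""
    findings = []
    ds = list(directives(block))
    names = {n for n, _ in ds}
    tls_listen = False
    for name, args in ds:
        if name != "listen":
            continue
        addr = args[0]
        if addr.rsplit(":", 1)[-1] == "443":  # matches both "443" and "[::]:443"
            tls_listen = True
            if "ssl" not in args:
                findings.append(f"listen {addr}: port 443 without 'ssl' serves plaintext")
    if tls_listen:
        for d in ("ssl_certificate", "ssl_certificate_key"):
            if d not in names:
                findings.append(f"missing {d}")
        paths = {n: a[0] for n, a in ds if n in ("ssl_certificate", "ssl_certificate_key")}
        if len(paths) == 2 and paths["ssl_certificate"].rsplit("/", 1)[0] != paths["ssl_certificate_key"].rsplit("/", 1)[0]:
            findings.append("certificate and key come from different live/ directories")
        if "ssl_certificate" in paths and not paths["ssl_certificate"].endswith("fullchain.pem"):
            findings.append("ssl_certificate should point at fullchain.pem so the full chain is served")
    if not [a for n, a in ds if n == "add_header" and a[:1] == ["Strict-Transport-Security"]]:
        findings.append("missing Strict-Transport-Security header")
    return findings
```

Run it over the server block extracted from nginx.conf; a non-empty result is worth fixing before `nginx -t` and the restart.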


posted @ 2023-07-22 10:09 johnny_zhao