Nginx配置HTTPS访问

简单介绍如何生成https服务所需要的证书、私钥以及部署，文档分别描述了开发时使用的self-signed证书以及线上使用的let’s encrypt免费证书的生成方法

自签名证书

1. 创建证书以及私钥

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

• req: 指定X.509证书签名请求(CSR)管理

• -x509: 生成self-sigend证书

• -nodes: 不使用密码

• -days 365: 证书有效期

• -newkey rsa:2048: 生成证书的同时生成私钥，rsa加密算法，2048位

• -keyout: 私钥的存储路径

• -out: 证书的存储路径

信息填写

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []: example.com (or server_IP_address)
Email Address []:admin@your_domain.com

2. 配置nginx

sudo vi /etc/nginx/sites-enabled/example.com

添加证书以及私钥

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    server_name example.com;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    . . .
}

重启nginx，完成

正式证书

1. let’t encrypt安装

sudo git clone https://github.com/letsencrypt/letsencrypt /usr/local/letsencrypt

2. 生成证书以及私钥

生成指定域名证书及密钥

sudo -H /data/app/letsencrypt/letsencrypt-auto certonly --standalone -d www.example.com

letsencrypt需要记录服务器ip，选择“Y”。打开新的命令行窗口，在指定的目录.well-known下创建文件并将指定的内容写入后，在原命令行窗口点击enter键结束

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

BxYgbmNBP0glztPgaevZwzwMSPy2Asd8LRzlyQNnax9.sAK0-w3-GGiCDaAreDXX1rxwm0qQfBfhb-4765BnzRZ

And make it available on your web server at this URL:

http://www.example.com/.well-known/acme-challenge/BxYgbmNBP0glztPgaevZwzwMSPy2Asd8LRzlyQNnax9

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue           # 文件创建后再确认
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2019-11-04. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

生成wildcard domain证书及密钥

# 如果嫌单个域名太麻烦，想配置wildcard证书，使用下面的命令
sudo -H /data/app/letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges=dns -d *.example.com

按提示添加dns记录后再点击enter结束

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

AhAGaqohVH8JMAS-jHkS5L_i2J4JCnglUJvY5n2S9qI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue           # 需添加dns记录
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-11-04. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. 配置nginx

sudo vi /etc/nginx/sites-enabled/example.com

添加证书以及私钥

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    server_name example.com;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    . . .
}

重启nginx，完成

参考文档

How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04
Install Let’s Encrypt to Create SSL Certificates
How to setup Let’s Encrypt for Nginx on Ubuntu 18.04 (including IPv6, HTTP/2 and A+ SLL rating)
Certbot User Guide
letsencrypt man