<h1>Setting up Let's Encrypt HTTPS on nginx with certbot: automatic SSL certificate renewal</h1>

<p>Published 2020-05-18 at <a href="https://soholab.tw/?p=42">https://soholab.tw/?p=42</a></p>

<p>Original source: <a href="https://blog.hellojcc.tw/setup-https-with-letsencrypt-on-nginx/">https://blog.hellojcc.tw/setup-https-with-letsencrypt-on-nginx/</a></p>

<p>About three months ago I added HTTPS to this blog using the free Let's Encrypt CA (Certificate Authority). Let's Encrypt is free, but its certificates are only valid for 90 days, so the certificate has to be renewed every three months.</p>

<p>I originally used the SSL For Free website to request and renew certificates, but later found that Let's Encrypt's client, <a href="https://certbot.eff.org/">certbot</a>, is very convenient and also renews the certificate for you automatically.</p>

<h1 class="wp-block-heading">Prerequisites</h1>

<ul class="wp-block-list"><li>I am using Ubuntu 16.04 with <code>sudo</code> privileges, and nginx is installed.</li><li>You own the domain.</li><li>The DNS records are set up correctly: for example, to add HTTPS to <code>www.hellojcc.tw</code> and <code>hellojcc.tw</code>, both names must first point to the server's IP, because Let's Encrypt challenges both domains before issuing the certificate.</li></ul>

<h1 class="wp-block-heading" id="certbot">Install certbot</h1>

<pre class="wp-block-code"><code>sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot # add the certbot PPA
sudo apt-get update # refresh the package index
sudo apt-get install python-certbot-nginx # install certbot with its nginx plugin
</code></pre>

<h1 class="wp-block-heading" id="httpserver">Configure the HTTP server</h1>

<p>After the certificate is issued, certbot automatically edits your nginx configuration, provided nginx already has a configuration for the domain. certbot looks for the <code>server</code> block whose <code>server_name</code> directive matches the domain and modifies that block. For example:</p>

<pre class="wp-block-code"><code>server {
# the server_name matches the domains on the certificate, so certbot adds its settings to this block
# (nginx separates multiple names with spaces, not commas, and the directive ends with a semicolon)
server_name hellojcc.tw www.hellojcc.tw;
}
</code></pre>

<h1 class="wp-block-heading">Generate the certificate</h1>

<p>certbot on Ubuntu does not yet support wildcard certificates, so every subdomain has to be added with its own <code>-d</code> flag:</p>

<pre class="wp-block-code"><code>sudo certbot --nginx -d hellojcc.tw -d www.hellojcc.tw
</code></pre>

<p>If this is the first time you run certbot, it asks you to accept the terms of service and to enter an email address so it can contact you.</p>

<p>Next it asks whether to set up redirection from HTTP to HTTPS:</p>

<pre class="wp-block-code"><code>Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
</code></pre>

<p>If you have not yet set up a redirect from HTTP to HTTPS, choose 2.</p>

<p>When you see the message below, it is done.</p>

<pre class="wp-block-code"><code>IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/hellojcc.tw/fullchain.pem. Your cert will
   expire on 2018-08-01. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
</code></pre>

<p>certbot reloads nginx automatically. You can check your site with <a href="https://www.ssllabs.com/ssltest/">SSL Server Test</a>; the grade should be an A.</p>

<p><small>PS: If you do not want certbot to touch your nginx configuration and only want to obtain the certificate, add the <code>certonly</code> argument.</small></p>

<h3 class="wp-block-heading" id="nginx">nginx configuration explained</h3>

<p>certbot adds the following settings to the matching server block:</p>

<pre class="wp-block-code"><code>server {
# ... other configs

# SSL setting
listen 443 ssl;

# set crt and key
ssl_certificate /etc/letsencrypt/live/hellojcc.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellojcc.tw/privkey.pem;
# include the baseline TLS settings
include /etc/letsencrypt/options-ssl-nginx.conf;
# certbot also generates a Diffie-Hellman parameter file
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# ... other configs
}
</code></pre>

<h1 class="wp-block-heading">Automatic certificate renewal</h1>

<p>certbot also sets up a cron job that checks the certificate status every week and renews the certificate automatically when less than a month of validity remains; run <code>systemctl list-timers</code> to confirm.<br><img class="wp-image-44" src="https://soholab.tw/wp-content/uploads/2020/05/42-1.png" alt=""></p>

<p>Next, run the following command as a dry run to confirm that renewal works:</p>

<pre class="wp-block-code"><code>sudo certbot renew --dry-run
</code></pre>

<p>(Updated 2020/3/15)<br>If the dry run produces</p>

<pre class="wp-block-code"><code>Attempting to renew cert (your_domain.com) from /etc/letsencrypt/renewal/your_domain.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
</code></pre>

<p>you can do the following (<a href="https://community.letsencrypt.org/t/attempting-to-renew-cert-from-etc-letsencrypt-renewal-domain-conf-produced-an-unexpected-error-urnparamserror-malformed-the-request-message-was-malformed-method-not-allowed-skipping/110021/8">reference</a>):</p>

<pre class="wp-block-code"><code># check that python is v3 or newer
python --version
# if it is still v2, switch the default with
update-alternatives --install /usr/bin/python python /usr/bin/python3.5 1
# upgrade python3-acme
apt update &amp;&amp; apt install --only-upgrade python3-acme
</code></pre>

<p>certbot's logs are written to <code>/var/log/letsencrypt</code> by default; check there if needed.</p>

<h1 class="wp-block-heading">Check certificate status</h1>

<p>(Updated 2019/5/13)<br>Sometimes you receive an expiration notice from Let's Encrypt ("Let's Encrypt certificate expiration notice for domain "your_domain.com""). When that happens, run the following command to check the status:</p>

<pre class="wp-block-code"><code>sudo certbot certificates</code></pre>