How to Secure Nginx with Let's Encrypt on Ubuntu and Debian
Following the previous Let's Encrypt tutorial on Apache SSL, in this article we will discuss how to generate and install a free SSL/TLS certificate issued by the Let's Encrypt CA for the Nginx webserver on Ubuntu or Debian.
- Secure Apache with Free Let's Encrypt on Ubuntu and Debian
- Install Let's Encrypt SSL to Secure Apache on RHEL and CentOS

- A registered domain with valid DNS A records pointing back to the IP address of your server.
- An installed Nginx web server with SSL and a Vhost enabled, in case you are planning to host multiple domains or subdomains.
Step 1: Installing Nginx Web Server
1. As a first step, install the Nginx web server, if it is not already installed, by issuing the command below:
$ sudo apt-get install nginx
Step 2: Generate a Let's Encrypt SSL Certificate for Nginx
2. Before generating a free SSL/TLS certificate, install the Let's Encrypt software in the /usr/local/ filesystem hierarchy with the help of the git client by issuing the following commands:
$ sudo apt-get -y install git
$ cd /usr/local/
$ sudo git clone https://github.com/letsencrypt/letsencrypt
3. Although the procedure for obtaining a certificate for Nginx is automated, you can still manually generate and install a free SSL certificate for Nginx by using the Let's Encrypt Standalone plugin.
This method requires that port 80 is not in use on your system for a short period of time while the client validates the server's identity before generating the certificate.
If you are already running Nginx, stop the service by issuing the following command.
$ sudo service nginx stop
OR
$ sudo systemctl stop nginx
If you are running another service that binds to port 80, stop that service as well.
4. Confirm that port 80 is free by running the netstat command:
$ sudo netstat -tlpn | grep 80
5. Now it is time to run letsencrypt in order to obtain an SSL certificate. Go to the Let's Encrypt installation directory found in the /usr/local/letsencrypt system path and run the letsencrypt-auto command, providing the --standalone option and the -d flag for every domain or subdomain you wish to generate a certificate for.
$ cd /usr/local/letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone -d your_domain.tld
6. Enter the email address that Let's Encrypt will use for lost key recovery or urgent notices.
7. Agree to the terms of the license by pressing the Enter key.
8. Finally, if everything went well, a message similar to the screenshot below should appear on your terminal console.
Step 3: Install Let's Encrypt SSL Certificate in Nginx
9. Now that your SSL certificate has been generated, it is time to configure the Nginx webserver to use it. The new SSL certificates are placed in
$ sudo ls /etc/letsencrypt/live/
$ sudo ls -al /etc/letsencrypt/live/caeszar.tk
10. Next, open the /etc/nginx/sites-available/default file with a text editor and add the following block after the first commented line that marks the beginning of the SSL block. Use the screenshot below as a guide.
$ sudo nano /etc/nginx/sites-enabled/default
Nginx block excerpt:
# SSL configuration
#
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
Replace the domain name values for the SSL certificates accordingly.
11. In the next step, generate strong Diffie-Hellman parameters in the /etc/nginx/ssl/ directory in order to protect your server against the Logjam attack by running the following commands.
$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
$ sudo openssl dhparam -out dhparams.pem 2048
12. Finally, restart the Nginx daemon to apply the changes
$ sudo systemctl restart nginx
and test your SSL certificate by visiting the URL below.
https://www.ssllabs.com/ssltest/analyze.html
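One way to check the SSL block from step 10 before restarting Nginx, as an added example that is not part of the original tutorial: the hypothetical audit_nginx_tls function flags protocol versions deprecated by RFC 8996 (the block above still enables TLSv1 and TLSv1.1), DHE/EDH cipher suites listed without the ssl_dhparam file from step 11, and certificate and key paths that point at different directories. The function names and finding labels are illustrative, and the hardened variant assumes an Nginx and OpenSSL build that supports TLSv1.3.

```shell
#!/bin/bash
# Added example (not from the tutorial). Reads an Nginx config on stdin,
# prints one finding per line and returns 1 if anything was flagged.
audit_nginx_tls() {
    awk -v q="'" '
    { sub("#.*", ""); gsub("[;\"" q "]", "") }   # drop comments, ";" and quotes
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++)                # TLS 1.0/1.1: deprecated, RFC 8996
            if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { print "WEAK_PROTOCOL " $i; n++ }
    }
    $1 == "ssl_ciphers" {
        m = split($2, tok, /[:+]/)               # OpenSSL cipher-string tokens
        for (i = 1; i <= m; i++)                 # finite-field DH only, not EECDH/ECDHE
            if (tok[i] ~ /^k?(EDH|DHE)$/ || tok[i] ~ /^DHE-/) uses_dhe = 1
    }
    $1 == "ssl_dhparam"         { have_dhparam = 1 }
    $1 == "ssl_certificate"     { cert = $2 }
    $1 == "ssl_certificate_key" { key = $2 }
    END {
        if (uses_dhe && !have_dhparam) { print "DHE_WITHOUT_DHPARAM"; n++ }
        # fullchain.pem and privkey.pem should sit in the same live/<domain>/ directory
        sub("/[^/]*$", "", cert); sub("/[^/]*$", "", key)
        if (cert != key) { print "CERT_KEY_DIR_MISMATCH"; n++ }
        exit (n > 0)
    }'
}

# Sample input: the SSL block from step 10, reproduced for the demonstration.
tutorial_block() {
    cat <<'EOF'
# SSL configuration
#
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
EOF
}

# Constructed variant: same block restricted to TLS 1.2 and 1.3 (assumed supported).
hardened_block() {
    tutorial_block | sed 's/^ssl_protocols.*/ssl_protocols TLSv1.2 TLSv1.3;/'
}

tutorial_block | audit_nginx_tls || true   # WEAK_PROTOCOL TLSv1, WEAK_PROTOCOL TLSv1.1
hardened_block | audit_nginx_tls && echo "hardened block: no findings"
```

Because the function returns a non-zero status when it has findings, it can gate the restart in step 12 when fed the edited /etc/nginx/sites-available/default file on stdin.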
Step 4: Auto Renew Let's Encrypt Nginx Certificates
13. Certificates issued by the Let's Encrypt CA are valid for 90 days. In order to renew the files automatically before the expiration date, create the ssl-renew.sh bash script in the /usr/local/bin/ directory with the following content.
$ sudo nano /usr/local/bin/ssl-renew.sh
Add the following content to the ssl-renew.sh file.
#!/bin/bash
# Renew the certificate with the webroot plugin, then reload Nginx to pick it up.
cd /usr/local/letsencrypt
sudo ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/var/www/html/ -d your_domain.tld
sudo systemctl reload nginx
exit 0
Replace the --webroot-path variable to match your Nginx document root. Make sure the script is executable by issuing the following command.
$ sudo chmod +x /usr/local/bin/ssl-renew.sh
14. Finally, add a cron job to run the script every two months at midnight in order to ensure that your certificate will be renewed approximately 30 days before it expires.
$ sudo crontab -e
Add the following line at the bottom of the file.
0 1 1 */2 * /usr/local/bin/ssl-renew.sh >> /var/log/your_domain.tld-renew.log 2>&1
That's it! Your Nginx server is now serving SSL content using a free Let's Encrypt SSL certificate.