Set Up HTTPS with a Let's Encrypt SSL Certificate for Nginx on RHEL/CentOS 7/6


Following the first tutorial on Let's Encrypt for an Apache or Nginx web server with the SSL/TLS module, this article will guide you through generating and installing a free SSL/TLS certificate issued by the Let's Encrypt Certificate Authority, which we will use to secure the HTTP traffic of an Nginx web server on CentOS/RHEL 7/6 and Fedora distributions.

If you are looking to install Let's Encrypt for Apache on RHEL/CentOS 7/6 and Fedora distributions, follow this guide below. The requirements for this guide are:

  1. A registered domain name with valid DNS records pointing back to the server's public IP address.
  2. The Nginx web server installed with SSL enabled and Virtual Hosts configured (only when hosting multiple domains or subdomains).

Step 1: Install the Nginx Web Server

1. In the first step, if you don't already have the Nginx daemon installed, issue the commands below with root privileges to install the Nginx web server from the EPEL repositories:

# yum install epel-release
# yum install nginx

Step 2: Download or Clone the Free Let's Encrypt SSL Certificate Client

2. The fastest way to install the Let's Encrypt client on a Linux system is by cloning the package from its GitHub repository.

First, install the git client on the system using the command below:

# yum install git

3. Once the git client is installed, change directory to the /opt path and pull the Let's Encrypt software by issuing the following commands:

# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Generate a Free SSL Certificate for Nginx

4. The process of obtaining a free SSL/TLS certificate for Nginx will be done manually using the Let's Encrypt Standalone plugin.

This method requires that port 80 be free while the Let's Encrypt client validates the server's identity and generates the certificate.

So, if Nginx is already running, stop the daemon with the following command and run ss to confirm that port 80 is no longer in use on the network stack.

# service nginx stop
# systemctl stop nginx
# ss -tln

5. Now it's time to obtain the free SSL certificate from Let's Encrypt. Go to the Let's Encrypt installation directory (the repository was cloned to /opt/letsencrypt in step 3), if you're not already there, and run the letsencrypt-auto command with the --standalone option and the -d flag for every domain or subdomain you want to generate a certificate for, as shown in the example below.

# cd /opt/letsencrypt
# ./letsencrypt-auto certonly --standalone -d your_domain.tld -d www.yourdomain.tld

6. Once the dependencies are installed and verified on your machine, Let's Encrypt will prompt you to enter an email address for your account, which will be used for lost key recovery or urgent notices.

7. Next you will need to agree to the license terms by pressing the Enter key.

8. Finally, if everything went as expected, a congratulations message will be displayed in your bash terminal. The message will also show when the certificate expires.

Step 4: Install the Let's Encrypt SSL Certificate in Nginx

9. Now that you have the free SSL/TLS certificate, it's time to install it in the Nginx web server so your domain can use it.

All new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain. Use the ls command to list the certificate files issued for your domain and identify them.

# sudo ls /etc/letsencrypt/live/
# sudo ls -al /etc/letsencrypt/live/your_domain.tld

10. To install the certificate files in Nginx with SSL support, open the /etc/nginx/nginx.conf file for editing and add the statements below after the last listen directive of the server block. Use the example below as a guide.

# vi /etc/nginx/nginx.conf

Nginx SSL configuration:

# SSL configuration
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Replace the domain name string in the SSL certificate paths to match your own domain.

11. Finally, restart the Nginx service and visit your domain over the HTTPS protocol at https://yourdomain. The page should load fine, without any certificate errors.

# systemctl restart nginx
# service nginx restart

12. To verify the SSL/TLS certificate and its strength, go to the following link:

https://www.ssllabs.com/ssltest/analyze.html

13. If you receive a report that your server supports a weak Diffie-Hellman key exchange and a B grade, generate new Diffie-Hellman parameters in the /etc/nginx/ssl/ directory to protect your server against the Logjam attack, by running the following commands.

# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl dhparam -out dhparams.pem 4096

In this example we used a 4096-bit key, which takes a long time to generate and adds extra overhead to your server and the SSL handshake.

If there is no obvious need to use such a long key and you are not paranoid, you can keep it at 2048 bits.

14. Once the DH key is generated, open the Nginx configuration file and add the statements below after the ssl_ciphers directive to include the DH key and raise the security level of your domain to an A+ grade.

# vi /etc/nginx/nginx.conf

Add the following block to nginx.conf:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;

15. Restart the Nginx service to apply the changes and test your SSL certificate again, after clearing the previous cached results, at the link mentioned above.

# systemctl restart nginx
# service nginx restart

Step 5: Renew the Free Let's Encrypt SSL Certificate for Nginx Automatically

16. The Let's Encrypt CA issues free SSL/TLS certificates that are valid for 90 days. The certificate can be renewed manually and installed before expiry using the webroot plugin, without stopping your web server, by issuing the following commands:

# ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d yourdomain.tld -d www.yourdomain.tld
# systemctl reload nginx

When running the above command, make sure you replace the webroot path to match your web server's document root, as declared by the Nginx root directive.

17. To renew the certificate automatically before it expires, create the following bash script, taken from erikaheidi on GitHub, in the /usr/local/bin/ directory and add the content below (the script has been slightly modified to reflect the Nginx setup).

# vi /usr/local/bin/cert-renew

Add the following lines to the cert-renew file.

#!/bin/bash

webpath='/usr/share/nginx/html/'
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30;

get_domain_list(){
        certdomain=$1
        config_file="$le_conf/renewal/$certdomain.conf"

        if [ ! -f "$config_file" ] ; then
                echo "[ERROR] The config file for the certificate $certdomain was not found."
                exit 1;
        fi

        # read the "domains = ..." value from the renewal config
        domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

        # drop the trailing comma the renewal config may leave behind
        if [ "${last_char}" = "," ]; then
                domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')
        fi

        echo "$domains";
}

if [ -z "$domain" ] ; then
        echo "[ERROR] you must provide the domain name for the certificate renewal."
        exit 1;
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
        echo "[ERROR] certificate file not found for domain $domain."
        exit 1;
fi

# expiry date of the certificate as a Unix timestamp; -enddate prints "notAfter=<date>",
# which is safer to parse than a fixed column offset of the -text output
exp=$(date -d "$(openssl x509 -in "$cert_file" -noout -enddate | cut -d= -f2)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
        echo "The certificate is up to date, no need for renewal ($days_exp days left)."
        exit 0;
else
        echo "The certificate for $domain is about to expire soon. Starting renewal request..."
        domain_list=$( get_domain_list "$domain" )
        "$le_path"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path="$webpath" --domains "${domain_list}"
        echo "Reloading Nginx..."
        sudo systemctl reload nginx
        echo "Renewal process finished for domain $domain"
        exit 0;
fi

18. Replace the $webpath variable at the beginning of the script to match your Nginx document root. Make the script executable and install the bc calculator package on your system by issuing the following commands.

# chmod +x /usr/local/bin/cert-renew
# yum install bc

You can test the script against your domain by issuing the following command:

# /usr/local/bin/cert-renew yourdomain.tld
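The two pieces of logic the cert-renew script depends on, isolated here as an added example (not the article's script and not erikaheidi's) so they can be exercised offline against constructed input: the days-to-expiry computation, made independent of column positions in the openssl output, and the trailing-comma normalisation of the domain list. It assumes GNU date with -d; the sample renewal config is constructed.

```shell
#!/bin/bash
# Added example, not the article's cert-renew script. Assumes GNU date -d.

# Take the date out of either form openssl prints:
#   "notAfter=Mar  4 00:00:00 2030 GMT"                 (openssl x509 -enddate)
#   "            Not After : Mar  4 00:00:00 2030 GMT"   (openssl x509 -text)
# Unlike a fixed `cut -c 25-`, this does not depend on the column position.
not_after_date() {
    printf '%s\n' "$1" | sed -E 's/^.*(Not After *:|notAfter=) *//'
}

# days_left NOT_AFTER_LINE NOW_EPOCH  -> whole days until expiry
days_left() {
    local end
    end=$(date -u -d "$(not_after_date "$1")" +%s) || return 1
    echo $(( (end - $2) / 86400 ))
}

# needs_renewal NOT_AFTER_LINE NOW_EPOCH [LIMIT_DAYS]
# succeeds when LIMIT_DAYS (default 30, as in cert-renew) or fewer days remain
needs_renewal() {
    local d
    d=$(days_left "$1" "$2") || return 2
    [ "$d" -le "${3:-30}" ]
}

# domain_list RENEWAL_CONF_TEXT -> the "domains = ..." value with any trailing
# comma stripped, the same normalisation get_domain_list() applies to
# /etc/letsencrypt/renewal/<domain>.conf
domain_list() {
    printf '%s\n' "$1" | sed -nE 's/^domains *= *//p' | sed -E 's/,[[:space:]]*$//'
}

# constructed sample renewal config (not taken from a real system)
SAMPLE_CONF='[renewalparams]
domains = example.com, www.example.com,
authenticator = webroot'

if [ "${1:-}" = "--demo" ]; then
    now=$(date -u +%s)
    days_left "notAfter=Mar  4 00:00:00 2030 GMT" "$now"
    domain_list "$SAMPLE_CONF"
fi
```

Run it with --demo to see the two helpers applied to the constructed input.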


19. Finally, to run the certificate renewal process automatically, add a new cron job that executes the script weekly, so the certificate is renewed within the 30 days before its expiry date.

# crontab -e

Add the following line at the bottom of the file.

@weekly  /usr/local/bin/cert-renew your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1

That's it! Your Nginx server can now serve web content secured with a free Let's Encrypt SSL/TLS certificate for your website.