How to set up a free, auto-renewing Let's Encrypt SSL certificate with certbot on a DigitalOcean Ubuntu host

An earlier post gave a brief introduction to HTTPS on port 443 and to basic cryptography concepts.

For a public-facing website the certificate is also part of its storefront, much like whether a pork stall displays the domestic-origin label.

Since mid-2018 (Chrome 68) Chrome marks every site served over plain HTTP as "Not secure" by default, which affects traffic and how long visitors are willing to stay on the page.



Here we use the certbot tool. The commands to run on the host are:

sudo add-apt-repository ppa:certbot/certbot

(If add-apt-repository is not found, it comes from the software-properties-common package. Note that the certbot PPA has since been discontinued by the certbot team; on current Ubuntu releases certbot is in the standard repositories, and certbot's own instructions now install it as a snap.)

sudo apt-get update

sudo apt install python-certbot-nginx (old package name, from the Python 2 era)

sudo apt install python3-certbot-nginx (use this on current releases)

Finally:
sudo certbot --nginx -d {domain name} -d www.{domain name}

The nginx plugin finds the server block in /etc/nginx/sites-enabled (the default file here) whose server_name matches those domains, replaces its listen 80 lines with listen 443 ssl plus the certificate and key directives, and, if you choose the redirect option, adds a second server block on port 80 that sends visitors to HTTPS. The domain's DNS must already point at this droplet and port 80 must be reachable from the internet, because Let's Encrypt verifies control of the domain by fetching a challenge over HTTP.


Running the command prompts you with questions; watch for two of them. The one that matters here asks what to do when a user reaches the site over HTTP on port 80: enter 2 so that those requests are redirected to the https:// URL on port 443. (The same choice can be made without the prompt by adding --redirect to the certbot command; --hsts additionally makes nginx send a Strict-Transport-Security header.)

Reload the page now and the address bar that used to say "Not secure" shows a padlock instead.

Let's Encrypt certificates are only valid for 90 days, so they expire after about 3 months.

To test that renewal will work when the time comes, run
sudo certbot renew --dry-run

which goes through the whole renewal process against Let's Encrypt's staging environment without issuing a real certificate. Without --dry-run the command performs a real renewal and replaces the old certificate, but only for certificates that are within 30 days of expiry; run earlier than that it does nothing. You normally do not have to run it yourself: the Ubuntu package installs a systemd timer (and a cron entry) that runs certbot renew twice a day, and the nginx plugin reloads nginx after a successful renewal.
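To check that the host actually ended up the way the steps above describe, here is an added example script (not from the original post): it verifies that an nginx site file has the shape certbot leaves behind (port 443 with a Let's Encrypt certificate and key, port 80 redirected with a 301) and turns the notAfter line from openssl into days remaining, so you can tell whether certbot renew would act. It assumes bash with GNU date (Linux); the two sample site files and the expiry date it uses are constructed inline, not taken from a real server.

```bash
#!/usr/bin/env bash
# verify_certbot_nginx.sh: post-setup checks for a certbot + nginx host.
# Added example for this post, not the author's script. Assumes GNU date
# (Linux) and certbot's default layout under /etc/letsencrypt/live/<domain>/.

# certbot renew only acts on certificates with fewer than this many days
# left (its default renew_before_expiry is 30 days); otherwise it is a no-op.
RENEW_THRESHOLD_DAYS=30

# days_until NOTAFTER [NOW_EPOCH]
# NOTAFTER is the line printed by `openssl x509 -noout -enddate -in cert.pem`,
# e.g. "notAfter=Mar 10 12:00:00 2025 GMT". Prints whole days remaining
# (negative once expired). NOW_EPOCH defaults to the current time.
days_until() {
    local not_after="${1#notAfter=}"
    local now="${2:-$(date -u +%s)}"
    local exp
    exp=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# needs_renewal NOTAFTER [NOW_EPOCH]: succeeds if certbot renew would act.
needs_renewal() {
    local left
    left=$(days_until "$1" "${2:-}") || return 2
    [ "$left" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# check_nginx_tls SITE_FILE
# Checks the properties `certbot --nginx` should have left in the site file:
#   1. a server listens on 443 with ssl
#   2. certificate and key come from /etc/letsencrypt/live/ (not snakeoil)
#   3. if something still listens on 80, it is redirected with a 301 to https://
# Prints one line per failed check; returns non-zero if any check failed.
check_nginx_tls() {
    local cfg="$1" rc=0
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::]:)?443[[:space:]]+ssl' "$cfg" \
        || { echo "FAIL: no 'listen 443 ssl' in $cfg"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem' "$cfg" \
        || { echo "FAIL: ssl_certificate is not a Let's Encrypt fullchain.pem"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem' "$cfg" \
        || { echo "FAIL: ssl_certificate_key is not a Let's Encrypt privkey.pem"; rc=1; }
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::]:)?80[[:space:];]' "$cfg" \
       && ! grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$cfg"; then
        echo "FAIL: port 80 is served but never redirected to https://"
        rc=1
    fi
    return "$rc"
}

# ---- constructed sample inputs (not files from a real server) ----
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/good.conf"   # what certbot --nginx leaves after answering "2: Redirect"
BAD_CONF="$SAMPLE_DIR/bad.conf"     # "1: No redirect" plus Debian's snakeoil self-signed cert

cat > "$GOOD_CONF" <<'EOF'
server {
    server_name example.com www.example.com; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
EOF

cat > "$BAD_CONF" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}
EOF

# Stand-alone run: report on the two samples. On a real host point
# check_nginx_tls at /etc/nginx/sites-enabled/default, feed days_until the
# output of `openssl x509 -noout -enddate -in /etc/letsencrypt/live/<domain>/cert.pem`,
# and confirm the auto-renew timer with `systemctl list-timers certbot.timer`.
main() {
    echo "== $GOOD_CONF"; check_nginx_tls "$GOOD_CONF" && echo "ok"
    echo "== $BAD_CONF";  check_nginx_tls "$BAD_CONF"  || echo "not ready for production"
    local sample="notAfter=Mar 10 12:00:00 2025 GMT"   # constructed expiry line
    echo "days left for '$sample': $(days_until "$sample")"
    needs_renewal "$sample" && echo "certbot renew would renew it" || echo "certbot renew would skip it"
}
main
```

The config checks are deliberately line-oriented greps rather than a full nginx parser: they catch the two mistakes that most often survive a certbot run (answering "No redirect" so port 80 keeps serving plaintext, and a server block that still points at the Debian snakeoil certificate), and they can be run from a cron job alongside the renewal timer.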



The complete nginx default file after certbot has finished modifying it:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
server {

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name www.costudio.xyz costudio.xyz; # managed by Certbot

    location ^~ /assets/ {
        gzip_static on;
        expires 12h;
        add_header Cache-Control public;
    }

    # Reverse proxy to the application listening on localhost:3222.
    # The Upgrade/Connection headers let WebSocket connections pass through;
    # X-Forwarded-Proto tells the app that the client actually used HTTPS.
    location / {
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://localhost:3222;
    }

    # Added by certbot: the original listen 80 lines are gone, so this block
    # now serves HTTPS only, with the Let's Encrypt chain and private key.
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/costudio.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/costudio.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# Added by certbot when "2: Redirect" was chosen: plain HTTP requests for the
# site's names get a 301 to the https:// URL; any other Host header gets 404.
server {
    if ($host = www.costudio.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = costudio.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.costudio.xyz costudio.xyz;
    return 404; # managed by Certbot
}