Ubuntu安裝Nginx簽發免費證書

網域以example.com當範例,
作業系統版本以Ubuntu 18.04為主。
請先更新Ubuntu並安裝Nginx程式。

創建網頁存放位置
mkdir -p /var/www/example.com/html

設定網頁位置存取權限
chown -R $USER:$USER /var/www/example.com/html
chmod -R 755 /var/www/example.com

創建網頁
vi /var/www/example.com/html/index.html

置入網頁Demo內容
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Congratulations</title>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.4/css/bootstrap.min.css">
<script src="//cdn.bootcss.com/jquery/1.11.2/jquery.min.js"></script>
<script src="//cdn.bootcss.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container" style="margin-top:9%;">
  <h3>The site was created successfully and this page is automatically generated by the system.</h3>
</div>
</body>
</html>

設定網頁伺服器檔
vi /etc/nginx/sites-available/example.com

置入網頁伺服器檔內容
server {
        listen 80;
        listen [::]:80;

        root /var/www/example.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}
server {
listen 80;
listen [::]:80;

server_name example.com;

location / {
return 301 https://www.example.com$request_uri;
}
}

創建網頁伺服器檔連結到啟用站點的位置
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

開啟下列檔案,刪除server_names_hash_bucket_size的注釋
vi /etc/nginx/nginx.conf

增加certbot的PPA
add-apt-repository ppa:certbot/certbot

安裝Nginx適用的Certbot
apt install python-certbot-nginx

查看Nginx是否有錯誤
nginx -t

重啟Nginx
systemctl reload nginx

簽發免費憑證
certbot --nginx -d www.example.com -d example.com

初次簽發會要求輸入Email,接著同意條文,
成功後會自動將憑證寫入位於sites-available的網頁伺服器內容,
如果需要開啟自動跳轉HTTPS請在
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
詢問下選擇2: Redirect即可。

/*以下操作針對ubuntu 20.04簽發錯誤暫時的解決方案*/
打開configurator.py檔案
vi /usr/lib/python3/dist-packages/certbot_nginx/configurator.py

先鍵入:再接續輸入下列字串替換
%s/challenges.HTTP01, challenges.TLSSNI01/challenges.HTTP01/gc

保存並退出後,再次嘗試簽發憑證
certbot --nginx -d example.com

測試免費證書續簽
certbot renew --dry-run

增加Browser Cache與h2
vi /etc/nginx/sites-available/example.com

依照底下輸入粗體內容
server {

        root /var/www/example.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
    location ~*  \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }

    location ~*  \.(pdf)$ {
        expires 30d;
    }
    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

h2亦可直接輸入:與下列字串取代
%s/443 ssl;/443 ssl http2;/gc

留言

這個網誌中的熱門文章

華為HUAWEI B525 4G分享器簡易開箱測試

Redmi紅米 Note4x (Qualcomm SD625)啟用VoLTE功能

Hugiga L66長輩機 搭配 亞太 遠傳門號簡易開箱