为了确保到您的服务器的通信保持安全,我们为自己的域获取一个SSL证书。从Let 's Encrypt中获得一个免费证书,生成一个自签名证书。如何在Ubuntu 18.04中为Nginx创建一个自签名SSL证书。
首先,添加Certbot Ubuntu存储库:
sudo add-apt-repository ppa:certbot/certbot
您需要按回车键才能接受。接下来,用apt安装Certbot的Nginx包:
sudo apt install python-certbot-nginx
Certbot提供了多种通过插件获取SSL证书的方法。Nginx插件将负责重新配置Nginx并在必要时重新加载配置。要使用此插件,请键入以下内容:
sudo certbot --nginx -d [your_domain] -d [www.your_domain]
它certbot与--nginx插件一起运行,-d用于指定我们希望证书有效的名称。
如果这是您第一次运行certbot,将提示您输入电子邮件地址并同意服务条款。完成此操作后,certbot将与Let's Encrypt服务器通信,然后进行质询以验证您是否控制了要为其申请证书的域。
如果成功,certbot将询问您如何配置HTTPS设置。
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
选择您的选择,通常选择2吧,重定向。然后点击ENTER。配置将被更新,并且Nginx将重新加载以获取新设置。certbot会显示一条消息,告诉您该过程已成功完成,并且证书的存储位置:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[your_domain]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[your_domain]/privkey.pem
Your cert will expire on 2018-07-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
如果您按照先决条件中的Nginx安装说明进行操作,则不再需要冗余HTTP配置文件配额:
sudo ufw delete allow 'Nginx HTTP'
接下来就可以进去看看网站了。
https://[your_domain]