Let's Encrypt overview

HTTPS encryption has become standard for websites, and domain registrars usually sell paid SSL certificates for this purpose. Let's Encrypt is a certificate authority that issues SSL certificates free of charge, so a site can be served over HTTPS at no cost.

certbot is the tool officially recommended by Let's Encrypt; it automates obtaining SSL certificates with very little effort.

Configuring DNS

Before issuing a certificate, the server's address must be correctly configured in the DNS service provided by the registrar. Using Namecheap as an example:

In Domain List, choose Advanced DNS, then HOST RECORDS, and add the following entry:

Type Host Value TTL
A Record @ server-ip 5 min

Under Domain, fill in REDIRECT DOMAIN as follows so that requests are automatically redirected to https:

DNS routing

liuyaqiu.io –> https://liuyaqiu.io/

Obtaining a certificate

sudo apt install certbot
certbot certonly --standalone -d example.com

The certificate files are generated under /etc/letsencrypt/live/example.com.

ls /etc/letsencrypt/live/example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Nginx configuration

The nginx configuration file is /etc/nginx/sites-enabled/default; the relevant part looks like this:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    #listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    #root /var/www/html;
    root /path/of/website/;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name example.com;
    # Certificate chain and private key issued by certbot above
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Note: TLSv1 and TLSv1.1 are deprecated; listing only TLSv1.2 TLSv1.3 is the safer choice.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        alias /path/of/website/;
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

Note that ssl_certificate and ssl_certificate_key simply point to the paths of the corresponding certificate files.

Once the configuration is correct, restart the service:

sudo service nginx restart
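As an added example (not from the original post), the following POSIX shell script writes a hardened variant of the server block above and includes a small check that flags the weak setting in the post's block: `ssl_protocols` still enables TLSv1 and TLSv1.1, both of which are deprecated. The hardened variant keeps TLSv1.2 and TLSv1.3 only, adds a plain-HTTP listener whose sole job is to redirect to HTTPS (so the redirect does not depend on the registrar), and sends an HSTS header. The domain, web root and output path are assumed parameters; the generated file is meant for /etc/nginx/sites-available/ followed by `nginx -t`.

```shell
#!/bin/sh
# Added example, not the original post's configuration.
# write_hardened_site OUT DOMAIN WEBROOT
#   writes an nginx site file with TLS 1.2/1.3 only, an HTTP->HTTPS redirect
#   and HSTS. All three arguments are assumed values chosen by the caller.
write_hardened_site() {
    out="$1"; domain="$2"; webroot="$3"
    cat > "$out" <<EOF
# Plain-HTTP listener: answer every request with a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain;

    root $webroot;
    index index.html index.htm;

    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # HSTS: browsers that have seen this header use HTTPS for 6 months.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# has_legacy_tls FILE
#   returns 0 (true) if any ssl_protocols directive in FILE enables
#   TLSv1 or TLSv1.1, i.e. the weak setting from the post's server block.
has_legacy_tls() {
    grep -E '^[[:space:]]*ssl_protocols[[:space:]].*(TLSv1|TLSv1\.1)([[:space:]]|;)' "$1" >/dev/null
}

# Typical use (as root):
#   write_hardened_site /etc/nginx/sites-available/example.com example.com /var/www/example
#   has_legacy_tls /etc/nginx/sites-enabled/default && echo "default site still allows TLS 1.0/1.1"
#   nginx -t && systemctl reload nginx
```

Run `has_legacy_tls` against every file in /etc/nginx/sites-enabled/ after an upgrade or a copy-paste from an older template; it is a cheap way to catch the deprecated protocols before a scanner does.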

Renewing the certificate

Free Let's Encrypt certificates expire after 90 days and must be renewed before then:

certbot renew --dry-run

Note that for certificates obtained in standalone mode, the nginx service must be stopped before renewing.
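As an added example (not from the original post), the script below automates the stop-renew-start cycle the previous sentence describes. certbot's standalone authenticator needs port 80 for itself, so instead of stopping nginx by hand the script passes `--pre-hook` and `--post-hook` to `certbot renew`; certbot runs those hooks only when at least one certificate is actually due, so on the other days nginx is never interrupted. Two things worth knowing: `--dry-run` (the flag the post uses) only rehearses the renewal against the staging environment and does not replace the certificate, so the real job runs without it; and this script assumes nginx is managed by systemd as a unit named `nginx`.

```shell
#!/bin/sh
# Added example, not the original post's code.
# renew_standalone [--dry-run]
#   Renews every certificate certbot manages on this host. nginx is stopped
#   just before and started again right after the renewal, via certbot's
#   own hooks, so port 80 is free for the standalone challenge.
#   Assumes a systemd unit called "nginx".
renew_standalone() {
    dry="${1:-}"
    # $dry is deliberately unquoted: empty means "no extra argument".
    certbot renew $dry \
        --pre-hook  "systemctl stop nginx" \
        --post-hook "systemctl start nginx"
}

# verify_after_renewal
#   Validates the nginx configuration and reloads only if it is valid,
#   so a broken config never takes the site down after a renewal.
verify_after_renewal() {
    nginx -t >/dev/null 2>&1 || return 1
    systemctl reload nginx
}

# Typical use (as root):
#   renew_standalone --dry-run   # rehearse first (staging, nothing replaced)
#   renew_standalone && verify_after_renewal
# A cron entry such as the following (assumed schedule) runs it daily;
# certbot itself decides whether anything is due:
#   17 3 * * * /usr/local/sbin/renew.sh >> /var/log/certbot-renew.log 2>&1
```

The hooks are passed on the command line here for clarity; they can equally be placed in the per-certificate renewal configuration under /etc/letsencrypt/renewal/ so that a plain `certbot renew` picks them up.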

Nginx service error

Starting the nginx service fails with:

nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument

This is a known nginx bug; it can be worked around as follows:

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx

Raising the server's open-file limit

As a network server, the machine should have ulimit set explicitly so that the system allows enough open files and clients do not stall. The default is 1024; a minimum of 8192 is recommended.

# Set the maximum number of open files to 16384
ulimit -n 16384
# Show all ulimit settings
ulimit -a
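As an added example (not from the original post), the script below turns the recommendation above into a check and a persistent setting. `ulimit -n` only changes the limit of the shell it is typed into; the nginx service inherits its limit from systemd, not from an interactive shell. The script therefore uses the same systemd drop-in mechanism the post already used for the PID-file fix, setting `LimitNOFILE` for the nginx unit. The minimum of 8192 and the target of 16384 are the post's numbers; the drop-in directory is a parameter so the function can be tested against a scratch directory.

```shell
#!/bin/sh
# Added example, not the original post's code.
MIN_NOFILE=8192   # the post's recommended minimum

# nofile_ok LIMIT [MIN]
#   returns 0 if LIMIT (a number or "unlimited") meets MIN (default 8192).
nofile_ok() {
    [ "$1" = "unlimited" ] && return 0
    [ "$1" -ge "${2:-$MIN_NOFILE}" ]
}

# check_current_shell
#   reports whether this shell's soft limit meets the minimum.
check_current_shell() {
    cur=$(ulimit -n)
    if nofile_ok "$cur"; then
        echo "open-file limit $cur meets the minimum of $MIN_NOFILE"
    else
        echo "open-file limit $cur is below $MIN_NOFILE; raise it"
        return 1
    fi
}

# write_nofile_dropin UNIT_DIR LIMIT
#   writes UNIT_DIR/nginx.service.d/nofile.conf raising LimitNOFILE for nginx.
#   UNIT_DIR is /etc/systemd/system on a real host (assumed layout).
write_nofile_dropin() {
    dir="$1"; limit="$2"
    mkdir -p "$dir/nginx.service.d"
    printf '[Service]\nLimitNOFILE=%s\n' "$limit" > "$dir/nginx.service.d/nofile.conf"
}

# Typical use (as root):
#   check_current_shell
#   write_nofile_dropin /etc/systemd/system 16384
#   systemctl daemon-reload && systemctl restart nginx
#   grep -i 'open files' /proc/$(cat /run/nginx.pid)/limits   # confirm what nginx actually got
# nginx additionally has its own worker_rlimit_nofile directive in nginx.conf;
# set it to the same value so the workers can use the limit systemd grants.
```

The final `grep` on /proc/PID/limits is the check that matters: it shows the limit the running nginx master process actually has, which is what clients experience, rather than the value in whichever shell you happen to be logged into.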