Deploying Let's Encrypt

With Google Chrome and the App Store now mandating HTTPS, on top of the nasty HTTP hijacking practised by domestic network operators, deploying HTTPS on a website has become unavoidable.

Let's Encrypt is a free, automated and open certificate authority run by the Internet Security Research Group (ISRG). Its certificates are valid for only 90 days, however, so they must be renewed before they expire.

Deployment

Certbot is an automated client for Let's Encrypt that can renew certificates before they expire.

The following is the deployment procedure for Nginx on Debian 8 (jessie).

Install certbot

# Preparation
$ echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/jessie-backports.list # add the jessie-backports repository
$ sudo apt update

# Install
$ sudo apt-get install certbot -t jessie-backports

Configure nginx

# create root directory
$ sudo mkdir /var/www/example

# nginx sites-enabled example
$ sudo vim /etc/nginx/sites-enabled/example
server {
  listen 80;
  listen [::]:80;

  server_name example.com www.example.com;

  root /var/www/example;
  # certbot's webroot challenge files are served from here
  location /.well-known {
    allow all;
  }
}
# reload nginx
$ sudo nginx -s reload

Run certbot

# obtain the certificate using the webroot challenge
$ sudo certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com

# verify that automatic renewal works
$ sudo certbot renew --dry-run

# after a renewal nginx must be reloaded for the new certificate to take effect;
# add a renew-hook to the certbot service that reloads nginx
# (edits to the packaged unit file are lost on upgrade; `sudo systemctl edit certbot.service` keeps an override under /etc instead)
$ sudo vim /lib/systemd/system/certbot.service
ExecStart=/usr/bin/certbot -q renew --renew-hook 'nginx -s reload'
$ sudo systemctl daemon-reload
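
A renewal that silently fails (broken hook, challenge no longer reachable) only becomes visible when the 90-day certificate expires, so an expiry check that runs independently of certbot's timer is worth having in cron. The script below is an added example, not part of the original post: it reads notAfter from the fullchain.pem path certbot created above via the openssl CLI and exits non-zero when fewer than 30 days remain, the point at which certbot should already have renewed; the threshold and exit codes are this example's own choices.

```python
#!/usr/bin/env python3
"""Monitoring check for a certbot-managed certificate: days left, and has the
scheduled renewal already failed? Runs independently of certbot's own timer."""
import subprocess
import sys
from datetime import datetime, timezone

# certbot renews once fewer than 30 days remain; fewer than that at check time
# means at least one scheduled renewal has not succeeded.
WARN_DAYS = 30

def parse_not_after(enddate_line):
    """Turn openssl's 'notAfter=Jun 12 10:00:00 2025 GMT' into an aware datetime."""
    value = enddate_line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)

def days_until_expiry(not_after, now=None):
    """Whole days remaining; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days

def classify(days_left, warn_days=WARN_DAYS):
    """Map remaining days to a status label and a cron/Nagios-style exit code."""
    if days_left < 0:
        return "EXPIRED", 2
    if days_left < warn_days:
        return "RENEWAL OVERDUE", 1
    return "OK", 0

def read_not_after(cert_path):
    """Ask openssl for notAfter of the first (leaf) certificate in a PEM file."""
    result = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True)
    return parse_not_after(result.stdout)

def check_cert(cert_path, warn_days=WARN_DAYS):
    days_left = days_until_expiry(read_not_after(cert_path))
    status, code = classify(days_left, warn_days)
    print(f"{status}: {cert_path} expires in {days_left} days")
    return code

if __name__ == "__main__":
    # default is the live/ path certbot created for the domain above
    default = "/etc/letsencrypt/live/example.com/fullchain.pem"
    sys.exit(check_cert(sys.argv[1] if len(sys.argv) > 1 else default))
```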

Enable SSL

# nginx sites-enabled example
$ sudo vim /etc/nginx/sites-enabled/example
server {
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name example.com www.example.com;

  ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;

  root /var/www/example;
  location /.well-known {
    allow all;
  }
}

# reload nginx
$ sudo nginx -s reload