使用 Let’s Encrypt 及 Certbot 在 Debian 上的 Nginx 啟用 HTTPS

本篇文章所搭配環境為 Debian 9 + Nginx 並使用架構在 Let’s Encrypt 上的 Certbot 來啟用 HTTPS 。

 

找出各網域所對應的根目錄

先去 /etc/nginx/sites-enabled/default 這個檔案記錄下各子網域所對應的根目錄
例如我的像是這樣
dreambreakerx.com /usr/share/nginx/www
api.dreambreakerx.com /usr/share/nginx/api
blog.dreambreakerx.com /usr/share/nginx/blog

 

安裝 Certbot


apt-get install python-certbot-nginx -t stretch-backports

如果無錯誤請直接跳到設定 Certbot 那個步驟,若是出現
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources
請按照 https://backports.debian.org/Instructions/
編輯 /etc/apt/sources.list 這個檔案新增這行
deb http://ftp.debian.org/debian stretch-backports main


pico /etc/apt/sources.list
apt-get update
apt-get install python-certbot-nginx -t stretch-backports

 

設定 Certbot


certbot --authenticator webroot --installer nginx

各項設定請參考下面,需要注意的是我輸入一個空格字元選擇所有的網域,以及最後我設定強制使用 https


Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): example@gmail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: dreambreakerx.com
2: api.dreambreakerx.com
3: blog.dreambreakerx.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Input the webroot for dreambreakerx.com: (Enter 'c' to cancel): /usr/share/nginx/www

Select the webroot for api.dreambreakerx.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /usr/share/nginx/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Input the webroot for api.dreambreakerx.com: (Enter 'c' to cancel): /usr/share/nginx/api

Select the webroot for blog.dreambreakerx.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /usr/share/nginx/api
3: /usr/share/nginx/www
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Input the webroot for blog.dreambreakerx.com: (Enter 'c' to cancel): /usr/share/nginx/blog

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

接著可以試試新網址,也試試舊網址有沒有轉址到 https

 

自動更新證書

更新時使用這句


certbot renew --dry-run

也可以加入 Cron Job ,讓它每個星期一早上3點30分自動執行


crontab -e
30 3 * * 1 certbot renew --dry-run

 

發表迴響