Managing HTTPS certificates: Certbot

  • Post category: Tech

Today I came across a project on GitHub that uses certbot to manage its certificates. I tried it out and found it fairly simple. The main points:

  • You start with a minimal nginx config; once certbot runs it rewrites the nginx conf for you automatically
  • It generates /etc/cron.d/certbot automatically, and that job runs as root.

PS: Ubuntu Minimal does not ship with cron, so you also need sudo apt install cron

The full installation procedure:

  1. Install nginx and certbot (with its nginx plugin):
sudo apt update
sudo apt install -y nginx certbot python3-certbot-nginx
  2. Put the following config into /etc/nginx/sites-available/code-server with sudo:
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com;

    location / {
      proxy_pass http://localhost:8080/;
      proxy_set_header Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection upgrade;
      proxy_set_header Accept-Encoding gzip;
    }
}

Remember to replace mydomain.com with your domain name!

  3. Enable the config, then let certbot obtain the certificate and add the HTTPS server block and redirect:
sudo ln -s ../sites-available/code-server /etc/nginx/sites-enabled/code-server
sudo certbot --non-interactive --redirect --agree-tos --nginx -d mydomain.com -m me@example.com

Make sure to substitute me@example.com with your actual email.

Visit https://<your-domain-name> to access code-server. Congratulations!


Installing an SSL certificate in two steps

  • Post category: Tech

Preface

I had always assumed that an SSL certificate was something you had to pay for; it turns out Let's Encrypt issues them for free. Of course, the free certificates are only valid for 90 days, but there are plenty of tools online that renew them for you automatically.

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time.

The tool I found is called acme.sh: a plain bash script with nothing else to install.

Installing acme.sh

Usage is also fairly simple: two steps, issue the certificate, then install it. Note that the installed certificate must end up under the nginx directory.

# download acme.sh
curl https://get.acme.sh | sh

# issue certificate
acme.sh --issue -d example.com -w /var/www/.letsencrypt

# install
acme.sh --install-cert -d example.com \
--key-file       /etc/nginx/ssl/site.key  \
--fullchain-file /etc/nginx/ssl/site.cert \
--reloadcmd     "sudo service nginx reload"

Update the Nginx configuration

server {
    listen 443 ssl;
    ...

    ssl_certificate /etc/nginx/ssl/site.cert;
    ssl_certificate_key /etc/nginx/ssl/site.key;
    # do not use SSLv3 (POODLE); TLSv1 and TLSv1.1 are also deprecated by
    # RFC 8996, so on a current nginx prefer "ssl_protocols TLSv1.2 TLSv1.3;"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 80;
    root /var/www/.letsencrypt/;
    index index.html;

    # everything except the ACME challenge path is redirected to https
    location / {
        rewrite ^/(.*)$ https://$host$request_uri permanent;
    }

    # acme.sh writes its http-01 challenge files under the webroot given with -w,
    # so this prefix must stay reachable over plain http
    location ^~ /.well-known/ {
        try_files $uri $uri/ =404;
    }
}

Renewing the SSL certificate

During installation acme.sh adds a daily job to the crontab that checks shortly after midnight whether the certificate needs renewing:

30 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
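Both procedures above (certbot's cron.d entry and acme.sh's crontab job) renew silently, so it is worth being able to confirm what they left behind. The following bash functions are an added example, not code from this post, acme.sh or certbot; they assume openssl is installed and use the paths /etc/nginx/ssl/site.cert and /etc/nginx/ssl/site.key from the acme.sh --install-cert step.

```bash
#!/usr/bin/env bash
# Post-install checks for a certificate installed by acme.sh or certbot.
# Added example for this post; it is not part of acme.sh, certbot or nginx.
# Assumed paths come from the acme.sh --install-cert step above:
#   /etc/nginx/ssl/site.cert (fullchain) and /etc/nginx/ssl/site.key

# Print the notAfter date of the first certificate in PEM file $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Count certificates in a PEM bundle. A fullchain file should hold at least
# two (leaf + intermediate); exactly one usually means only the leaf was
# installed, and clients that lack the intermediate will fail validation.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if the private key in $2 matches the certificate in $1 (works for
# RSA and ECDSA keys), 1 otherwise. A mismatch makes nginx refuse to start.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $1 stays valid for more than $2 days
# (default 30, the window in which acme.sh and certbot renew), 1 if it expires
# sooner, meaning the cron job has evidently not renewed it, 2 if unreadable.
check_cert() {
    local cert="$1" min_days="${2:-30}"
    [ -r "$cert" ] || { echo "ERROR: cannot read $cert" >&2; return 2; }
    if openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null; then
        echo "OK: $cert valid beyond $min_days days (notAfter=$(cert_not_after "$cert"))"
        return 0
    fi
    echo "RENEW: $cert expires within $min_days days (notAfter=$(cert_not_after "$cert"))" >&2
    return 1
}
```

Source the file and run `check_cert /etc/nginx/ssl/site.cert 30 && key_matches_cert /etc/nginx/ssl/site.cert /etc/nginx/ssl/site.key` after the install step, or from a second cron entry that alerts when it exits non-zero.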
