Google+ Followers

2016年1月17日 星期日

試試 Let's Encrypt 免費的 HTTPS/SSL 憑證服務 @ Ubuntu 14.04、Nginx

之前有一台機器不小心誤裝 Ubuntu 14.10 ,然後 Ubuntu 15.10 一出現就沒得更新了!一直晾在那邊!終於把它清乾淨,重新開始,還是裝個 Ubuntu 14.04 吧。以前在 Namecheap 買 domain name,當時是有很便宜的 SSL 方案(一年兩美金),但我連自己產生 key 的密碼都忘了,懶得再重新產生,就試試 Let's Encrypt 吧!由於 Nginx 尚未有配套措施,一切純手工處理:

$ git clone /opt/letsencrypt
$ cd /opt/letsencrypt && ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 --email [email protected] -d your-domain

接著會要求你設置驗證方式,例如在 Web server document root 埋一個檔案,讓 Let's Encrypt 可以驗證 domain 真的是屬於你的。驗證後就搞定,呈現也下資訊:

 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected]
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/your-domain/fullchain.pem. Your cert will
   expire on 2016-04-16. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

接著,就來試試 nginx ssl 設定:

$ sudo vim /etc/nginx/conf.d/default.conf
server {
    listen       80;

    listen  443 ssl;
    ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    server_name  localhost;

$ sudo service nginx restart