$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt && ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 --email admin@your-email-domain -d your-domain
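Next you will be asked to set up a validation method, for example placing a file in the web server's document root so that Let's Encrypt can verify the domain really belongs to you. Once validation passes you are done, and the following information is shown: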
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to admin@your-email-domain.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/your-domain/fullchain.pem. Your cert will
   expire on 2016-04-16. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
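The notes above point out that /etc/letsencrypt holds the account credentials and private keys and should be backed up securely. One way to check that the keys are not accessible beyond their owner and to take an owner-only backup, as an added example that is not from the original post; the function names, the file-name patterns privkey*.pem and private_key.json, and the backup destination in the usage comment are assumptions:

```shell
#!/bin/sh
# Added example: audit and back up a Let's Encrypt configuration directory.
# Assumption: private keys are stored as privkey*.pem (certificate keys)
# and private_key.json (account keys) somewhere under the directory.

# List private-key files under $1 that have any group/other permission bit set.
# Returns 0 when none are exposed, 1 otherwise.
audit_key_perms() {
    dir=$1
    exposed=$(find "$dir" -type f \
        \( -name 'privkey*.pem' -o -name 'private_key.json' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$exposed" ]; then
        printf 'private key accessible beyond owner:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Archive directory $1 into tarball $2. umask 077 makes the archive
# readable by its owner only; tar stores the live/ symlinks as symlinks.
backup_config() {
    src=$1
    out=$2
    ( umask 077 && tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" )
}

# Usage (as root; the destination path is only an example):
#   audit_key_perms /etc/letsencrypt && \
#       backup_config /etc/letsencrypt /root/letsencrypt-backup.tar.gz
```

The archive contains the private keys in the clear, so store it with the same care as the directory itself.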
Next, let's try the nginx SSL configuration:
$ sudo vim /etc/nginx/conf.d/default.conf
server {
    listen       80;
    listen  443 ssl;
    ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
    server_name  localhost;
...
$ sudo service nginx restart
Done.