Configure HTTPS for Nginx with Let's Encrypt
With Let's Encrypt, obtaining an SSL certificate is no longer difficult, but Let's Encrypt is still in its early stage and does not yet support automatic configuration of nginx. We can, however, write scripts that configure our nginx server semi-automatically.
Here are the scripts I used, to share with you.
What can these scripts do?
- With a single command, request an SSL certificate for every nginx domain name that points to this server.
- Use a Crontab task to renew the certificates automatically.
- A simple nginx configuration example that redirects all domain names starting with www to the corresponding domain name without www and gets an A+ score on SSL Labs.
Install
I have integrated Let's Encrypt into this project as a submodule. You only need to clone this project.
git clone https://github.com/songchenwen/nginx-ssl-config-with-letsencrypt.git
cd nginx-ssl-config-with-letsencrypt
git submodule init
git submodule update --remote
Apply for a certificate
Edit ssl/config and enter your domain name. You can enter multiple domain names; the first one will be used as the Common Name. The certificate is saved under /etc/letsencrypt/live/ in a directory named after the Common Name.
Select a Let's Encrypt server. The server whose name starts with acme-v01 is the production server; it has a strict limit on the number of requests, so we do not recommend using it for experiments. The server whose name starts with acme-staging is the test server; it has no limit on the number of requests, but the certificates it issues are not valid (browser-trusted) ones. We recommend using it to test your configuration.
Configure nginx
Let's Encrypt requires an HTTP server that can serve a file when you apply for or renew the certificate, so that it can verify your ownership of the domain name.
Here I use a simple nginx configuration file, letsencrypt_challenge, to redirect all HTTP requests for this server's domain names to the corresponding HTTPS requests, keeping only the URLs required for Let's Encrypt verification on HTTP.
sudo cp nginx-config/letsencrypt_challenge /etc/nginx/sites-available/letsencrypt_challenge
sudo ln -s /etc/nginx/sites-available/letsencrypt_challenge /etc/nginx/sites-enabled/letsencrypt_challenge
sudo nginx -s reload
Execute the script
Run ssl/apply_all_certs.sh and follow the prompts to enter your email; your certificate will then be requested.
bash ssl/apply_all_certs.sh
sudo nginx -s reload
Nginx configuration file example
In the nginx-config directory there are three useful nginx configuration files. Remember to modify them before using them; at the very least, replace my domain name with yours.
letsencrypt_challenge
Redirects all HTTP requests for this server's domain names to the corresponding HTTPS requests, keeping only the URLs required for Let's Encrypt verification on HTTP.
www_to_none_www
Redirect https requests for all domain names starting with www to the corresponding domain name without www.
sample_config
A simple server configuration file that helps you easily get a high score on SSL Labs. Uncommenting the line just before the final } enables HSTS, which raises the score to A+.
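The three files described above, condensed into one added example that is not the project's own nginx-config (it assumes the domain example.com, an ACME webroot at /var/www/letsencrypt, and certificates under /etc/letsencrypt/live/example.com/):

```nginx
# Added example, not the project's nginx-config files. Assumed values:
# domain example.com, ACME webroot /var/www/letsencrypt, and certificates
# under /etc/letsencrypt/live/example.com/ (the Common Name directory).

# Plain HTTP: answer ACME challenges, send everything else to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;

    # Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token>
    # to prove you control the name. Serve it from the webroot the client
    # writes to, and never redirect it, or validation fails.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS www -> non-www. Works only if www.example.com was listed in
# ssl/config, so that it is a SAN on the same certificate.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 301 https://example.com$request_uri;
}

# HTTPS site.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2;            # hardening choice assumed here
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/example.com;

    # HSTS: uncomment once every host under the domain serves HTTPS;
    # browsers then refuse plain HTTP for max-age seconds (one year here).
    # add_header Strict-Transport-Security "max-age=31536000";
}
```

Run `nginx -t` after editing and check that a URL under /.well-known/acme-challenge/ answers on plain HTTP while any other path returns a 301 to HTTPS.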
Crontab task for automatic certificate renewal
Let's Encrypt issues certificates that are valid for only 90 days, so we need a way to renew them automatically. A Crontab task that renews once a month is enough. This task must run with root permission because, after renewal, the nginx configuration has to be reloaded for the new certificate to take effect.
sudo crontab -e
The content of the Crontab task is as follows:
0 2 1 1-12 * /path/to/ssl/renew_all_certs.sh