- Prerequisites:
```bash
# Install the required packages
apt update
apt install nginx certbot python3-certbot-nginx
# Make sure nginx is running and starts on boot
systemctl start nginx
systemctl enable nginx
```
- Basic nginx configuration (/etc/nginx/sites-available/yourdomain.com):
Create a new configuration file:
```bash
sudo nano /etc/nginx/sites-available/yourdomain.com
```
```nginx
server {
    listen 80;
    server_name yourdomain.com; # replace with your domain
    root /var/www/baogong; # web root directory
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}
```
- Enable the new configuration:
```bash
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
# Check the configuration syntax
sudo nginx -t
# Restart nginx
sudo systemctl restart nginx
```
- Request an SSL certificate:
```bash
# Let certbot request the certificate and configure nginx for you (choose 2 at the prompt)
certbot --nginx -d yourdomain.com
# Or only request the certificate without touching the nginx configuration
certbot certonly --nginx -d yourdomain.com
```
- Certificate file locations:
```bash
/etc/letsencrypt/live/yourdomain.com/fullchain.pem # full certificate chain
/etc/letsencrypt/live/yourdomain.com/privkey.pem # private key
```
- Automatic SSL renewal setup:
```bash
# Test automatic renewal without changing anything
certbot renew --dry-run
# Show the current renewal timer
systemctl list-timers certbot.timer
# Make sure the renewal timer is enabled and running
systemctl enable certbot.timer
systemctl start certbot.timer
```
- Example nginx SSL configuration:
```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # SSL hardening
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # HSTS (optional)
    add_header Strict-Transport-Security "max-age=63072000" always;
    root /var/www/html;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}
```
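As an added example that is not part of the original note, here is a small POSIX shell lint that checks an nginx server block for three of the settings the configuration above gets right: only TLSv1.2/1.3 enabled, session tickets switched off, and an HSTS header present. It also writes a deliberately weak sample block and the hardened one from above (both constructed here) so it can run without a live nginx; the function names and temporary file paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the original note: lint the TLS directives of
# an nginx server block. Flags legacy protocol versions, session tickets
# not switched off, and a missing HSTS header. Needs only grep, wc, mktemp.
set -eu

# Print one finding per line for the nginx config file in $1.
# The anchors require the directive at the start of the line (after
# whitespace), so commented-out directives do not count.
tls_findings() {
  f=$1
  # SSLv3, TLSv1 or TLSv1.1 listed in ssl_protocols. TLSv1.2/1.3 are not
  # matched because "TLSv1" must be followed by a space or ';'.
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)' "$f"; then
    echo "legacy protocol in ssl_protocols; allow only TLSv1.2 TLSv1.3"
  fi
  if ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off' "$f"; then
    echo "ssl_session_tickets not set to off; tickets weaken forward secrecy unless ticket keys are rotated"
  fi
  if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f"; then
    echo "no Strict-Transport-Security header; browsers may still be sent to plain HTTP"
  fi
}

# Number of findings for the file in $1 (0 means all checks pass).
tls_finding_count() {
  tls_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample: the kind of block an old guide leaves behind.
# Written to the path in $1.
write_weak_config() {
  cat >"$1" <<'EOF'
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_session_tickets off;   (commented out, so it does not count)
    root /var/www/html;
}
EOF
}

# Constructed sample: the hardened settings from the note above.
write_hardened_config() {
  cat >"$1" <<'EOF'
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    root /var/www/html;
}
EOF
}

# Usage: sh tls-lint.sh /etc/nginx/sites-available/yourdomain.com
# Exits non-zero when the given file has findings, so it can gate a deploy.
# Without an argument it lints the two constructed samples instead.
if [ "$#" -gt 0 ]; then
  tls_findings "$1"
  [ "$(tls_finding_count "$1")" = 0 ]
else
  weak=$(mktemp) && hard=$(mktemp)
  write_weak_config "$weak"
  write_hardened_config "$hard"
  echo "weak sample:";     tls_findings "$weak"
  echo "hardened sample:"; tls_findings "$hard"
  rm -f "$weak" "$hard"
fi
```

Run it against the site file before `nginx -t`; a non-zero exit means at least one of the three settings has drifted from the hardened block above.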
- Important notes:
  - Certificates are valid for 90 days
  - Let's Encrypt recommends renewing 30 days before expiry
  - certbot creates the renewal timer automatically
  - You can test the configuration with SSL Labs: https://www.ssllabs.com/ssltest/
  - Make sure the firewall allows ports 80 and 443
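The 90-day validity and 30-day renewal window above are worth checking independently of certbot's own timer, so a silent renewal failure is noticed before the certificate expires. The script below is an added example (not from the original note): it reads the notAfter date from a certificate file with openssl and reports whether the certificate is inside the renewal window. It assumes GNU date (`date -d`) as shipped on Debian/Ubuntu and openssl on PATH; the function names and the sample dates are this example's own.

```shell
#!/bin/sh
# Added example (not from the original note): report how many days a
# certificate has left and flag it once it is inside the 30-day renewal
# window Let's Encrypt recommends. Assumes GNU date (date -d) and openssl.
set -eu

# Whole days from the date in $1 to the date in $2. Both use the format
# openssl prints for notAfter, e.g. "Mar  2 00:00:00 2025 GMT".
days_between() {
  from_s=$(date -u -d "$1" +%s)
  to_s=$(date -u -d "$2" +%s)
  echo $(( (to_s - from_s) / 86400 ))
}

# True (exit 0) when the days left in $1 are at or below the threshold
# in $2 (default 30 days, the renewal window recommended by Let's Encrypt).
needs_renewal() {
  threshold=${2:-30}
  [ "$1" -le "$threshold" ]
}

# notAfter of the first certificate in a PEM file; for a fullchain.pem
# that is the leaf certificate, which is the one that expires first.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Days left on a certificate file, measured from the current UTC time.
cert_days_left() {
  now=$(date -u '+%b %e %H:%M:%S %Y GMT')
  days_between "$now" "$(cert_not_after "$1")"
}

# Usage: sh cert-check.sh /etc/letsencrypt/live/yourdomain.com/fullchain.pem
# Exit status 2 signals "inside the renewal window" so a cron job or
# monitoring check can alert on it.
if [ "$#" -gt 0 ]; then
  left=$(cert_days_left "$1")
  if needs_renewal "$left"; then
    echo "WARNING: $1 expires in $left days; run 'certbot renew' and check its log"
    exit 2
  fi
  echo "OK: $1 expires in $left days"
fi
```

Pointing it at fullchain.pem rather than the chain's intermediate is deliberate: the leaf is the certificate certbot renews, and a warning here while `certbot.timer` is active usually means the renewal itself is failing and `journalctl -u certbot.service` is the next place to look.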
- Troubleshooting:
```bash
# View the certbot log
journalctl -u certbot.service
# Check the nginx configuration
nginx -t
# Follow the nginx error log
tail -f /var/log/nginx/error.log
```
- Rolling back after a renewal:
```bash
# If problems appear after a renewal, roll back to the previous certificate
certbot rollback
```