Time to Support HTTPS: Free SSL Certificate Let's Encrypt Configuration Tutorial

Reference: https://timyang.net/web/https-nginx-ubuntu-howto/

Today I took the time to add HTTPS support to the blog and shut down the original HTTP service.
Since a certificate is only needed for the website's domain name, I used the free Let's Encrypt certificate service.
According to Wikipedia, Let's Encrypt is a digital certificate authority launched in the third quarter of 2015 that provides free SSL/TLS certificates to secure websites through an automated process designed to eliminate the complex manual process of creating and installing certificates. Let's Encrypt is a service provided by the Internet Security Research Group (ISRG, a nonprofit). Major sponsors include the Electronic Frontier Foundation, the Mozilla Foundation, Akamai, and Cisco.
On December 3, 2015, the service entered the public beta phase and was officially open to the public.
On April 12, 2016, the project officially left the Beta stage.
As of September 9, 2016, Let's Encrypt has issued 10 million certificates. Therefore, for most small and medium-sized websites, it is an option worth considering.

The main steps to enable and configure HTTPS are as follows, assuming you already have a functioning HTTP website.
1. Open https://certbot.eff.org/ and select the corresponding operating system and web server. After selecting, instructions for that platform will appear. Since my system runs nginx on CentOS (7.x), the instructions page that appears after selection is https://certbot.eff.org/#centosrhel7-nginx

2. Execute the commands, changing the webroot path and domain name parameters as needed.

$ sudo yum install certbot
$ letsencrypt certonly --webroot -w /alidata/www/wordpress -d gittoy.com -d www.gittoy.com

3. Modify the nginx configuration: change the port 80 settings to port 443 and add the related SSL directives (edit the .conf file under the nginx directory).

# listen 80;
listen 443 ssl;
server_name localhost;

ssl_certificate /etc/letsencrypt/live/gittoy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gittoy.com/privkey.pem;

Add a redirect so that port 80 automatically jumps to HTTPS (you can add a separate .conf file or modify an existing one):

server {
    listen 80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

4. Restart nginx to make the configuration take effect: nginx -s reload

Then open the site in Chrome; if a lock icon appears before the URL, the setup was successful.
If the page also embeds HTTP resources (mixed content), Chrome will still show the "i" icon instead of the lock; you can fix them one by one by clicking the "i" and following the element description.

Also note that a Let's Encrypt certificate is only valid for 90 days at a time, but it can be renewed via a script.

Test run:

letsencrypt renew --dry-run --agree-tos

If the dry run succeeds, it is recommended to add the official renewal command to cron once and for all.

Check which jobs are currently scheduled in your crontab:

crontab -l

Edit the current crontab:

crontab -e

Add the renewal job below:

0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"

The above runs twice a day, which is the official recommendation. The original wording is as follows:

Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

Why not every 90 days or every 5 days? Because if the server is rebooted at some point and a run is missed, the next attempt is pushed back by another whole interval and the certificate can expire in the meantime. The --renew-hook option reloads the nginx configuration when the certificate is successfully renewed; without it, nginx has to be reloaded or restarted manually.
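As an added check that is not part of the original tutorial, the following Python script lints the nginx snippets from step 3 and the renewal cron line above before you reload nginx: it flags a certificate key path that is not a single path, a certificate that is not the fullchain, a missing port-80 redirect, and a renewal job that runs less than twice a day or has no reload hook. The sample configuration and cron line are constructed from this page, and the key path in the sample deliberately keeps a stray space so the check has something to catch.

```python
import re

# Constructed sample based on the nginx snippets in this tutorial; the key path
# deliberately keeps a stray space so the check has a defect to catch.
NGINX_CONF = """server {
    listen 443 ssl;
    server_name gittoy.com www.gittoy.com;
    ssl_certificate /etc/letsencrypt/live/gittoy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gittoy.com /privkey.pem;
}
server {
    listen 80;
    server_name gittoy.com www.gittoy.com;
    return 301 https://$host$request_uri;
}"""
# Constructed cron line, as recommended in the tutorial.
CRON_LINE = '0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"'

def check_nginx_tls(conf):
    """Return a list of problems with the HTTPS/redirect setup (empty = OK)."""
    problems = []
    # Bodies of top-level server { ... } blocks; nested braces are not expected.
    blocks = re.findall(r"server\s*\{(.*?)\}", conf, re.S)
    tls = [b for b in blocks if re.search(r"listen\s+443\s+ssl;", b)]
    plain = [b for b in blocks if re.search(r"listen\s+80;", b)]
    for b in tls:
        cert = re.search(r"ssl_certificate\s+(.*?);", b)
        key = re.search(r"ssl_certificate_key\s+(.*?);", b)
        if not cert or not cert.group(1).endswith("/fullchain.pem"):
            problems.append("ssl_certificate should be live/<domain>/fullchain.pem")
        # A space inside the path makes nginx see two arguments instead of one file.
        if not key or " " in key.group(1) or not key.group(1).endswith("/privkey.pem"):
            problems.append("ssl_certificate_key must be one path ending in privkey.pem")
    if not plain:
        problems.append("no server block listens on 80 to redirect to https")
    for b in plain:
        if "return 301 https://$host$request_uri;" not in b:
            problems.append("port-80 block does not redirect to https")
    return problems

def renew_job_ok(cron_line):
    """True if the job runs at least twice a day and reloads nginx after renewal."""
    _minute, hour, _dom, _mon, _dow, cmd = cron_line.split(None, 5)
    if hour == "*":
        often = True
    elif hour.startswith("*/"):
        often = int(hour[2:]) <= 12
    else:
        often = len(hour.split(",")) >= 2  # explicit hour list, e.g. "3,15"
    return often and "renew" in cmd and "hook" in cmd and "nginx" in cmd
```

Run check_nginx_tls on your real server block text and renew_job_ok on the line you put in crontab -e; an empty list and True mean the setup matches the steps above.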

A problem many people run into is not knowing whether crontab is actually executing their jobs. I recommend adding a job that appends the current time every minute, which in my opinion is the most effective check.

*/1 * * * * echo "$(date)" >>/var/log/datecron.txt

Check whether it ran automatically:

cat /var/log/datecron.txt

Although Let's Encrypt is a free service, readers who are happy with it can also visit their website to make a donation.
