How do I bootstrap certbot on a domain that hard-redirects to https?


I have a working Nginx configuration that:

  1. Performs a hard redirect (301) from http to https

  2. Additionally, ignores sub-paths on http (http://www.example.com/ANY/THING redirects to the bare https://example.com)

  3. Serves the application over https

How do I modify the config file so that I can:

  • Generate an HTTPS certificate with certbot/Let's Encrypt

  • Run certbot renew within the 90 days without editing the config

Answer 1

This example uses a static root rather than an application. Replace the location / block in the HTTPS section as needed...

1) Create the conf file (note that the ssl_certificate lines are commented out)

server {
    # naive redirect of HTTP to HTTPS
    server_name example.com;

    listen *:80;
    listen [::]:80;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://example.com;
    }
}

server {
    # main server block
    server_name example.com;

    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/html;
    index index.html index.htm;

    location / {
        # replace this with directives for your application
        try_files $uri $uri.html $uri/ =404;
    }

}

2) Run certbot

certbot certonly --authenticator webroot --webroot-path /var/www/letsencrypt -d example.com

3) Update the conf file. Uncomment the ssl_certificate lines:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

4) Restart nginx

service nginx restart

5) Test renewal (a forced renewal, not a dry run)

certbot renew --force-renewal

6) After 90 days, renew normally...

certbot renew
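The step that makes this work is that the port-80 server block routes /.well-known/acme-challenge/ to a webroot before the catch-all redirect fires; a server-level `return 301` would send the challenge to HTTPS before any certificate exists and the webroot authenticator would fail. As an added example, not part of the answer above, here is a small Python check that parses a config in this shape and verifies that rule. It implements nginx's location selection order (`=` exact, then longest prefix with `^~` short-circuiting, then regex locations in order, then the longest plain prefix). Both sample configs are constructed for this example; the second one deliberately shows the server-level redirect mistake.

```python
"""Static check: does the port-80 server block let the ACME challenge through?

Added example, not code from the original answer. Parses a simplified nginx
config (directives end with ';', blocks are 'name args { ... }') and resolves
the ACME challenge path the way nginx would pick a location for it.
"""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: the answer's HTTP block, which is the correct layout.
GOOD_CONF = """
server {
    server_name example.com;
    listen *:80;
    listen [::]:80;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://example.com;
    }
}
"""

# Constructed counter-example: a server-level return runs before any location
# is matched, so the challenge request is redirected to HTTPS too.
BAD_CONF = """
server {
    server_name example.com;
    listen 80;
    return 301 https://example.com$request_uri;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def parse(text):
    """Return a list of (name, args, body) tuples; body is None for a directive."""
    tokens = TOKEN.findall(re.sub(r"#[^\n]*", "", text))  # drop comments
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos >= len(tokens):
                raise ValueError("unterminated directive")
            if tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1          # skip '{'
                body = block()
                pos += 1          # skip '}'
                items.append((words[0], words[1:], body))
        return items

    return block()


def resolve_location(server_body, path):
    """Pick the location nginx would use for path, following its precedence rules."""
    prefix = regex = None
    best = ""
    for name, args, body in server_body:
        if name != "location" or body is None:
            continue
        mod, pat = (args[0], args[1]) if len(args) == 2 else ("", args[0])
        if mod == "=":
            if path == pat:
                return (mod, pat, body)           # exact match wins outright
        elif mod in ("~", "~*"):
            flags = re.I if mod == "~*" else 0
            if regex is None and re.search(pat, path, flags):
                regex = (mod, pat, body)          # first matching regex, in order
        elif path.startswith(pat) and len(pat) > len(best):
            best, prefix = pat, (mod, pat, body)  # longest matching prefix
    if prefix and prefix[0] == "^~":
        return prefix                             # ^~ suppresses the regex pass
    return regex or prefix


def acme_reachable_over_http(conf_text):
    """Return (ok, reason) for the first server block listening on port 80."""
    for name, args, body in parse(conf_text):
        if name != "server" or body is None:
            continue
        listens = [a[0] for n, a, b in body if n == "listen" and a]
        if not any(l.rsplit(":", 1)[-1] == "80" for l in listens):
            continue
        if any(n == "return" for n, a, b in body):
            return False, "server-level 'return' redirects the challenge before location matching"
        loc = resolve_location(body, ACME_PREFIX + "sometoken")
        if loc is None:
            return False, "no location matches the ACME challenge path"
        names = {n for n, a, b in loc[2]}
        if "return" in names:
            return False, f"location {loc[1]!r} returns a redirect for the challenge path"
        if not names & {"root", "alias"}:
            return False, f"location {loc[1]!r} has no root/alias for the webroot"
        return True, f"challenge served from location {loc[1]!r}"
    return False, "no server block listening on port 80"


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, acme_reachable_over_http(conf))
```

Run it against your own file with `acme_reachable_over_http(open("/etc/nginx/sites-enabled/example.com").read())` before the first `certbot certonly`; the parser only understands the plain `server`/`location` layout used in the answer, not `include` or `map` directives.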
