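I have a working Nginx configuration that:
performs a hard redirect (301) from http to https
additionally, ignores subpaths on http (http://www.example.com/ANY/THING redirects to plain https://example.com)
serves the application over https
How can I modify the configuration file so that I can:
generate an HTTPS certificate using certbot/Let's Encrypt
within 90 days, run certbot renew without editing the configuration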
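Answer 1
This example uses a static root instead of an application. Replace the location / block in the HTTPS section as needed...
1) Create the conf file (note that the ssl_certificate lines are commented out)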
server {
    # naive redirect of HTTP to HTTPS
    server_name example.com;
    listen *:80;
    listen [::]:80;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://example.com;
    }
}
server {
    # main server block
    server_name example.com;
    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/html;
    index index.html index.htm;
    location / {
        # replace this with directives for your application
        try_files $uri $uri.html $uri/ =404;
    }
}
2) Run certbot
certbot certonly --authenticator webroot --webroot-path /var/www/letsencrypt -d example.com
3) Update the conf file. Uncomment the ssl_certificate lines:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
4) Restart nginx
service nginx restart
5) Test renewal (a forced renewal, not a dry run)
certbot renew --force-renewal
6) Renew as normal after 90 days...
certbot renew
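
Added example (not part of the answer above): a pre-flight check to run before step 2 and before each renewal, confirming that the port-80 challenge location serves the same directory that is passed to certbot as --webroot-path, and reporting whether the ssl_certificate lines are still commented out. The function names acme_root, cert_state, preflight and sample_conf are hypothetical, the sample configuration is constructed from the one in the answer, and the matching is plain line matching that assumes one directive per line.

```shell
#!/bin/sh
# Crude line matching, not an nginx parser: assumes one directive per line.

# Print the root used inside the acme-challenge location of conf file $1.
acme_root() {
    awk 'index($0, "location ^~ /.well-known/acme-challenge/") { inside = 1; next }
         inside && $1 == "root" { sub(/;.*/, "", $2); print $2; exit }
         inside && /}/ { inside = 0 }' "$1"
}

# staged = ssl_certificate commented out (step 1), active = uncommented (step 3).
cert_state() {
    if grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' "$1"; then echo active
    elif grep -Eq '^[[:space:]]*#[[:space:]]*ssl_certificate[[:space:]]' "$1"; then echo staged
    else echo missing
    fi
}

# preflight CONF WEBROOT: fail unless the challenge location serves the
# directory that certbot --webroot-path writes into.
preflight() {
    root=$(acme_root "$1")
    [ -n "$root" ] || { echo "FAIL: no acme-challenge location in $1"; return 1; }
    [ "$root" = "$2" ] || { echo "FAIL: root $root != webroot-path $2"; return 1; }
    echo "OK: challenge root=$root, certificates $(cert_state "$1")"
}

# Constructed sample, trimmed from the configuration in the answer.
sample_conf() {
cat <<'EOF'
server {
    listen *:80;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
    location / { return 301 https://example.com; }
}
server {
    listen 443 ssl;
    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/html;
}
EOF
}

demo_conf=$(mktemp) && sample_conf > "$demo_conf"
preflight "$demo_conf" /var/www/letsencrypt
rm -f "$demo_conf"
```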