HTTPs setup - Certbot + Docker + Nginx

weixin_34019929發表於2019-02-02

Background:

Let's Encrypt is a certificate authority that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge,The certificate is valid for 90 days, during which renewal can take place at anytime.
這樣我們就可以用上免費的CA cert來安全expose我們自己的網站或者服務

基本的http和https知識請閱讀https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/的‘背景知識’部分，作者講述的非常很不錯。

Objectives:

通過例子來demo如何生成和使用Internet Security Research Group推出的Let’s Encrypt 免費證照
主要涉及如下：

Docker, docker-compose用來部署nginx
Certbot，用來為域名生成CA證照

Not In Scope

Docker 和docker compose的相關概念和安裝，請參考docker官方文件

Steps:

1. 生成CA證照

安裝Certbot 客戶端

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help

驗證域名所有權
該步驟需要啟動nginx
a. 準備docker-compose file

version: '3.0'
services:
  nginx:
    restart: always
    image: nginx:1.15.6
    ports:
     - 80:80
     - 443:443
    volumes:
     - ./conf.d:/etc/nginx/conf.d
     - ./log:/var/log/nginx
     - ./wwwroot:/var/www
     - /etc/letsencrypt:/etc/letsencrypt

Docker volume的對映關係
./conf.d nginx的配置所在
./log 日誌檔案位置
./wwwroot 專案路徑
/etc/letsencrypt CA cert的父目錄

b. nginx 配置檔案 .conf.d/app.conf

server {
    listen   80;
    server_name   domain.com;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root     /var/www;
    }

    location = /.well-known/acme-challenge/ {
       return 404;
    }
}

PS:
如上兩個location配置是為了通過 Let’s Encrypt 的驗證，驗證域名歸屬

c. 啟動nginx

root@aws-techpoc-c02:~/web# ls conf.d/app.conf
root@aws-techpoc-c02:~/web# ls wwwroot/
index.html
root@aws-techpoc-c02:~/web# docker-compose up -d
Creating network "web_default" with the default driver
Creating web_nginx_1 ...
Creating web_nginx_1 ... done

d. 生成Cert

./certbot-auto certonly -d domain1.com domain2.com

該步驟過程中會自動執行和安裝很多linux的以來包，不用幹預，其中有兩布需要注意：
i.選擇用standalone的方式執行還是webroot，一般80埠已經備用了，無法使用standalone，所以選擇webroot方式，然後輸入webroot的地址，及上面指定的主機專案目錄，如本例，/root/web/wwwroot
2.有一步要求輸入郵箱地址的提示，照著輸入自己的郵箱即可，順利完成的話，螢幕上會有提示資訊。
最後，證照成功成功後，會有如下資訊:
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/<domain.com>/fullchain.pem. Your cert
will expire on xxxx-xx-xxxx. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
至此，證照就生成好了，接下來就可以去配置nginx ssl監聽了

2. 配置SSL監聽 for Nginx

a. 修改nginx配置檔案

server {
        listen   443 ssl;
        server_name  domain.com;
        ssl_certificate        /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key    /etc/letsencrypt/live/domain.com/privkey.pem;

        location / {
            root /var/www;
            index index.jsp index.html index.htm index.php;
        }

        location /proxy/ {
            root /var/www;
            index index.jsp index.html index.htm index.php;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;

            proxy_pass http://172.19.0.1:8080/;
        }

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {
            root   /usr/share/nginx/html;
        }
}

server {
        listen   80;
        server_name   domain.com www.domain.com;
        return 301 https://$server_name$request_uri;            
}

proxy_pass 指定代理地址，注意代理地址後面有沒有’/‘,區別很大

b. [optional]準備一個測試的html，用來檢測nginx配置是否正常，./wwwroot/index.html

<!DOCTYPE html>
<html>
   <head>
     <title>TEST WebSite</title>
   </head>    
   <body>
       <div>Hello, this is a test web site</div>
    <body>
</html>

c. Reload nginx config

docker container exec <container> nginx -s reload

然後就可以去測試了，https://<domain.com>,如果成功可以顯示那個test html page，如果有問題，請使用docker logs -f <container>,或者檢視日誌目錄先access.log 和 error.log

Q&A:

policy-forbids-issuing-for-name-on-amazon-ec2-domain
issue related post
amazonaws.com happens to be on the blacklist Let’s Encrypt uses for high-risk domain names，及無法使用free cert for aws，可以考慮使用route53

https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/
https://www.jianshu.com/p/c136c7ec2572

nginx docker容器配置https(ssl)
2019-01-19
NginxDockerHTTP
linux環境使用Certbot配置https
2019-01-19
LinuxHTTP
用 Let's Encrypt 和 certbot 搭建 https
2017-12-04
HTTP
使用 Docker CertBot 獲取 SSL 證書
2018-09-18
Docker
手把手教你在Nginx上使用CertBot
2016-06-25
Nginx
Docker安裝Redmine並使用Nginx反向代理為https
2020-01-25
DockerNginxHTTP
推薦一個製作 https 證書的工具 Certbot
2017-12-21
HTTP
申請Let’s Encrypt萬用字元HTTPS證書(certbot版)
2018-03-16
字元HTTP
Nginx配置HTTPS
2018-04-08
NginxHTTP
docker 安裝 wordpress，通過nginx反向代理，繫結域名，配置https
2021-10-02
DockerNginxHTTP
二、Nginx 配置 https
2020-08-01
NginxHTTP
Setup MariaDB Master/Slave Replication for Docker MariaDB
2021-12-13
ASTDocker
Docker配置nginx
2020-08-19
DockerNginx
Docker Nginx映象
2017-10-12
DockerNginx
docker建立nginx
2024-03-28
DockerNginx
Nginx 配置https證書
2019-03-03
NginxHTTP
Nginx配置Https專案
2022-10-13
NginxHTTP
Nginx https證書部署
2017-07-20
NginxHTTP
docker下的nginx
2020-11-22
DockerNginx
docker小結(nginx)
2018-07-04
DockerNginx
docker -nginx2
2024-04-11
DockerNginx
全站HTTPS升級系列（三）nginx配置全站HTTPS
2019-01-11
HTTPNginx
Nginx使用SSL模組配置https
2020-07-21
NginxHTTP
nginx+php-fpm配置HTTPS
2022-03-22
NginxPHPHTTP
Nginx如何配置HTTPS詳解
2023-03-07
NginxHTTP
nginx + https(tomcat2)
2018-03-06
NginxHTTPTomcat
通過 Certbot 安裝 Let's Encrypt 證書，來實現全站的 HTTPS 訪問
2018-11-20
HTTP
透過 Certbot 安裝 Let's Encrypt 證書，來實現全站的 HTTPS 訪問
2018-11-20
HTTP
docker學習6：Docker 安裝 Nginx
2018-05-01
DockerNginx
通過 Certbot 安裝 Let's Encrypt 證書，實現免費的全站 HTTPS 訪問
2021-06-14
HTTP
使用docker安裝nginx
2019-12-08
DockerNginx
docker下安裝Nginx
2019-01-19
DockerNginx
Nginx Configuring HTTPS servers
2019-02-28
NginxHTTPServer
nginx 專案配置 https 訪問
2019-07-09
NginxHTTP
Nginx配置網站預設https
2021-09-09
Nginx網站HTTP
Nginx如何配置Http、Https、WS、WSS？
2021-05-10
NginxHTTP
centos nginx下配置免費https
2018-12-19
CentOSNginxHTTP
nginx配置https協議訪問
2020-10-21
NginxHTTP協議