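Background
I wanted to walk through a PHP SSO login end to end to understand it better. After configuring the client and the server, I clicked "log in" on the client and found that
the redirect to the server used the https protocol, so I needed to set up a free CA certificate. The community already has a linked guide for this,
and I had previously configured it successfully with that method. But the setup process was an unpleasant experience for me (my own fault), so I looked for a more elegant method (found on GitHub).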
1 Clone the repository (for ease of description, I cloned it under /var/www)
    git clone https://github.com/kaienkira/acme-client-quick.git /var/www/acme-client-quick
2 List the sites you want to validate
    cd /var/www/acme-client-quick
    echo "example.com" >> domain.txt
    echo "www.example.com" >> domain.txt
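3 Edit your site's configuration file (so that the challenge files are reachable and your domain can be validated)
Add this to your configuration file:
    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /var/www/acme-client-quick/work/acme-challenge/;
        try_files $uri $uri/ =404;
    }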
My configuration file (it uses the site admin's server configuration)
    server {
        listen 80;
        server_name sso.jc91715.top;
        root /var/www/html/sso.jc91715.top/public;
        index index.html index.htm index.php;
        charset utf-8;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        # Serve the ACME HTTP-01 challenge files written by acme-client-quick
        location /.well-known/acme-challenge/ {
            default_type text/plain;
            alias /var/www/acme-client-quick/work/acme-challenge/;
            try_files $uri $uri/ =404;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log /var/log/nginx/sso.jc91715.top-access.log;
        error_log /var/log/nginx/sso.jc91715.top-error.log error;
        sendfile off;
        client_max_body_size 100m;
        include fastcgi.conf;
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
4 Validate your site and generate the certificate
Port 80 is required.
    sudo service nginx stop
    sudo ./quick-start.sh
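5 Add the certificate to the configuration file
The lines added on top of the existing configuration are:
    # "listen 443 ssl" is sufficient; a server-wide "ssl on;" would also
    # force TLS on the port 80 listener and break the redirect below
    listen 443 ssl;
    ssl_certificate /var/www/acme-client-quick/cert/ssl.crt;
    ssl_certificate_key /var/www/acme-client-quick/cert/ssl.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 if your build supports it
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Send plain-HTTP requests to HTTPS
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }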
My configuration file
    server {
        listen 80;
        # "listen 443 ssl" is sufficient; a server-wide "ssl on;" would also
        # force TLS on the port 80 listener and break the redirect below
        listen 443 ssl;
        ssl_certificate /var/www/acme-client-quick/cert/ssl.crt;
        ssl_certificate_key /var/www/acme-client-quick/cert/ssl.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 if your build supports it
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # Send plain-HTTP requests to HTTPS
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }
        server_name sso.jc91715.top;
        root /var/www/html/sso.jc91715.top/public;
        index index.html index.htm index.php;
        charset utf-8;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location /.well-known/acme-challenge/ {
            default_type text/plain;
            alias /var/www/acme-client-quick/work/acme-challenge/;
            try_files $uri $uri/ =404;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log /var/log/nginx/sso.jc91715.top-access.log;
        error_log /var/log/nginx/sso.jc91715.top-error.log error;
        sendfile off;
        client_max_body_size 100m;
        include fastcgi.conf;
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
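A pre-reload check for two mistakes that are easy to make when adding the HTTPS lines from step 5 to a server block that also listens on port 80: a server-wide `ssl on;` and an `ssl_protocols` list that still offers TLSv1 or TLSv1.1. This is an added example, not part of the original post or of acme-client-quick; the function name, finding codes and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint one nginx server block (stdin) for TLS listener mistakes.
# Finding codes below are names invented for this example.
lint_tls_conf() {
    awk '
        { sub(/#.*/, "") }                              # drop comments
        /^[ \t]*ssl[ \t]+on[ \t]*;/ { ssl_on = 1 }      # server-wide "ssl on;"
        /^[ \t]*listen[ \t]/ {
            # a listen line without the "ssl" parameter is meant to stay plain HTTP
            if ($0 !~ /[ \t]ssl[ \t;]/) plain_listen = 1
        }
        /^[ \t]*ssl_protocols[ \t]/ {
            n = split($0, tok, /[ \t;]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "SSLv3" || tok[i] == "TLSv1" || tok[i] == "TLSv1.1")
                    old = 1
        }
        END {
            # "ssl on;" turns TLS on for every listen socket of the server,
            # so port 80 stops answering plain HTTP and the redirect never runs
            if (ssl_on && plain_listen) print "SSL_ON_WITH_PLAIN_LISTEN"
            if (old) print "DEPRECATED_PROTOCOL"
        }'
}

# Constructed sample: HTTPS lines added next to "listen 80;" in one server block.
WEAK_CONF=$(cat <<'EOF'
server {
    listen 80;
    ssl on;
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
)
# Constructed sample: the same block with both findings corrected.
FIXED_CONF=$(cat <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
EOF
)

echo "weak:  $(printf '%s\n' "$WEAK_CONF" | lint_tls_conf | tr '\n' ' ')"
echo "fixed: $(printf '%s\n' "$FIXED_CONF" | lint_tls_conf | tr '\n' ' ')"
```

Feed it a real server block on stdin, then run `nginx -t` before reloading.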
DONE
This work is licensed under the CC license; reposts must credit the author and link to this article.