1. Install Certbot and the Let’s Encrypt plugin

Certbot is a Let’s Encrypt client that automatically obtains and installs SSL certificates from Let’s Encrypt. Run the following command to install Certbot together with its Nginx plugin:

sudo apt install certbot python3-certbot-nginx

2. Request and configure a wildcard certificate

my_domain="textworld.cn"
sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "$my_domain" -d "*.${my_domain}"

After you run the command above, Certbot prints instructions asking you to add a specific DNS TXT record for the domain; this is how it verifies that you control the domain. Add the DNS record exactly as instructed and wait for it to take effect before continuing. A newly added TXT record needs some time to propagate, so wait a few minutes before pressing Enter to let Certbot run the validation.
Completing validation: once the DNS record is live and Certbot has verified it, your wildcard certificate is issued and stored in the /etc/letsencrypt/live/${my_domain}/ directory.

3. Configure Nginx to use the wildcard certificate

Nginx version used in this article: nginx version: nginx/1.18.0 (Ubuntu)
Open the Nginx configuration file:

sudo vim /etc/nginx/conf.d/default.conf

Specify the certificate and private key: in the appropriate server block, find or add the following lines and make sure they point to the paths of your wildcard certificate and private key:

        ssl on;   # deprecated since nginx 1.15.0; "listen 443 ssl" enables TLS instead
        ssl_certificate     /etc/letsencrypt/live/textworld.cn/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/textworld.cn/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # configure these protocols (TLSv1 and TLSv1.1 are deprecated by RFC 8996)
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # configure this cipher suite
        ssl_prefer_server_ciphers on;

Below is a complete example Nginx configuration for an HTTPS server, including a reverse proxy.

    server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2 default_server;
        server_name  www.textworld.cn;
        root         /var/www/hugo_github/public;
        index        index.html index.htm index.php;

        ssl on;   # deprecated since nginx 1.15.0; the "ssl" parameter on "listen" above already enables TLS
        ssl_certificate     /etc/letsencrypt/live/textworld.cn/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/textworld.cn/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # configure these protocols (TLSv1 and TLSv1.1 are deprecated by RFC 8996)
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # configure this cipher suite
        ssl_prefer_server_ciphers on;

        # Reverse proxy: forward every request to the backend listening on port 8080.
        location / {
            index       index.html index.htm;
            proxy_pass  http://127.0.0.1:8080;
        }

        error_page 404 /404/;
        # Empty exact-match location left over from the stock default.conf.
        location = /50x.html {
        }
    }
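The protocol line in the configuration above still enables TLSv1 and TLSv1.1. As an added example (not from the original post), here is a small shell check that flags that setting and the deprecated ssl on directive, run over the post's TLS lines and a hardened variant; the sample configs are constructed inline and written to temporary files, so nginx itself is not needed.

```shell
# Added example (not from the original post): a small lint for the TLS directives of an
# nginx server block. "weak" mirrors the config shown above; "hardened" keeps only
# TLSv1.2/1.3 (TLSv1 and TLSv1.1 are deprecated by RFC 8996) and drops "ssl on;",
# which is deprecated because "listen 443 ssl" already enables TLS. Sample configs
# are constructed inline so the check runs without nginx installed.

# Return 0 if only TLSv1.2/TLSv1.3 are enabled and "ssl on;" is absent;
# otherwise print the first problem found and return 1.
tls_config_ok() {
  conf="$1"
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
  [ -n "$protos" ] || { echo "$conf: no ssl_protocols directive"; return 1; }
  for p in $protos; do
    case "$p" in
      TLSv1.2|TLSv1.3) ;;
      *) echo "$conf: weak protocol enabled: $p"; return 1 ;;
    esac
  done
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
    echo "$conf: deprecated 'ssl on;' (use 'listen 443 ssl' instead)"; return 1
  fi
  echo "$conf: ok"
}

TMPD=$(mktemp -d)
WEAK_CONF="$TMPD/weak.conf"
HARD_CONF="$TMPD/hardened.conf"

# Protocol and cipher lines exactly as they appear in the post.
cat > "$WEAK_CONF" <<'EOF'
    listen 443 ssl http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
EOF

# Hardened variant: modern protocols, AEAD-only ECDHE suites, client-preferred order
# (the usual recommendation when every offered suite is strong).
cat > "$HARD_CONF" <<'EOF'
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
EOF

for c in "$WEAK_CONF" "$HARD_CONF"; do
  tls_config_ok "$c" || true
done
```

Run it against your real server block (tls_config_ok /etc/nginx/conf.d/default.conf) before sudo nginx -t; the hardened lines are a drop-in replacement for the protocol and cipher directives shown above.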

Test the Nginx configuration:

sudo nginx -t

Make sure no errors are reported.

Reload Nginx:

sudo systemctl reload nginx

Your Nginx server should now be configured with the wildcard certificate and serve secure HTTPS connections for your domain and all of its subdomains.

Automatically renewing the Let’s Encrypt certificate

A common question when using Let’s Encrypt certificates is how to keep them continuously valid. By default a Let’s Encrypt certificate is valid for 90 days, so to make sure your service is not interrupted by an expired certificate, the best practice is to renew automatically.

sudo certbot certonly --standalone

The full output of the command is as follows:

lighthouse@VM-16-9-ubuntu:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.textworld.cn,textworld.cn
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/textworld.cn.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.textworld.cn and textworld.cn

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/textworld.cn/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/textworld.cn/privkey.pem
This certificate expires on 2024-07-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/textworld.cn/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/textworld.cn/privkey.pem
This certificate expires on 2024-07-25.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

Common errors

Renewing the previously requested wildcard domain with certbot's renew command produced the following error:

Failed to renew certificate textworld.cn with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
--manual-auth-hook
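Certbot's NEXT STEPS message and the renew error above both point at the same gap: a certificate obtained with --manual can only be renewed non-interactively if an authentication hook publishes the DNS TXT record. The script below is an added example (not from the original post or from Certbot) of such a hook for the DNS-01 challenge used in section 2; it relies on the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot exports to hooks, while publish_txt is an assumed placeholder for your DNS provider's API and the dig-based wait reuses the "wait for the record to propagate" step from section 2.

```shell
# Added example (not from the original post): a skeleton --manual-auth-hook for the
# DNS-01 challenge. Certbot runs the hook once per name with CERTBOT_DOMAIN and
# CERTBOT_VALIDATION in the environment; it must publish the TXT record and return
# only once public resolvers can see it. publish_txt is a placeholder for your DNS
# provider's API (assumed, not a real command).

# TXT record name Certbot validates for a domain. For "*.textworld.cn" Certbot passes
# the base domain, so the wildcard and the apex share one name with two values:
# the hook must ADD a record, never overwrite the existing one.
challenge_record_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# Return 0 if the expected token is one of the quoted values in `dig +short TXT`
# output (passed as the second argument so this can be checked offline).
txt_value_present() {
  expected="$1"; output="$2"
  printf '%s\n' "$output" | tr -d '"' | grep -Fxq -- "$expected"
}

# Poll a public resolver (up to ~5 minutes) until the record is visible, so the
# ACME server is not asked to validate a record that has not propagated yet.
wait_for_txt() {
  name="$1"; expected="$2"; tries=0
  while [ "$tries" -lt 30 ]; do
    if txt_value_present "$expected" "$(dig +short TXT "$name" @1.1.1.1)"; then
      return 0
    fi
    tries=$((tries + 1)); sleep 10
  done
  echo "TXT record $name not visible after waiting" >&2
  return 1
}

# Placeholder: replace with the API call that creates a TXT record at your DNS provider.
publish_txt() {
  echo "would create TXT $1 = $2" >&2
}

# Entry point when Certbot invokes the script; skipped when run by hand or in tests.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  name=$(challenge_record_name "$CERTBOT_DOMAIN")
  publish_txt "$name" "$CERTBOT_VALIDATION"
  wait_for_txt "$name" "$CERTBOT_VALIDATION"
fi
```

Pass the script to the certonly command from section 2 as --manual-auth-hook /path/to/hook.sh (with a matching --manual-cleanup-hook that deletes the record afterwards) so that Certbot stores it in the renewal configuration and sudo certbot renew can run without a terminal.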