{"_path":"/docs/3rd/lets-encrypt","_draft":false,"_partial":false,"_empty":false,"title":"Let’s Encrypt","description":"Let’s Encrypt is a certificate authority that issues TLS (SSL) certificates free of charge. The applications we build in the 宁皓独立开发者训练营 (Ninghao Independent Developer Bootcamp) eventually have to be deployed to a real server, and configuring the web server for HTTPS requires a certificate issued by a publicly trusted CA.","body":{"type":"root","children":[{"type":"element","tag":"h1","props":{"id":"lets-encrypt"},"children":[{"type":"text","value":"Let’s Encrypt"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"Let’s Encrypt is a certificate authority that issues TLS (SSL) certificates free of charge. The applications we build in the 宁皓独立开发者训练营 (Ninghao Independent Developer Bootcamp) eventually have to be deployed to a real server, and configuring the web server for HTTPS requires a certificate issued by a publicly trusted CA, since browsers do not trust self-signed certificates."}]},{"type":"element","tag":"h2","props":{"id":"流程"},"children":[{"type":"text","value":"Workflow"}]},{"type":"element","tag":"ol","props":{},"children":[{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Point the domain name at the IP address of our cloud server (a DNS A record)."}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Install Nginx on the cloud server."}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Configure Nginx and create a web server (a server block) for the domain."}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Reload the Nginx service so the new configuration takes effect."}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"On the cloud server, install certbot, the tool used to request a Let’s Encrypt certificate."}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Run certbot to request the Let’s Encrypt certificate."}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Reload the Nginx service again so the TLS configuration certbot added takes effect."}]}]},{"type":"element","tag":"h2","props":{"id":"添加域名-dns-记录"},"children":[{"type":"text","value":"Add a DNS record for the domain"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"Open the domain-management console of your DNS provider; there we need to configure the domain’s 
DNS record. Choose record type A; the value of an A record is an IP address, which here must be the public IP address of our cloud server. The host record (the subdomain label) can be whatever you need."}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"For this demo I configured one record under my own domain "},{"type":"element","tag":"a","props":{"href":"http://ninghao.net/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"text","value":"ninghao.net"}]},{"type":"text","value":":"}]},{"type":"element","tag":"ul","props":{},"children":[{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Record type: A"}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Host record: nid-ssl-demo"}]},{"type":"element","tag":"li","props":{},"children":[{"type":"text","value":"Record value: 42.120.40.68"}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"Once the record is live, "},{"type":"element","tag":"a","props":{"href":"http://nid-ssl-demo.ninghao.net/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"text","value":"nid-ssl-demo.ninghao.net"}]},{"type":"text","value":" points at one of my cloud servers, whose address is 42.120.40.68.\n"},{"type":"element","tag":"img","props":{"alt":"","src":"/images/docs/3rd/lets-encrypt/image.png"},"children":[]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"img","props":{"alt":"","src":"/images/docs/3rd/lets-encrypt/image(1).png"},"children":[]},{"type":"text","value":"\nTo confirm that the DNS record has taken effect, run ping in a terminal:"}]},{"type":"element","tag":"code","props":{"code":"ping nid-ssl-demo.ninghao.net\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"ping nid-ssl-demo.ninghao.net\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"Look at the output: right after the domain name, ping prints the IP address the name resolved to. ping is used here only for the name lookup; many cloud firewalls drop ICMP, so the echo replies themselves may time out, but the resolved address is printed regardless. If that address is the record value we configured, the DNS 
record has taken effect. If an old or empty answer comes back, wait for the record’s TTL to expire and try again."}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"Example"}]}]},{"type":"element","tag":"code","props":{"code":"PING nid-ssl-demo.ninghao.net (42.120.40.68)\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"PING nid-ssl-demo.ninghao.net (42.120.40.68)\n"}]}]}]},{"type":"element","tag":"h2","props":{"id":"nginx"},"children":[{"type":"text","value":"NGINX"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"In the 宁皓独立开发者训练营 bootcamp, deploying backend applications and web front ends and setting up SSH tunnels all rely on web servers created with NGINX."}]},{"type":"element","tag":"h3","props":{"id":"安装与启动-nginx"},"children":[{"type":"text","value":"Install and start NGINX"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"First log in to the remote cloud server over SSH, then run the commands below to install and start the NGINX service."}]},{"type":"element","tag":"h4","props":{"id":"在-ubuntu-系统里安装-nginx"},"children":[{"type":"text","value":"Install NGINX on Ubuntu"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"Once logged in to the server, use "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"apt"}]},{"type":"text","value":" to install "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"nginx"}]},{"type":"text","value":":"}]},{"type":"element","tag":"code","props":{"code":"sudo apt install nginx -y\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo apt install nginx -y\n"}]}]}]},{"type":"element","tag":"h4","props":{"id":"设置开机自启动-nginx"},"children":[{"type":"text","value":"Enable NGINX at boot"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"To have the NGINX service start automatically at boot, run:"}]},{"type":"element","tag":"code","props":{"code":"sudo systemctl enable nginx\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo systemctl enable 
nginx\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo systemctl enable nginx\n"}]}]}]},{"type":"element","tag":"h4","props":{"id":"启动-nginx-服务"},"children":[{"type":"text","value":"启动 NGINX 服务"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"启动 NGINX 服务，执行："}]},{"type":"element","tag":"code","props":{"code":"sudo systemctl start nginx\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo systemctl start nginx\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"启动以后，查看一下 "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"nginx"}]},{"type":"text","value":" 这个服务的当前的状态，执行："}]},{"type":"element","tag":"code","props":{"code":"sudo systemctl status nginx\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo systemctl status nginx\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"如果发现 "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"Active: active (running)"}]},{"type":"text","value":" ，表示这个服务正在运行。"}]},{"type":"element","tag":"h4","props":{"id":"测试-web-服务"},"children":[{"type":"text","value":"测试 Web 服务"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"Nginx 服务启动之后，它就可以提供 Web 服务了。打开在本地电脑上的浏览器，访问服务器的 IP 地址，或者指向这个 IP  地址的域名，你会看到一个 Nginx 的欢迎页面。注意在地址栏上输入域名或者 IP 地址的时候，要使用 "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"http://"}]},{"type":"text","value":" ，不要使用 "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"https://"}]},{"type":"text","value":" 
。比如："},{"type":"element","tag":"a","props":{"href":"http://xb2-node-api.ninghao.net/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"http://nid-ssl-demo.ninghao.net"}]}]},{"type":"text","value":" 。"}]},{"type":"element","tag":"h3","props":{"id":"创建-nginx-服务器"},"children":[{"type":"text","value":"创建 NGINX 服务器"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"通过 NGINX 的配置文件，可以在一台云服务器上同时创建多个 NGINX 服务器，每个服务器都有自己的一套配置，比如设置服务器监听的端口号，绑定自己的域名，配置服务器的 SSL 证书等等。我们先看一下如何创建一个 NGINX 的 Web  服务器，访问某个域名时，可以得到云服务器某个目录里的资源（各种文件）。"}]},{"type":"element","tag":"h4","props":{"id":"准备资源目录"},"children":[{"type":"text","value":"准备资源目录"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"先在云服务器的某个目录里面新建一个目录，这个目录一会儿会作为 NGINX 的 Web 服务器的主目录。"}]},{"type":"element","tag":"code","props":{"code":"mkdir -p /mnt/nid-ssl-demo\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"mkdir -p /mnt/nid-ssl-demo\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"在 /mnt 的下面，新建一个 nid-ssl-demo 目录，一会以儿配置好 NGINX 服务器以后，就可以通过指定的网址访问到这个目录里的资源了。"}]},{"type":"element","tag":"h4","props":{"id":"准备资源"},"children":[{"type":"text","value":"准备资源"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"在 Web 服务的资源目录要里，新建一个 HTML 文档。"}]},{"type":"element","tag":"code","props":{"code":"vi /mnt/nid-ssl-demo/index.html\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"vi 
/mnt/nid-ssl-demo/index.html\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"文件内容如下："}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"/mnt/nid-ssl-demo/index.html"}]}]},{"type":"element","tag":"code","props":{"code":"<html>\n  <head>\n    <meta charset=\"UTF-8\">\n   </head>\n  <body>\n    <h1 style=\"font-weight:200\">\n      宁皓独立开发者训练营 🏕 \n    </h1>\n  </body>\n</html>\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"<html>\n  <head>\n    <meta charset=\"UTF-8\">\n   </head>\n  <body>\n    <h1 style=\"font-weight:200\">\n      宁皓独立开发者训练营 🏕 \n    </h1>\n  </body>\n</html>\n"}]}]}]},{"type":"element","tag":"h4","props":{"id":"创建-nginx-服务器-1"},"children":[{"type":"text","value":"创建 NGINX 服务器"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"通过 NGINX 的配置文件，可以创建需要的各种服务器，比如 Web 服务器，反向代理服务器等等。在 NGINX 的配置文件里，用一个 server 区块就可以定义一个服务器，在这个 server 配置区块里，可以设置服务器监听的端口号，绑定的域名，使用的 SSL 证书等等。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"创建配置文件"}]}]},{"type":"element","tag":"code","props":{"code":"vi /etc/nginx/conf.d/nid-ssl-demo.ninghao.net.conf\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"vi /etc/nginx/conf.d/nid-ssl-demo.ninghao.net.conf\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"文件内容如下："}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"/etc/nginx/conf.d/nid-ssl-demo.ninghao.net.conf"}]}]},{"type":"element","tag":"code","props":{"code":"server {\n  listen 80;\n  server_name 
nid-ssl-demo.ninghao.net;\n  \n  location / {\n    root /mnt/nid-ssl-demo;\n    index index.html;\n  }\n}\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"server {\n  listen 80;\n  server_name nid-ssl-demo.ninghao.net;\n  \n  location / {\n    root /mnt/nid-ssl-demo;\n    index index.html;\n  }\n}\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"上面这段 NGINX 配置，用 server 区块定义了一个 Web 服务器，监听的端口号是 80，这是 HTTP 协议默认使用的端口号。server_name 指令设置的是绑定在这台服务器上的域名。然后用了一个 location 区块，在里面用 root 指令定义了根目录（资源目录），index 指令设置的是可以默认打开的一些东西，比如 index.html。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"重载 NGINX"}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"添加了新的配置以后需要重载 NGINX 才能生效，执行："}]},{"type":"element","tag":"code","props":{"code":"sudo systemctl reload nginx\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo systemctl reload nginx\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"测试"}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"访问 "},{"type":"element","tag":"a","props":{"href":"http://nid-ssl-demo.ninghao.net/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"text","value":"nid-ssl-demo.ninghao.net"}]},{"type":"text","value":" 的时候，默认就会获取到云服务器 /mnt/nid-ssl-demo 目录下的 index.html 这个文件。\n"},{"type":"element","tag":"img","props":{"alt":"","src":"/images/docs/3rd/lets-encrypt/image(2).png"},"children":[]},{"type":"text","value":"\n注意在地址栏里的地址的左边，会显示 "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"不安全"}]},{"type":"text","value":" 
，这是因为当前使用的是 HTTP 协议访问的服务器，如果让这台 Web 服务器支持使用 HTTPS 协议访问，需要先从证书机构那里申请 SSL 证书，然后再配置 NGINX 服务器使用这个 SSL 证书。"}]},{"type":"element","tag":"h2","props":{"id":"certbot"},"children":[{"type":"text","value":"Certbot"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"申请 Let’s Encrypt 颁发的 SSL 证书，可以使用一个叫 Certbot 的命令行工具。Certbot 为不同的平台提供了各自的安装方法，下面我们会在 Ubuntu 系统里安装一下这个工具。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"官方网站"}]},{"type":"text","value":"："},{"type":"element","tag":"a","props":{"href":"https://certbot.eff.org/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"text","value":"https://certbot.eff.org"}]}]},{"type":"element","tag":"h3","props":{"id":"在-ubuntu-系统里安装-certbot"},"children":[{"type":"text","value":"在 Ubuntu 系统里安装 Certbot"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"登录到使用 Ubuntu 系统的云服务器。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"安装 snapd"}]}]},{"type":"element","tag":"code","props":{"code":"sudo apt install snapd\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo apt install snapd\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"安装 certbot"}]}]},{"type":"element","tag":"code","props":{"code":"sudo snap install --classic certbot\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo snap install --classic certbot\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"strong","props":{},"children":[{"type":"text","value":"设置可在全局执行 certbot 
命令"}]}]},{"type":"element","tag":"code","props":{"code":"sudo ln -s /snap/bing/certbot /usr/bin/certbot\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo ln -s /snap/bing/certbot /usr/bin/certbot\n"}]}]}]},{"type":"element","tag":"h3","props":{"id":"用-certbot-申请-lets-encrypt-颂发的-ssl-证书"},"children":[{"type":"text","value":"用 Certbot 申请 Let’s Encrypt 颂发的 SSL 证书"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"首先要确定已经配置好了域名的 DNS  记录，指向我们的云服务器，并在云服务器上安装配置好了 NGINX 服务器。"}]},{"type":"element","tag":"h4","props":{"id":"用-certbot--申请-ssl-证书"},"children":[{"type":"text","value":"用 certbot ** 申请 SSL 证书"}]},{"type":"element","tag":"code","props":{"code":"sudo certbot --nginx\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"sudo certbot --nginx\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"上面这个命令会申请签发 SSL  证书，并且会自动下载安装好申请的 SSL 证书，也就是它会修改我们网站的 NGINX 配置文件，在里面添加使用 SSL 证书需要的配置。"}]},{"type":"element","tag":"h4","props":{"id":"选择要申请-ssl-证书的域名"},"children":[{"type":"text","value":"选择要申请 SSL 证书的域名"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"使用 Certbot 命令申请 SSL 证书时，会根据 NGINX 的服务器来判断可以申请 SSL 证书的域名。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"执行 certbot 命令时会提示我们选择要申请 SSL 证书的域名，输入列出的指定的序号，然后按回车确认。"}]},{"type":"element","tag":"code","props":{"code":"Saving debug log to /var/log/letsencrypt/letsencrypt.log\nPlugins selected: Authenticator nginx, Installer nginx\nStarting new HTTPS connection (1): acme-v02.api.letsencrypt.org\n\nWhich names would you like to activate HTTPS for?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n1: nid-ssl-demo.ninghao.net\n...\n- - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - -\nSelect the appropriate numbers separated by commas and/or spaces, or leave input\nblank to select all options shown (Enter 'c' to cancel): \n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"Saving debug log to /var/log/letsencrypt/letsencrypt.log\nPlugins selected: Authenticator nginx, Installer nginx\nStarting new HTTPS connection (1): acme-v02.api.letsencrypt.org\n\nWhich names would you like to activate HTTPS for?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n1: nid-ssl-demo.ninghao.net\n...\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nSelect the appropriate numbers separated by commas and/or spaces, or leave input\nblank to select all options shown (Enter 'c' to cancel): \n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"选择域名序号并按下回车以后，会提示是否需要将 HTTP 的访问重定向到 HTTPS。1 表示不重定向，2 表示重定向，如果选择要重定向 HTTP 的访问，certbot 会修改服务器对应的 NGINX 配置，将服务器的 HTTP 访问重定向到 HTTPS。"}]},{"type":"element","tag":"code","props":{"code":"Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n1: No redirect - Make no further changes to the webserver configuration.\n2: Redirect - Make all requests redirect to secure HTTPS access...\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nSelect the appropriate number [1-2] then [enter] (press 'c' to cancel): 2\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n1: No redirect - Make 
no further changes to the webserver configuration.\n2: Redirect - Make all requests redirect to secure HTTPS access...\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nSelect the appropriate number [1-2] then [enter] (press 'c' to cancel): 2\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"证书颂发成功就提示 Congratulations，申请的证书文件默认会放在 /etc/letsencrypt/live 目录对应的域名目录下面，比如 "},{"type":"element","tag":"a","props":{"href":"http://nid-ssl-demo.ninghao.net/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"text","value":"nid-ssl-demo.ninghao.net"}]},{"type":"text","value":"，在这个目录里会有两个文件：fullchain.pem 与 privkey.pem。"}]},{"type":"element","tag":"code","props":{"code":"Congratulations! You have successfully enabled https://nid-ssl-demo.ninghao.net\n...\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at:\n   /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/fullchain.pem\n   Your key file has been saved at:\n   /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/privkey.pem\n   Your cert will expire on 2022-08-13. To obtain a new or tweaked\n   version of this certificate in the future, simply run certbot again\n   with the \"certonly\" option. To non-interactively renew *all* of\n   your certificates, run \"certbot renew\"\n - ...\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"Congratulations! You have successfully enabled https://nid-ssl-demo.ninghao.net\n...\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at:\n   /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/fullchain.pem\n   Your key file has been saved at:\n   /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/privkey.pem\n   Your cert will expire on 2022-08-13. 
To obtain a new or tweaked\n   version of this certificate in the future, simply run certbot again\n   with the \"certonly\" option. To non-interactively renew *all* of\n   your certificates, run \"certbot renew\"\n - ...\n"}]}]}]},{"type":"element","tag":"h4","props":{"id":"观察网站的-nginx-配置文件"},"children":[{"type":"text","value":"观察网站的 NGINX 配置文件"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"观察一下申请了 SSL 证书的域名相关的 NGINX 配置文件，你会发现一些结尾有 # managed by Certbot 注释的配置，这些东西是 certbot 工具加上去的。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"/etc/nginx/conf.d/nid-ssl-demo.ninghao.net.conf"}]}]},{"type":"element","tag":"code","props":{"code":"server {\n  listen 443 ssl; # managed by Certbot\n  server_name nid-ssl-demo.ninghao.net;\n\n  ssl_certificate /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/fullchain.pem; # managed by Certbot\n  ssl_certificate_key /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/privkey.pem; # managed by Certbot\n  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot\n  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot\n\n  location / {\n    root /mnt/nid-ssl-demo;\n    index index.html;\n  }\n}\n\nserver {\n  listen 80;\n  server_name nid-ssl-demo.ninghao.net;\n\n  if ($host = nid-ssl-demo.ninghao.net) {\n    return 301 https://$host$request_uri;\n  } # managed by Certbot\n\n  return 404; # managed by Certbot\n}\n"},"children":[{"type":"element","tag":"pre","props":{},"children":[{"type":"element","tag":"code","props":{"__ignoreMap":""},"children":[{"type":"text","value":"server {\n  listen 443 ssl; # managed by Certbot\n  server_name nid-ssl-demo.ninghao.net;\n\n  ssl_certificate /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/fullchain.pem; # managed by Certbot\n  ssl_certificate_key /etc/letsencrypt/live/nid-ssl-demo.ninghao.net/privkey.pem; # managed by Certbot\n  include 
/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot\n  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot\n\n  location / {\n    root /mnt/nid-ssl-demo;\n    index index.html;\n  }\n}\n\nserver {\n  listen 80;\n  server_name nid-ssl-demo.ninghao.net;\n\n  if ($host = nid-ssl-demo.ninghao.net) {\n    return 301 https://$host$request_uri;\n  } # managed by Certbot\n\n  return 404; # managed by Certbot\n}\n"}]}]}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"你会发现在这个 NGINX 的配置文件里有两个 server 区块，一个监听的端口是 443，一个监听的是 80 端口，这个监听 80 端口的服务器里面做了重定向的配置，服务器接收到的访问会被重定向到 "},{"type":"element","tag":"a","props":{"href":"https://%24host%24request_uri/","rel":["nofollow","noopener","noreferrer"],"target":"_blank"},"children":[{"type":"text","value":"https://$host$request_uri"}]},{"type":"text","value":" 。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"在监听 443 端口的服务器里面，会多了一些配置信息，这些配置信息是由 certbot 加上去的，主要就是指定 SSL 证书文件的位置，还有一些相关的配置。"}]},{"type":"element","tag":"h4","props":{"id":"用-https-协议访问主机名"},"children":[{"type":"text","value":"用 HTTPS 协议访问主机名"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"在浏览器测试一下，使用 HTTPS 协议访问申请并配置了 SSL 证书的主机名。观察地址栏里的地址左侧，会出现一个小锁着图标，说明当前是通过 HTTPS 协议访问的服务。\n"},{"type":"element","tag":"img","props":{"alt":"","src":"/images/docs/3rd/lets-encrypt/image(3).png"},"children":[]},{"type":"text","value":"\n点开小锁头图标，然后点击 "},{"type":"element","tag":"em","props":{},"children":[{"type":"text","value":"证书有效"}]},{"type":"text","value":"，会显示 SSL 
证书相关信息。"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"element","tag":"img","props":{"alt":"","src":"/images/docs/3rd/lets-encrypt/image(4).png"},"children":[]},{"type":"element","tag":"img","props":{"alt":"","src":"/images/docs/3rd/lets-encrypt/image(5).png"},"children":[]}]},{"type":"element","tag":"h3","props":{"id":"注意事项"},"children":[{"type":"text","value":"注意事项"}]},{"type":"element","tag":"p","props":{},"children":[{"type":"text","value":"用 Certbot 申请的 Let’s Encrypt 证书，有效期是 3 个月，也就是 3 个月以后你需要重新执行 certbot 命令为指定的域名申请新的 SSL 证书。"}]}],"toc":{"title":"","searchDepth":2,"depth":2,"links":[{"id":"流程","depth":2,"text":"流程"},{"id":"添加域名-dns-记录","depth":2,"text":"添加域名 DNS 记录"},{"id":"nginx","depth":2,"text":"NGINX","children":[{"id":"安装与启动-nginx","depth":3,"text":"安装与启动 NGINX"},{"id":"创建-nginx-服务器","depth":3,"text":"创建 NGINX 服务器"}]},{"id":"certbot","depth":2,"text":"Certbot","children":[{"id":"在-ubuntu-系统里安装-certbot","depth":3,"text":"在 Ubuntu 系统里安装 Certbot"},{"id":"用-certbot-申请-lets-encrypt-颂发的-ssl-证书","depth":3,"text":"用 Certbot 申请 Let’s Encrypt 颂发的 SSL 证书"},{"id":"注意事项","depth":3,"text":"注意事项"}]}]}},"_type":"markdown","_id":"content:docs:3.3rd:5.lets-encrypt.md","_source":"content","_file":"docs/3.3rd/5.lets-encrypt.md","_extension":"md"}