Step 1: Install Let's Encrypt (certbot)

    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install python-certbot-nginx

Step 2: Install NGINX

    sudo apt update
    sudo apt upgrade
    sudo apt install nginx

Step 3: Configure DNS so that all subdomains are supported

Step 4: Obtain the SSL certificate with certbot

Refer to the example below and replace example.com with your own domain (it is recommended to request both *.example.com and example.com). While the certificate is being issued you must add a DNS TXT record, as shown below:

    hlchang@azure-ubuntu-1:~$ sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com -d example.com --manual --preferred-challenges dns-01 certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for example.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.example.com with the following value:
    
    OeecI1rJcyPoI6TDhNZthTInDwQBbrcrTsCWRWKrA64
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2020-12-05. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

Step 5: Edit the NGINX configuration file

Add the following to the site's NGINX configuration (the original post highlights the new lines in red):

    hlchang@azure-ubuntu-1:~$ more /etc/nginx/sites-available/example.com
    server {
         listen 80;
         listen [::]:80;
         server_name example.com *.example.com;
         return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        root /var/www/wordpress;
        index  index.php;
        server_name example.com *.example.com;
    
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
        client_max_body_size 100M;
        autoindex off;
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    
        location ~ \.php$ {
             include snippets/fastcgi-php.conf;
             fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             include fastcgi_params;
        }
    }

Step 6: Restart NGINX

    hlchang@azure-ubuntu-1:~$ cd /etc/nginx/sites-enabled/
    hlchang@azure-ubuntu-1:~$ sudo ln -s ../sites-available/example.com .
    hlchang@azure-ubuntu-1:~$ sudo systemctl restart nginx
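Step 4 recommends requesting both *.example.com and example.com, and Step 5 lists both in server_name. The reason is the wildcard matching rule browsers apply: a wildcard SAN covers exactly one DNS label, so *.example.com matches www.example.com but neither the apex example.com nor a nested name like a.b.example.com. The following script is an added example, not code from the original post or from certbot; it implements that rule in plain Python and reports which of a site's hostnames a given SAN list leaves uncovered. The SAN lists and hostnames in it are constructed for illustration, and the function names are my own.

```python
"""Check which hostnames a certificate's SAN list actually covers.

Added example (not part of the original post). Implements the wildcard
rule browsers and Let's Encrypt follow (RFC 6125 / CA-Browser Forum):
'*' may only be the entire leftmost label and stands in for exactly one
label, so it never matches the apex or a deeper subdomain.
"""


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the DNS SAN `san` covers `hostname`."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        # A non-wildcard SAN is an exact (case-insensitive) match only.
        return san == hostname
    suffix = san[2:]
    if "*" in suffix:
        # A wildcard anywhere other than the whole leftmost label is invalid.
        return False
    if not hostname.endswith("." + suffix):
        # Also rejects the apex: "example.com" does not end with ".example.com".
        return False
    leftmost = hostname[: -len(suffix) - 1]
    # The wildcard replaces one non-empty label; "a.b" would be two labels.
    return bool(leftmost) and "." not in leftmost


def covered(sans, hostname: str) -> bool:
    """True if any SAN in `sans` covers `hostname`."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered_hostnames(sans, hostnames):
    """Return the hostnames (in order) that no SAN in `sans` covers."""
    return [h for h in hostnames if not covered(sans, h)]


if __name__ == "__main__":
    # Constructed sample: the names a WordPress site behind this NGINX
    # config might actually serve.
    site_hosts = ["example.com", "www.example.com", "blog.example.com",
                  "a.b.example.com"]
    for sans in (["*.example.com"], ["*.example.com", "example.com"]):
        missing = uncovered_hostnames(sans, site_hosts)
        print(f"SANs {sans}: uncovered -> {missing}")
```

Run it once with the wildcard alone and once with the apex added to see exactly why the post asks for both; a.b.example.com stays uncovered either way, because it needs its own certificate or a *.b.example.com entry. To run the same check against the real file from Step 4, use `openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -checkhost www.example.com`. Two practical notes on the manual DNS-01 flow in Step 4: confirm the record has propagated with `dig +short TXT _acme-challenge.example.com` before pressing Enter, and note that a certificate issued with `--manual` cannot be renewed non-interactively by `certbot renew` unless you supply a `--manual-auth-hook` that publishes the TXT record, so schedule a reminder to repeat Step 4 before the expiry date printed by certbot.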

Source: How to obtain a wildcard ssl certificate from Let's Encrypt and setup Nginx to use wildcard subdomain
