Step 1: Install Let's Encrypt (the certbot client)
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Step 2: Install NGINX
sudo apt update
sudo apt upgrade
sudo apt install nginx
Step 3: Configure DNS so that all subdomains are covered
Step 4: Obtain the SSL certificate with certbot
Follow the example below, replacing example.com with your own domain (adding both *.example.com and example.com is recommended). While the certificate is being obtained, you must add a DNS TXT record, as shown below:
hlchang@azure-ubuntu-1:~$ sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com -d example.com --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
OeecI1rJcyPoI6TDhNZthTInDwQBbrcrTsCWRWKrA64
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-12-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Step 5: Edit the NGINX configuration file
Add the parts shown in red below:
hlchang@azure-ubuntu-1:~$ more /etc/nginx/sites-available/example.com
server {
     listen 80;
     listen [::]:80;
     server_name example.com *.example.com;
     return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/wordpress;
    index  index.php;
    server_name example.com *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    client_max_body_size 100M;
    autoindex off;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}
Step 6: Restart NGINX
hlchang@azure-ubuntu-1:~$ cd /etc/nginx/sites-enabled/
hlchang@azure-ubuntu-1:~$ sudo ln -s ../sites-available/example.com .
hlchang@azure-ubuntu-1:~$ sudo systemctl restart nginx
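Step 4 asks you to verify that the _acme-challenge TXT record is deployed before pressing Enter; the script below is an added example (not from the original post) that performs that check against every authoritative nameserver of the zone. It assumes `dig` (bind9-dnsutils) is installed and that the domain passed in is the zone apex; example.com and the token are placeholders taken from the session above.

```shell
#!/bin/sh
# Added example (not from the original post): before pressing Enter at certbot's
# "Press Enter to Continue" prompt, confirm that the _acme-challenge TXT record
# is already served by every authoritative nameserver of the zone.
# Assumes `dig` (bind9-dnsutils) is installed and that $1 is the zone apex.
# Usage: sh check_acme_txt.sh example.com OeecI1rJcyPoI6TDhNZthTInDwQBbrcrTsCWRWKrA64

# txt_has_token EXPECTED DIG_OUTPUT
# DIG_OUTPUT is the raw text of `dig +short TXT ...` (one quoted string per line).
# Strips the surrounding quotes and returns 0 only if some line equals EXPECTED
# exactly (-x), so a stale or truncated token does not count as deployed.
txt_has_token() {
  printf '%s\n' "$2" | sed 's/^"//; s/"$//' | grep -qxF -- "$1"
}

# check_all_ns DOMAIN EXPECTED
# Queries each authoritative nameserver directly (@ns) rather than the local
# resolver, so a cached negative answer cannot hide a freshly added record.
# Prints one line per nameserver and returns 1 if any of them lacks the token.
check_all_ns() {
  domain="$1"; expected="$2"; rc=0
  servers=$(dig +short NS "$domain")
  if [ -z "$servers" ]; then
    echo "no NS records found for $domain"
    return 1
  fi
  for ns in $servers; do
    answer=$(dig +short TXT "_acme-challenge.$domain" "@$ns")
    if txt_has_token "$expected" "$answer"; then
      echo "OK   $ns serves the token"
    else
      echo "MISS $ns does not serve the token yet"
      rc=1
    fi
  done
  return "$rc"
}

# Run the check only when invoked with arguments (DOMAIN TOKEN).
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  check_all_ns "$1" "$2"
fi
```

A certificate obtained with --manual cannot be renewed unattended by `certbot renew` unless a --manual-auth-hook is supplied, so the same check is needed each time the TXT record is re-deployed by hand.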

https://wiki.gslin.org/wiki/Dehydrated
This one is more convenient; you don't have to install as many packages.
Thanks for sharing.