LNMP - Adding an SSL certificate (or a free Let's Encrypt certificate) to an existing site


Posted by ivo on February 22, 2018

Parts of this article are quoted from https://www.laobuluo.com/338.html

Earlier versions of the LNMP one-click script had no built-in SSL certificate installation. Starting with V1.4 the feature is included, which is a big convenience for site operators: when adding a site we can install an SSL certificate bought from a third party directly, or use a free Let's Encrypt certificate. We can also add an SSL certificate to a site that was set up without one, leaving its structure and content untouched.

[root@host wwwroot]# lnmp ssl add
+-------------------------------------------+
|    Manager for LNMP, Written by Licess    |
+-------------------------------------------+
|              https://lnmp.org             |
+-------------------------------------------+
Please enter domain(example: www.lnmp.org): ezlost.com
 Your domain: ezlost.com
Enter more domain name(example: lnmp.org *.lnmp.org): 
Please enter the directory for domain ezlost.com: /home/wwwroot/ezlost.com
Allow Rewrite rule? (y/n) y
Please enter the rewrite of programme, 
wordpress,discuzx,typecho,thinkphp,laravel,codeigniter,yii2 rewrite was exist.
(Default rewrite: other): wordpress
You choose rewrite: wordpress
Allow access log? (y/n) y
Enter access log filename(Default:ezlost.com.log): 
You access log filename: ezlost.com.log
Enable PHP Pathinfo? (y/n) y
Enable pathinfo.
1: Use your own SSL Certificate and Key
2: Use Let's Encrypt to create SSL Certificate and Key
Enter 1 or 2: 2
It will be processed automatically.
--2018-02-22 14:04:42--  https://soft.vpser.net/lib/acme.sh/latest.tar.gz
Resolving soft.vpser.net (soft.vpser.net)... 45.34.93.228, 2600:3c01::f03c:91ff:fe92:1a06
Connecting to soft.vpser.net (soft.vpser.net)|45.34.93.228|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85854 (84K) [application/octet-stream]
Saving to: ‘latest.tar.gz’

100%[======================================>] 85,854      --.-K/s   in 0.001s  

2018-02-22 14:04:42 (69.5 MB/s) - ‘latest.tar.gz’ saved [85854/85854]

[Thu Feb 22 14:04:42 CST 2018] It is recommended to install socat first.
[Thu Feb 22 14:04:42 CST 2018] We use socat for standalone server if you use standalone mode.
[Thu Feb 22 14:04:42 CST 2018] If you don't use standalone mode, just ignore this warning.
[Thu Feb 22 14:04:42 CST 2018] Installing to /usr/local/acme.sh
[Thu Feb 22 14:04:42 CST 2018] Installed to /usr/local/acme.sh/acme.sh
[Thu Feb 22 14:04:42 CST 2018] Installing alias to '/root/.bashrc'
[Thu Feb 22 14:04:42 CST 2018] OK, Close and reopen your terminal to start using acme.sh
[Thu Feb 22 14:04:42 CST 2018] Installing alias to '/root/.cshrc'
[Thu Feb 22 14:04:42 CST 2018] Installing alias to '/root/.tcshrc'
[Thu Feb 22 14:04:42 CST 2018] Installing cron job
no crontab for root
no crontab for root
[Thu Feb 22 14:04:42 CST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Feb 22 14:04:43 CST 2018] OK
Starting create SSL Certificate use Let's Encrypt...
[Thu Feb 22 14:04:43 CST 2018] Registering account
[Thu Feb 22 14:04:44 CST 2018] Registered
[Thu Feb 22 14:04:44 CST 2018] Update account tos info success.
[Thu Feb 22 14:04:45 CST 2018] ACCOUNT_THUMBPRINT='iR8qMSa41Tnn52YE_QGOPG1HX9PLM0T2ARgPibudf3A'
[Thu Feb 22 14:04:45 CST 2018] Creating domain key
[Thu Feb 22 14:04:45 CST 2018] The domain key is here: /usr/local/nginx/conf/ssl/ezlost.com/ezlost.com.key
[Thu Feb 22 14:04:45 CST 2018] Single domain='ezlost.com'
[Thu Feb 22 14:04:45 CST 2018] Getting domain auth token for each domain
[Thu Feb 22 14:04:45 CST 2018] Getting webroot for domain='ezlost.com'
[Thu Feb 22 14:04:45 CST 2018] Getting new-authz for domain='ezlost.com'
[Thu Feb 22 14:04:45 CST 2018] The new-authz request is ok.
[Thu Feb 22 14:04:45 CST 2018] Verifying:ezlost.com
[Thu Feb 22 14:04:48 CST 2018] Success
[Thu Feb 22 14:04:48 CST 2018] Verify finished, start to sign.
[Thu Feb 22 14:04:49 CST 2018] Cert success.
[Thu Feb 22 14:04:49 CST 2018] Your cert is in  /usr/local/nginx/conf/ssl/ezlost.com/ezlost.com.cer 
[Thu Feb 22 14:04:49 CST 2018] Your cert key is in  /usr/local/nginx/conf/ssl/ezlost.com/ezlost.com.key 
[Thu Feb 22 14:04:49 CST 2018] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/ezlost.com/ca.cer 
[Thu Feb 22 14:04:49 CST 2018] And the full chain certs is there:  /usr/local/nginx/conf/ssl/ezlost.com/fullchain.cer 
[Thu Feb 22 14:04:49 CST 2018] Run reload cmd: /etc/init.d/nginx reload
Reload service nginx...  done
[Thu Feb 22 14:04:49 CST 2018] Reload success
Let's Encrypt SSL Certificate create successfully.
Create dhparam.pem...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
Test Nginx configure file......
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx......

Here we notice a problem: by default HTTP requests are not forced to redirect to HTTPS, and we certainly want to force that redirect.

1. Where to edit

/usr/local/nginx/conf/vhost

Find the configuration file for the corresponding site.

2. Add the forced-HTTPS rule

if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

Add this rule inside the port-80 section of the configuration file (note the quotes must be plain ASCII double quotes, not typographic ones, or nginx will reject the directive).


3. Reload Nginx

lnmp nginx reload

Once the change takes effect, opening the site again is forced over HTTPS.

[root@host wwwroot]# ls
default_bak  ezlost.com
[root@host wwwroot]# cd /usr/local/nginx/conf/vhost/
[root@host vhost]# ls
ezlost.com.conf
[root@host vhost]# vim ezlost.com.conf 
[root@host vhost]# lnmp nginx reload
+-------------------------------------------+
|    Manager for LNMP, Written by Licess    |
+-------------------------------------------+
|              https://lnmp.org             |
+-------------------------------------------+
Reload service nginx...  done
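The three steps above as one idempotent script, added here as an example; it is not from the original post or the LNMP project. It assumes, as the `$ssl_protocol` trick requires, that the LNMP vhost file has `listen 80;` and `listen 443 ssl ...;` in the same server block, and that the sample vhost content is constructed for illustration.

```shell
#!/bin/sh
# Added example: insert the HTTP->HTTPS redirect into an LNMP vhost file
# exactly once, then reload nginx only after the config test passes.
REDIRECT='if ($ssl_protocol = "") { return 301 https://$host$request_uri; }'

# add_https_redirect <vhost.conf>
# Exit status: 0 = redirect inserted, 1 = already present (nothing changed),
# 2 = no "listen 80" directive found, so the file is left untouched.
add_https_redirect() {
    conf=$1
    if grep -Fq 'ssl_protocol = ""' "$conf"; then
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+80[[:space:];]' "$conf"; then
        return 2
    fi
    tmp="$conf.tmp.$$"
    # Print every line; right after the first "listen 80" line, emit the rule.
    awk -v line="$REDIRECT" '
        { print }
        !done && $1 == "listen" && $2 ~ /^80;?$/ { print "        " line; done = 1 }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Step 3 of the post (lnmp nginx reload), guarded by nginx -t so a typo in
# the vhost file cannot take the site down. Skipped where nginx is absent.
reload_nginx() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && lnmp nginx reload
    fi
}

# Usage: sh force_https.sh /usr/local/nginx/conf/vhost/ezlost.com.conf
if [ "$#" -gt 0 ]; then
    add_https_redirect "$1" && reload_nginx
fi
```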