How to use Let's Encrypt

Posted: 2016-04-17 09:04:06

Tags: ssl encryption nginx ubuntu-14.04 lets-encrypt

I have an NGINX server and I am trying to add SSL using Let's Encrypt.

My development setup is as follows:

url : dev.domain.in
root: /var/www/dev/html

Production is as follows:

url : domain.in
root: /var/www/production/html

So in my nginx default file I have two server blocks, one for development and the other for production.

I want one certificate for both servers.

I know that according to the Let's Encrypt website the command is as follows:

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

But this only works when the SUBDOMAIN has the same webroot, which in my case is not true.

So how do I add the CERT here?

Please help me.

2 answers:

Answer 0 (score: 9)

I use a common webroot across all of my virtual hosts on my nginx box.

/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
-d example.com,www.example.com

... and in nginx I have snippets/letsencrypt.conf:

location ~ /.well-known {
    root /srv/www/letsencrypt;
    allow all;
}

... which gets included in my server block for each site.

The files in the .well-known directory are temporary - they only exist for long enough for the authorisation process to complete and are then removed.

Once registration is successful, I then include the certificate definition in the server block via include ssl/example.com.conf; where that file contains the following:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

... along with the relevant listen directives to enable SSL on port 443.

You can include the same definition in multiple server blocks.

I have additional subdomains as SANs in my certificate as well and I have separate server blocks for example.com, www.example.com and also other subdomains like click.example.com - all using the same certificate.

Answer 1 (score: 1)

The Let's Encrypt webroot method uses a file named ".well-known/acme-challenge" in the webroot directory. You can configure a location snippet on both the dev and main servers to point to a different webroot that is used only for this file.

Something like:

location /.well-known/acme-challenge {
    alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
    location ~ /.well-known/acme-challenge/(.*) {
        add_header Content-Type application/jose+json;
    }
}

and point your webroot at it with --webroot-path /etc/letsencrypt/webrootauth

This discussion may help.

Or you can use the standalone method and do some of the work by hand.
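The following is an added example, not code from either answer above, showing how the shared-webroot approach from Answer 0 (and the separate ACME webroot from Answer 1) fits the asker's two virtual hosts. It assumes the snippet paths /etc/nginx/snippets/letsencrypt.conf and /etc/nginx/snippets/ssl-domain.in.conf, the ACME directory /srv/www/letsencrypt, and that certbot was run with the production name first (certbot certonly --webroot -w /srv/www/letsencrypt -d domain.in -d dev.domain.in), so the lineage directory under /etc/letsencrypt/live/ is named domain.in. Each site keeps its own document root; only the /.well-known/acme-challenge/ prefix is answered from the dedicated directory.

```nginx
# --- /etc/nginx/snippets/letsencrypt.conf (assumed path) ---
# Answers only HTTP-01 challenge requests from one dedicated directory.
# "^~" is a prefix match that beats regex locations, so a site's own
# "location ~ ..." rules cannot shadow the challenge path.
location ^~ /.well-known/acme-challenge/ {
    root /srv/www/letsencrypt;      # same directory passed to certbot -w
    default_type text/plain;        # challenge files have no extension
    allow all;
}

# --- /etc/nginx/snippets/ssl-domain.in.conf (assumed path) ---
# One certificate covering both names; included by every HTTPS server block.
ssl_certificate     /etc/letsencrypt/live/domain.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.in/privkey.pem;
ssl_protocols       TLSv1.2 TLSv1.3;  # drop TLSv1.3 on nginx older than 1.13

# --- /etc/nginx/sites-available/default ---
# Port 80: serve the challenge for both names, redirect everything else.
# HTTP-01 validation always arrives on port 80, so the snippet must be
# included here, before the catch-all redirect.
server {
    listen 80;
    server_name domain.in dev.domain.in;

    include snippets/letsencrypt.conf;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Production site: its own document root, shared certificate.
server {
    listen 443 ssl;
    server_name domain.in;
    root /var/www/production/html;

    include snippets/ssl-domain.in.conf;
}

# Development site: different document root, same certificate.
server {
    listen 443 ssl;
    server_name dev.domain.in;
    root /var/www/dev/html;

    include snippets/ssl-domain.in.conf;
}
```

Before requesting the certificate, check that the challenge path is reachable on both names and is served from the dedicated directory rather than the site root: create a throwaway file under /srv/www/letsencrypt/.well-known/acme-challenge/, fetch it with curl over plain HTTP from each hostname, confirm the body comes back with a 200, and delete it again. A 301 or 404 here means a location or redirect in that server block is shadowing the snippet, and the certbot run would fail for the same reason.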