2017/09/17

CENTOS7 安裝 NGINX 並請申請 Letsencrypt SSL憑證使用

CENTOS7 安裝 NGINX 並請申請 Letsencrypt SSL憑證使用

# 首先先看看網路上的教學安裝文章, 照著作把 nginx 安裝起來
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7

# 然後安裝憑證, 這個 Letsencrypt 目前用程式安裝憑證
https://letsencrypt.org/



# 請依據制這裡的說明, 安裝程式及工具
https://certbot.eff.org/#centosrhel7-nginx



# 先把 domain FQDN 對應 IP 設定好
# 執行憑證申請及安裝, 因為 Letsencrypt 有縣市 IP 及 Domain 所以申請盡可能一次就成功。
# 依據說明執行
[root@dev letsencrypt]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: api.jangmt.com
2: dev.jangmt.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dev.jangmt.com
Waiting for verification...
Cleaning up challenges
Cannot find a cert or key directive in /etc/nginx/conf.d/dev_jangmt_com.conf for set(['dev.jangmt.com']). VirtualHost was not modified.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/dev.jangmt.com/fullchain.pem. Your cert will
   expire on 2017-12-16. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"


# 失敗了, 因為還沒有設定好 cert or key directive  我們可以手動設定.
# 檢查一下 /etc/letsencrypt/ 應該有可以使用的憑證在 live 目錄內
[root@dev conf.d]# ls /etc/letsencrypt/ -la
total 20
drwxr-xr-x.   8 root root 4096 Sep 17 04:48 .
drwxr-xr-x. 143 root root 8192 Sep 17 05:03 ..
drwx------.   3 root root   49 Sep 17 04:03 accounts
drwx------.   4 root root   60 Sep 17 04:07 archive
drwxr-xr-x.   2 root root   72 Sep 17 04:07 csr
drwx------.   2 root root   72 Sep 17 04:07 keys
drwx------.   4 root root   60 Sep 17 04:07 live
-rw-r--r--.   1 root root  822 Sep 17 04:03 options-ssl-nginx.conf
drwxr-xr-x.   2 root root   70 Sep 17 04:07 renewal
 
 
# 然後設定一個初始的 NGINX 設定 /etc/nginx/conf.d/default.conf
# -----------------------------------------------------------
# http
server {
server_name _;
listen *:80 default_server deferred;
        # return 301 https://$server_name$request_uri;

        access_log  /var/log/nginx/access.log  main;
        error_log   /var/log/nginx/error.log warn;

        location / {
              root /usr/share/nginx/html;
              index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                root           /usr/share/nginx/html;
                try_files $uri = 404;
                fastcgi_pass   127.0.0.1:9000;
                #fastcgi_pass unix:/var/opt/remi/php70/run/php-fpm/php-fpm.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                include        /etc/nginx/fastcgi_params;
        }

        location ~ /\.ht {
                deny  all;
        }
}


# https
server {
       listen 443 ssl default_server;
       server_name _;

       ssl_certificate /etc/letsencrypt/live/dev.jangmt.com/cert.pem;
       ssl_certificate_key /etc/letsencrypt/live/dev.jangmt.com/privkey.pem;

       access_log  /var/log/nginx/access.log  main;
       error_log   /var/log/nginx/error.log warn;
       server_tokens off;

       location / {
             root /usr/share/nginx/html;
             index  index.php index.html index.htm;
       }

        location ~ \.php$ {
                root           /usr/share/nginx/html;
                try_files $uri = 404;
                fastcgi_pass   127.0.0.1:9000;
                #fastcgi_pass unix:/var/opt/remi/php70/run/php-fpm/php-fpm.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                include        /etc/nginx/fastcgi_params;
        }

        location ~ /\.ht {
                deny  all;
        }

       #return 301 http://$server_name$request_uri;
}




# 然後, 就設定好了....XDXD
# 我知道跳過很多步驟, 因為我看得懂就好.
# 有錯誤隨時檢查 /var/log/nginx/error.log 紀錄檔
[root@dev conf.d]# tail /var/log/nginx/error.log
2017/09/17 05:06:08 [error] 4159#0: *11 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 59.127.16.209, server: 0.0.0.0:443
2017/09/17 05:06:09 [error] 4159#0: *12 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 59.127.16.209, server: 0.0.0.0:443

# 上面這個錯誤, 是我憑證沒有設定好造成的.
基本上如果有多個網站在同一個 NGINX 上的時候, default site conf 要先設定好, 才可以正常工作.
# Good Luck !!




張貼留言