It is almost the end of 2017, and it is time to enable HTTPS for my website. After some searching I chose Let's Encrypt: it is free and widely supported by the community, so tutorials are easy to find.

My wiki is now served over HTTPS, and any plain http:// request is redirected (301) to the https:// URL.

How to install

Solution #1: the standalone authenticator (needs port 80 free)

sudo apt-get install letsencrypt
sudo service nginx stop                  # standalone mode binds port 80 itself, so nginx must not be listening
sudo letsencrypt certonly --standalone   # prompts for the hostnames; give every name (ef.pjq.me, wiki.pjq.me) so one certificate covers them all
sudo service nginx restart

Renewal has the same requirement: "certbot renew" only succeeds for a standalone certificate if port 80 is free, so either wrap it with --pre-hook "service nginx stop" --post-hook "service nginx start", or reissue with the webroot or nginx authenticator, which renew without downtime. Let's Encrypt certificates are valid for 90 days, so renewal must be automated.

Solution #2: certbot with the nginx plugin

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

This only installs certbot; obtaining and installing the certificate is then a single "sudo certbot --nginx" run, which edits the server blocks for you (see the certbot.eff.org reference below). Note that the ppa:certbot/certbot PPA has since been retired; the current certbot.eff.org instructions install certbot as a snap instead.

References
https://bitmingw.com/2017/02/02/letsencrypt-tutorial/
https://github.com/certbot/certbot
https://certbot.eff.org/#ubuntuxenial-nginx

nginx config

The port 80 blocks only redirect; TLS is terminated in the 443 blocks, which point at the files certbot wrote under /etc/letsencrypt/live/. Nothing here sets ssl_protocols or ssl_ciphers, so the nginx defaults apply; consider adding a Strict-Transport-Security header once every subdomain is served over HTTPS, and remember that nginx must be reloaded after each renewal to pick up the new certificate.

server {
    listen 80;
    server_name ef.pjq.me;
    return 301 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name wiki.pjq.me;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;   # "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listen directive instead
    server_name ef.pjq.me;
    ssl_certificate /etc/letsencrypt/live/ef.pjq.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ef.pjq.me/privkey.pem;
    ssl_session_timeout 5m;
    root /var/www/ef/;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
        autoindex on;   # lists the contents of any directory without an index file; turn off unless that is intended
    }
    location ~ \.php$ {
        try_files $uri =404;   # 404 unless the .php file really exists (blocks the cgi.fix_pathinfo /x.jpg/y.php trick)
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

server {
    listen 443 ssl;
    server_name wiki.pjq.me;
    root /var/www/dokuwiki/wiki/;
    index index.html index.htm index.php;
    # Reusing the ef.pjq.me certificate only works if it also lists wiki.pjq.me
    # (or *.pjq.me) as a Subject Alternative Name; otherwise browsers report a name mismatch.
    ssl_certificate /etc/letsencrypt/live/ef.pjq.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ef.pjq.me/privkey.pem;
    ssl_session_timeout 5m;
    location / {
        try_files $uri $uri/ =404;
    }
    # DokuWiki: never serve its data, config, binaries or includes directly.
    # Regex locations are tried in order, so this must stay above the \.php$ block.
    location ~ /(data|conf|bin|inc)/ {
        deny all;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
}
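The wiki.pjq.me server block above serves the ef.pjq.me certificate, which is only valid if that certificate also lists wiki.pjq.me as a Subject Alternative Name. The script below is an added example (not code from the original post) that checks exactly that for any server block: it extracts the DNS names from a certificate with openssl and applies the wildcard rule browsers use (RFC 6125: "*" stands for exactly one left-most label), which is also why the wildcard section that follows has to request both *.pjq.me and the bare pjq.me. Hostnames and certificate paths are the post's own; openssl 1.1.1 or later is assumed for the -ext flag.

```shell
#!/bin/sh
# Added example: verify that a certificate covers the hostname nginx serves it for.
# Run on the server as, e.g.:
#   sh check-vhost.sh /etc/letsencrypt/live/ef.pjq.me/fullchain.pem wiki.pjq.me

# wildcard_matches PATTERN HOST -> exit 0 if PATTERN (one SAN entry) covers HOST.
# "*.pjq.me" covers "wiki.pjq.me" but neither "pjq.me" nor "a.b.pjq.me".
wildcard_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        "*."*)
            suffix=${pattern#"*."}          # part after "*."
            label=${host%%.*}               # HOST's left-most label
            rest=${host#*.}                 # HOST without that label (unchanged if no dot)
            [ "$label" != "$host" ] && [ -n "$label" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# covered_by HOST NAME... -> exit 0 if any NAME covers HOST.
covered_by() {
    host=$1; shift
    for name in "$@"; do
        wildcard_matches "$name" "$host" && return 0
    done
    return 1
}

# cert_names PEMFILE -> the DNS names in the certificate's subjectAltName, one per line.
# Needs openssl >= 1.1.1 (for -ext); point it at fullchain.pem (the first cert is the leaf).
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# check_vhost PEMFILE HOST -> prints OK/FAIL and exits non-zero on a mismatch.
check_vhost() {
    cert=$1; host=$2
    names=$(cert_names "$cert")
    # $names is deliberately unquoted: one argument per SAN
    if covered_by "$host" $names; then
        echo "OK   $host is covered by $cert"
    else
        echo "FAIL $host is not covered by $cert (names: $(printf '%s ' $names))"
        return 1
    fi
}

if [ "$#" -eq 2 ]; then
    check_vhost "$1" "$2"
fi
```

Run it once per server_name/ssl_certificate pair after every issuance; a FAIL for wiki.pjq.me against the ef.pjq.me file means the certificate was requested with only one -d and must be reissued with both names (or replaced by the wildcard).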

Wildcard support

Let's Encrypt has supported wildcard certificates since March 2018 through the ACME v2 endpoint (reference: https://www.jianshu.com/p/c5c9d071e395). Wildcards can only be validated with the dns-01 challenge, so with --manual you publish a TXT record by hand. Two caveats: a *.pjq.me certificate does not cover the bare pjq.me, which is why both names are requested here, and a certificate obtained with --manual cannot be renewed unattended by "certbot renew" unless you add a --manual-auth-hook or switch to a DNS plugin, so note the expiry date.

sudo certbot certonly -d '*.pjq.me' -d pjq.me --manual --server https://acme-v02.api.letsencrypt.org/directory   # quote the wildcard so the shell does not try to expand it

The transcript below is from a run that requested only *.pjq.me:
pjq@pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:~$ sudo certbot certonly -d *.pjq.me --manual  --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for pjq.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.pjq.me with the following value:

QuTEKz6IaSk6xc_AAiTp47cNXXTps9wJZp1jViV9jTY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/pjq.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/pjq.me/privkey.pem
   Your cert will expire on 2020-03-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
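At the "verify the record is deployed" prompt above, pressing Enter before the TXT record is visible from outside fails the dns-01 challenge, because Let's Encrypt resolves _acme-challenge.pjq.me from its own vantage point, not from your DNS provider's console. The script below is an added example (not from the original post) that polls a public resolver until the record carries the expected token and only then tells you to continue. The record name and token are the ones certbot printed above; the resolver (1.1.1.1), the poll interval and the dig output used in the offline check are assumptions.

```shell
#!/bin/sh
# Added example: wait until the dns-01 TXT record is visible from a public resolver.
# Usage (in a second terminal while certbot waits at its prompt):
#   sh wait-txt.sh _acme-challenge.pjq.me QuTEKz6IaSk6xc_AAiTp47cNXXTps9wJZp1jViV9jTY

# txt_has_token DIG_OUTPUT TOKEN -> exit 0 if one whole TXT record equals TOKEN.
# `dig +short TXT` prints each record as a quoted string on its own line, so a stale
# record from an earlier run does not mask a missing one.
txt_has_token() {
    printf '%s\n' "$1" | sed 's/^"\(.*\)"$/\1/' | grep -qxF -- "$2"
}

# wait_for_txt NAME TOKEN [RESOLVER] [TRIES] -> polls every 10 s; exit 0 once visible.
wait_for_txt() {
    name=$1; token=$2; resolver=${3:-1.1.1.1}; tries=${4:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(dig +short TXT "$name" "@$resolver" 2>/dev/null)   # empty if dig is missing
        if txt_has_token "$out" "$token"; then
            echo "TXT $name is live at $resolver; press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT $name not visible after $tries tries; do not continue yet" >&2
    return 1
}

if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Querying a public resolver rather than the authoritative server is deliberate: it is the view a third party such as Let's Encrypt gets, including any negative cache left from a query made before the record existed.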
Time to enable https–letsencrypt