It's almost the end of 2017, so it's time to enable HTTPS for my website. After some searching I chose Let's Encrypt: it is free and widely supported by the community, so tutorials were easy to find.
My wiki is now served over HTTPS, and any plain HTTP request is redirected to the https link.
How to install
Solution #1
Standalone mode: certbot binds port 80 itself to answer the challenge, which is why nginx has to be stopped while it runs.
sudo apt-get install letsencrypt
sudo service nginx stop
sudo letsencrypt certonly --standalone
sudo service nginx restart
Solution #2
Certbot's own PPA, with the nginx plugin:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
References
https://bitmingw.com/2017/02/02/letsencrypt-tutorial/
https://github.com/certbot/certbot
https://certbot.eff.org/#ubuntuxenial-nginx
nginx config
server {
    listen 80;
    server_name ef.pjq.me;
    return 301 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name wiki.pjq.me;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443;
    server_name ef.pjq.me;
    ssl on;   # "ssl on" is deprecated since nginx 1.15; newer versions use "listen 443 ssl;"
    ssl_certificate /etc/letsencrypt/live/ef.pjq.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ef.pjq.me/privkey.pem;
    ssl_session_timeout 5m;

    root /var/www/ef/;
    index index.html index.htm index.php;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Never reached: the regex location above already matches every .php request,
    # and nginx stops at the first matching regex location.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

server {
    listen 443;
    root /var/www/dokuwiki/wiki/;
    index index.html index.htm index.php;
    server_name wiki.pjq.me;
    ssl on;
    # Same certificate files as ef.pjq.me: browsers accept this only if that
    # certificate also lists wiki.pjq.me as a subject alternative name.
    ssl_certificate /etc/letsencrypt/live/ef.pjq.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ef.pjq.me/privkey.pem;
    ssl_session_timeout 5m;

    location / {
        try_files $uri $uri/ =404;
    }

    # DokuWiki's data, conf, bin and inc directories must never be served.
    location ~ /(data|conf|bin|inc)/ {
        deny all;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}
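The wiki server block above serves wiki.pjq.me with the certificate issued for ef.pjq.me, which only works if that certificate also lists wiki.pjq.me. The script below is an added example, not code from the original post, that checks a deployed site the way a browser would: whether the certificate's names cover each hostname (including the wildcard rule that `*.pjq.me` covers `wiki.pjq.me` but not `pjq.me`), how many days remain before expiry measured against certbot's 30-day renewal threshold, and whether plain HTTP answers with a redirect to https. The sample certificate dictionary, its names and its expiry date are constructed; the live functions take the hostname as an argument.

```python
"""Audit a deployed HTTPS site against what the nginx config above promises.

Added example, not part of the original post. The pure functions take the
dictionary shape that ssl.SSLSocket.getpeercert() returns, so they can be
checked offline with the constructed sample below; only the __main__ block
talks to the network.
"""
import http.client
import socket
import ssl

# Constructed sample in the shape returned by getpeercert(); the SAN list and
# the date are made up for the example, not taken from the real ef.pjq.me cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "ef.pjq.me"),),),
    "subjectAltName": (("DNS", "ef.pjq.me"), ("DNS", "wiki.pjq.me")),
    "notAfter": "Mar  1 00:00:00 2020 GMT",
}


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact (case-insensitive), or a single wildcard in
    the leftmost label that stands for exactly one label. '*.pjq.me' therefore
    covers 'wiki.pjq.me' but neither 'pjq.me' nor 'a.b.pjq.me'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    if "*" in suffix:
        return False
    head, sep, rest = hostname.partition(".")
    return bool(head) and sep == "." and rest == suffix


def san_names(cert):
    """DNS names from subjectAltName; fall back to the CN only when there is
    no SAN at all (modern browsers ignore the CN otherwise)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def cert_covers(cert, hostname):
    return any(name_matches(name, hostname) for name in san_names(cert))


def days_until_expiry(cert, now_ts):
    """Whole days from now_ts (epoch seconds) until the certificate's notAfter."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400


def audit(cert, hostnames, now_ts, renew_before_days=30):
    """Findings for every hostname served from this one certificate;
    30 days is certbot's default renewal threshold."""
    days = days_until_expiry(cert, now_ts)
    return {
        "days_left": days,
        "needs_renewal": days < renew_before_days,
        "uncovered": [h for h in hostnames if not cert_covers(cert, h)],
    }


def fetch_cert(hostname, port=443, timeout=5):
    """Live check with full chain validation and SNI, as a browser does.
    Raises ssl.SSLError when the chain or the hostname does not verify."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def redirects_to_https(hostname, timeout=5):
    """True when plain HTTP answers with a 301/308 to an https:// URL, which is
    what the 'return 301 https://...' blocks above should produce."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        return resp.status in (301, 308) and location.startswith("https://")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    import time

    host = sys.argv[1] if len(sys.argv) > 1 else "wiki.pjq.me"
    print(audit(fetch_cert(host), [host], int(time.time())))
    print("http -> https redirect:", redirects_to_https(host))
```

Run it as `python3 check_https.py wiki.pjq.me` after reloading nginx; an empty `uncovered` list and `needs_renewal: False` are what you want, and a hostname the certificate does not list shows up in `uncovered` before a visitor's browser complains about it.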
Wildcard support
Let's Encrypt now supports wildcard certificates (reference: https://www.jianshu.com/p/c5c9d071e395). Wildcards are issued only through the dns-01 challenge and the ACME v2 endpoint, hence the --manual and --server options:
sudo certbot certonly -d *.pjq.me -d pjq.me --manual --server https://acme-v02.api.letsencrypt.org/directory
pjq@pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:~$ sudo certbot certonly -d *.pjq.me --manual --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for pjq.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.pjq.me with the following value:
QuTEKz6IaSk6xc_AAiTp47cNXXTps9wJZp1jViV9jTY
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/pjq.me/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/pjq.me/privkey.pem
Your cert will expire on 2020-03-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
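Certbot prints the TXT value and asks you to verify the record before pressing Enter. The following Python script is an added example, not part of the post or of certbot, that shows where that value comes from as RFC 8555 defines it (key authorization = token "." JWK thumbprint of the account key; TXT value = base64url of its SHA-256) and how to confirm from an outside resolver that the record is visible before continuing. The token and account key in it are constructed placeholders; the dig output used for the offline check reuses the TXT value from the session above.

```python
"""Derive and verify the dns-01 TXT record certbot asks you to deploy.

Added example, not part of the original post or of certbot. Derivation per
RFC 8555 (key authorization and the dns-01 challenge) and RFC 7638 (JWK
thumbprint). Only lookup_txt() and the __main__ block touch the network.
"""
import base64
import hashlib
import json
import re
import subprocess
import time

# Constructed placeholders: the real token is issued by the ACME server and the
# real account key lives under /etc/letsencrypt/accounts; neither is used here.
SAMPLE_TOKEN = "placeholder-token-from-acme-server"
SAMPLE_JWK = {"kty": "RSA", "n": "AAAA-placeholder-modulus-not-a-real-key", "e": "AQAB"}


def b64url(data):
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, names sorted
    lexicographically, no whitespace. Optional members such as 'alg' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, jwk):
    """The value to publish at _acme-challenge.<domain>: base64url(SHA-256(
    token '.' thumbprint)). The 43-character strings certbot prints are this."""
    key_authorization = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def parse_dig_short_txt(output):
    """Turn `dig +short TXT` output into record values. Each line is one record;
    records longer than 255 bytes arrive as several quoted chunks to be joined."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunk.replace('\\"', '"') for chunk in chunks))
    return records


def record_deployed(output, expected):
    """True when the expected value is among the published TXT records; other
    TXT records at the same name (SPF and the like) are ignored."""
    return expected in parse_dig_short_txt(output)


def lookup_txt(name, resolver="1.1.1.1"):
    """Ask a public resolver rather than the local cache, so the answer is close
    to what Let's Encrypt's validators will see."""
    proc = subprocess.run(["dig", "+short", "TXT", name, "@" + resolver],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def wait_for_record(name, expected, attempts=12, delay=10):
    """Poll until the record is visible or the attempts run out."""
    for _ in range(attempts):
        if record_deployed(lookup_txt(name), expected):
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    import sys

    # Usage: python3 dns01_check.py pjq.me <value certbot printed>
    domain, value = sys.argv[1], sys.argv[2]
    print("visible:", wait_for_record("_acme-challenge." + domain, value))
```

Running `python3 dns01_check.py pjq.me QuTEKz6IaSk6xc_AAiTp47cNXXTps9wJZp1jViV9jTY` in a second terminal before pressing Enter tells you whether the record has propagated; the same check can be wired into certbot's `--manual-auth-hook` so that the pause is no longer needed. A value that never becomes visible almost always means the record was created at the wrong name (the `_acme-challenge` label belongs in front of the domain, not after it) or with the surrounding quotes included in the value.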
Time to enable https: letsencrypt
If you are using nginx, certbot can update the nginx configuration for you:
sudo certbot --nginx
A wildcard certificate for *.pjq.me does not cover the bare domain pjq.me, so the two are requested separately here (alternatively pass both -d flags in one command, as in the wildcard section above):
sudo certbot certonly -d *.pjq.me --manual --server https://acme-v02.api.letsencrypt.org/directory
sudo certbot certonly -d pjq.me --manual --server https://acme-v02.api.letsencrypt.org/directory