{"id":208355,
"date":"2025-07-18T10:48:54",
"date_gmt":"2025-07-18T02:48:54",
"guid":{"rendered":"https:\/\/server.hk\/cnblog\/?p=208355"},
"modified":"2025-07-18T10:48:54",
"modified_gmt":"2025-07-18T02:48:54",
"slug":"%e5%9c%a8-nginx-%e4%b8%8a%e7%82%ba%e9%a6%99%e6%b8%af%e4%bc%ba%e6%9c%8d%e5%99%a8%e9%85%8d%e7%bd%ae-lets-encrypt-ssl-tls-%e8%ad%89%e6%9b%b8",
"status":"publish",
"type":"post",
"link":"https:\/\/server.hk\/cnblog\/208355\/",
"title":{"rendered":"Configuring Let\u2019s Encrypt SSL\/TLS certificates on NGINX for Hong Kong servers"},
"content":{"rendered":"<p>Let\u2019s Encrypt is a free certificate authority run by a non-profit organisation whose goal is to build a safer, more privacy-friendly Internet by driving the widespread adoption of HTTPS. Its certificates are valid for 90 days and can be renewed at any time. Let\u2019s Encrypt automates certificate creation, validation, signing, installation and renewal, greatly reducing the complexity of configuring and maintaining TLS encryption. This article explains in detail how to configure Let\u2019s Encrypt SSL\/TLS certificates with NGINX on a <a href=\"https:\/\/server.hk\/\">Hong Kong server<\/a>, as a clear and practical procedure for users of <a href=\"https:\/\/server.hk\/\">Hong Kong VPS<\/a> and <a href=\"https:\/\/server.hk\/\">Hong Kong cloud servers<\/a>.<\/p>\n<h2>Steps to configure a Let\u2019s Encrypt SSL\/TLS certificate<\/h2>\n<p>Below are the detailed steps for configuring Let\u2019s Encrypt SSL\/TLS certificates with NGINX on a <a href=\"https:\/\/server.hk\/\">Hong Kong server<\/a>, covering the two common methods: HTTP-01 validation and DNS-01 validation.<\/p>\n<h3>Method 1: HTTP-01 validation (for domains that already point at the server\u2019s IP)<\/h3>\n<ol>\n<li><strong>Install Certbot<\/strong><br \/>\nCertbot is Let\u2019s Encrypt\u2019s recommended client for obtaining and deploying SSL certificates automatically. On a <a href=\"https:\/\/server.hk\/\">Hong Kong VPS<\/a> or <a href=\"https:\/\/server.hk\/\">Hong Kong cloud server<\/a> running Ubuntu, install Certbot and its NGINX plugin with:\n<pre><code class=\"language-bash\">sudo apt update\r\nsudo apt install certbot python3-certbot-nginx\r\n<\/code><\/pre>\n<\/li>\n<li><strong>Configure NGINX<\/strong><br \/>\nMake sure the <code>server_name<\/code> directive in your NGINX configuration is set to the domain(s) you want to protect. For example, in <code>\/etc\/nginx\/sites-available\/your-site<\/code>:\n<pre><code class=\"language-nginx\">server {\r\n    listen 80;\r\n    server_name yourdomain.com www.yourdomain.com;\r\n    root \/var\/www\/html;\r\n}\r\n<\/code><\/pre>\n<p>After saving, validate and reload the NGINX configuration:<\/p>\n<pre><code class=\"language-bash\">sudo nginx -t\r\nsudo systemctl reload nginx\r\n<\/code><\/pre>\n<\/li>\n<li><strong>Obtain the SSL\/TLS certificate<\/strong><br \/>\nUse Certbot\u2019s NGINX plugin to obtain the certificate and configure NGINX automatically:\n<pre><code class=\"language-bash\">sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com\r\n<\/code><\/pre>\n<p>When prompted, enter an email address and accept the terms of service. Certbot obtains the certificate and updates the NGINX configuration to enable HTTPS.<\/p>\n<\/li>\n<li><strong>Automatic certificate renewal<\/strong><br \/>\nLet\u2019s Encrypt certificates are valid for 90 days; Certbot sets up an automatic renewal task by default. Test the renewal process with:\n<pre><code class=\"language-bash\">sudo certbot renew --dry-run\r\n<\/code><\/pre>\n<p>To renew manually, run:<\/p>\n<pre><code class=\"language-bash\">sudo certbot renew\r\n<\/code><\/pre>\n<\/li>\n<\/ol>\n<h3>Method 2: DNS-01 validation (for wildcard certificates or servers without a public IP)<\/h3>\n<ol>\n<li><strong>Install Certbot<\/strong><br \/>\nOn your <a href=\"https:\/\/server.hk\/\">Hong Kong server<\/a>, make sure Certbot is installed:\n<pre><code class=\"language-bash\">sudo apt-get update\r\nsudo apt-get install certbot\r\n<\/code><\/pre>\n<\/li>\n<li><strong>Generate the DNS-01 challenge<\/strong><br \/>\nRun the following Certbot command to generate the TXT record required for DNS-01 validation:\n<pre><code class=\"language-bash\">sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.com -d *.yourdomain.com\r\n<\/code><\/pre>\n<p>Certbot prints the TXT record to create: the name <code>_acme-challenge.yourdomain.com<\/code> and the corresponding value string.<\/p>\n<\/li>\n<li><strong>Add the TXT record<\/strong><br \/>\nLog in to your DNS provider\u2019s management console and add a TXT record in the domain\u2019s DNS settings. The record name is <code>_acme-challenge.yourdomain.com<\/code> and the value is the string Certbot provided. After saving, wait for the DNS record to take effect (usually a few minutes).<\/li>\n<li><strong>Verify the DNS record<\/strong><br \/>\nCheck that the TXT record has propagated correctly with:\n<pre><code class=\"language-bash\">nslookup -q=TXT _acme-challenge.yourdomain.com\r\n<\/code><\/pre>\n<p>Confirm that the returned TXT value matches the one Certbot provided.<\/p>\n<\/li>\n<li><strong>Complete validation and obtain the certificate<\/strong><br \/>\nReturn to the Certbot prompt and press Enter to continue. Certbot verifies the TXT record and issues the certificate once validation passes. The certificate files are normally stored under <code>\/etc\/letsencrypt\/live\/yourdomain.com\/<\/code>.<\/li>\n<li><strong>Configure NGINX to use the certificate<\/strong><br \/>\nEdit the NGINX configuration file and add the SSL settings. For example:\n<pre><code class=\"language-nginx\">server {\r\n    listen 443 ssl;\r\n    server_name yourdomain.com www.yourdomain.com;\r\n    ssl_certificate \/etc\/letsencrypt\/live\/yourdomain.com\/fullchain.pem;\r\n    ssl_certificate_key \/etc\/letsencrypt\/live\/yourdomain.com\/privkey.pem;\r\n    root \/var\/www\/html;\r\n}\r\n<\/code><\/pre>\n<p>After saving, validate and reload NGINX:<\/p>\n<pre><code class=\"language-bash\">sudo nginx -t\r\nsudo systemctl reload nginx\r\n<\/code><\/pre>\n<\/li>\n<li><strong>Automated renewal (optional)<\/strong><br \/>\nIf your DNS provider offers an API, you can use one of Certbot\u2019s DNS plugins to automate renewal; a certificate obtained with <code>--manual<\/code> as above cannot otherwise be renewed unattended. For example, with the Cloudflare plugin:\n<pre><code class=\"language-bash\">sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~\/.secrets\/certbot\/cloudflare.ini -d yourdomain.com\r\n<\/code><\/pre>\n<p>Make sure the API credentials file (e.g. <code>cloudflare.ini<\/code>) is configured in advance and is readable only by the user running Certbot, since the token it holds can modify your DNS zone.<\/p>\n<\/li>\n<\/ol>\n<h2>Summary<\/h2>\n<p>With the methods above, you can easily configure Let\u2019s Encrypt SSL\/TLS certificates with NGINX on a <a href=\"https:\/\/server.hk\/\">Hong Kong VPS<\/a> or <a href=\"https:\/\/server.hk\/\">Hong Kong cloud server<\/a>. HTTP-01 validation suits domains that already resolve to the server, while DNS-01 validation suits wildcard certificates or servers without a public IP. Certbot\u2019s automation greatly simplifies certificate management and renewal, keeping your website on a <a href=\"https:\/\/server.hk\/\">Hong Kong server<\/a> behind a secure, encrypted connection at all times.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Let\u2019s Encrypt is a&#46;&#46;&#46;<\/p>\n","protected":false},
"author":1,
"featured_media":0,
"comment_status":"closed",
"ping_status":"closed",
"sticky":false,
"template":"",
"format":"standard",
"meta":{"footnotes":""},
"categories":[4924],
"tags":[],
"class_list":["post-208355","post","type-post","status-publish","format-standard","hentry","category-setup-tutorials"],
"_links":{"self":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/208355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/comments?post=208355"}],"version-history":[{"count":0,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/208355\/revisions"}],"wp:attachment":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/media?parent=208355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/categories?post=208355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/tags?post=208355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}