The steps below install an SSL/TLS certificate for Nginx on Ubuntu, using either a manually obtained certificate or an automatically issued Let's Encrypt certificate:
Method 1: manual installation
Install Nginx and OpenSSL
sudo apt update
sudo apt install nginx openssl
Obtain the certificate files
Obtain certificate.crt (the certificate) and private.key (the private key) from your certificate authority. For testing you can generate a self-signed pair instead (this writes selfsigned.key and selfsigned.crt, so point the ssl_certificate directives below at whichever files you use; browsers will not show the padlock for a self-signed certificate):
sudo mkdir -p /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/selfsigned.key \
  -out /etc/nginx/ssl/selfsigned.crt
Configure Nginx
Edit the site configuration file (for example /etc/nginx/sites-available/example.com):
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    # Certificate and private key installed in the previous step
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    # Only modern protocol versions; no anonymous or MD5-based cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root /var/www/html;
        index index.html;
    }
}
# Redirect HTTP to HTTPS (optional)
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Test the configuration and reload Nginx
sudo nginx -t                 # check the configuration syntax
sudo systemctl reload nginx   # apply the configuration without dropping connections
Verify SSL
Open https://example.com in a browser and check that the padlock icon is shown.
Method 2: Let's Encrypt (Certbot)
Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx
Obtain and configure the certificate
sudo certbot --nginx -d example.com -d www.example.com
Follow the prompts to select the domains; Certbot edits the Nginx configuration and enables HTTPS automatically.
Set up automatic renewal
Certbot installs a scheduled renewal task by default; you can test renewal manually with:
sudo certbot renew --dry-run
Notes
Certificate paths: manually installed certificates live in /etc/nginx/ssl/ (any directory works); Let's Encrypt certificates are stored under /etc/letsencrypt/live/<domain>/.
Protocols: keep ssl_protocols at TLSv1.2 TLSv1.3 and leave insecure legacy protocols such as SSLv3 disabled.
Firewall: if ufw is enabled, open HTTP and HTTPS with:
sudo ufw allow 'Nginx Full'
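As an added example (not part of the tutorial), the following Python script checks a server block like the one above for the protocol and cipher settings the notes call out: it flags legacy protocol versions, a missing certificate or key directive, and a cipher list that does not exclude anonymous suites. The two sample configurations are constructed for the example; the hardened one carries the settings the tutorial recommends.

```python
import re

# One directive per line, terminated by ';'; block braces never match this.
DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+([^;]*);")
# Protocol versions that should stay disabled on a public-facing server.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Constructed sample: the tutorial's server block with its TLS settings weakened.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;   # legacy versions left enabled
    ssl_ciphers HIGH:!MD5;               # anonymous suites not excluded
}
"""
# Constructed sample: the same block with the settings the tutorial recommends.
HARDENED_CONFIG = (WEAK_CONFIG.replace("SSLv3 TLSv1 TLSv1.2", "TLSv1.2 TLSv1.3")
                  .replace("HIGH:!MD5", "HIGH:!aNULL:!MD5"))

def parse_directives(config_text):
    """Return (name, [args]) for each directive; comments and braces are ignored."""
    directives = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comment
        m = DIRECTIVE_RE.match(line)
        if m:
            directives.append((m.group(1), m.group(2).split()))
    return directives

def audit_ssl(config_text):
    """Return findings for one server block; an empty list means it passes."""
    by_name = {}
    for name, args in parse_directives(config_text):
        by_name.setdefault(name, []).append(args)
    findings = []
    protocols = {p for args in by_name.get("ssl_protocols", []) for p in args}
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    elif not protocols:
        findings.append("ssl_protocols not set; nginx default applies")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in by_name:
            findings.append(key + " missing")
    for args in by_name.get("ssl_ciphers", []):
        if "!aNULL" not in (args[0] if args else "").split(":"):
            findings.append("ssl_ciphers does not exclude anonymous suites (!aNULL)")
    return findings
```

Run audit_ssl on the contents of your own server block (for example the file under /etc/nginx/sites-available/) before reloading Nginx; it complements sudo nginx -t, which only checks syntax.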