
Enabling SSL on a Ghost blog behind nginx with a Let's Encrypt certificate


In the previous post I talked about putting the blog on HTTPS. The first issue is the certificate: I used to have a free certificate from WoSign, but because of WoSign's misconduct Apple has already acted on it, and Firefox and Chrome have both applied the corresponding distrust, so, like onevcat, I chose a Let's Encrypt certificate. Theirs are free, but are only issued with a 90-day validity; the certbot-auto tool makes renewal easy, though.

My blog is Ghost running on nginx, and following this tutorial is basically enough, but it seems you need a proxy to reach it, so I have excerpted part of it below.

The Guide

All steps are written from the viewpoint of a Ghost blog that was set up on DigitalOcean using its one-click installer, but they're likely applicable to most Nginx/Ghost setups in general. Regardless, you should probably be familiar with using a terminal and SSH; if you aren't, I highly recommend brushing up via those links before you get started.

  1. If you already have a Ghost blog set up then skip to step 2. If not, go ahead and create a new droplet on DigitalOcean using the Ghost "One-Click App" install (Ghost 0.7.9 on Ubuntu 14.04 as of this writing) with 512 MB of memory (the $5/month option). Feel free to choose whichever datacenter is closest to yourself (or your users) and add an SSH key so you can access your Droplet via your local terminal.
  2. Once the droplet is finished building, access your droplet over SSH via the terminal of your choosing with ssh root@0.0.0.0, where 0.0.0.0 is the IP address of your droplet as listed in your account. If it prompts you to trust the RSA key, type yes and press ENTER. Long-term you should probably disable the root user, but that's outside the scope of this guide.
  3. Once you’re inside your server (synonymous with “droplet”), run apt-get update && apt-get upgrade -y to bring all Linux dependencies up to date.
  4. Next go ahead and open your Nginx configuration with vim /etc/nginx/sites-available/ghost and update it to match the block below — available as a gist here — replacing the six (6) yourdomain.com instances accordingly (if you have an older droplet this file may not exist, in which case you can either edit /etc/nginx/conf.d directly or set this up yourself).
  5. Run service nginx restart to restart Nginx and adopt the new settings. If you get a [fail] response run nginx -t to automatically detect where the error occurred.
  6. Run cd /opt && wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto. This will copy the script from LetsEncrypt's mirror on the EFF website and set the correct permissions for it to run safely.
  7. Run /opt/certbot-auto certonly --webroot -w /var/www/ghost -d yourdomain.com -d www.yourdomain.com, replacing “yourdomain.com” in both entries. Fill out your email address and agree to the TOS if prompted, and otherwise sit back and sip a cup of coffee while it does its thing. This will create a hidden .well-known folder within your /var/www directory and check against it from the LetsEncrypt servers. Note: Your website/server must be publicly accessible over port 80 for LetsEncrypt to verify your domain.
  8. Uncomment (remove # signs) from the second half of the settings in /etc/nginx/sites-available/ghost, then run service nginx restart again to adopt settings.
  9. Test https://yourdomain.com to make sure that SSL is working properly.
  10. Lastly, you’ll want to set up a cronjob to automatically renew the certificate every 60 days or so, otherwise they’ll expire after 90 days. Go ahead and run crontab -e in your server terminal, and you should see something similar to the image below. On the last line add 0 0 1 */2 * /opt/certbot-auto renew --quiet --no-self-upgrade, which tells cron to rerun the certificate renewal for you on the first day of every other month.


Nginx Config
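The gist linked in step 4 is not reproduced on this page, so the following is an added example of what that two-part nginx config looks like; it is not the guide's own gist. It assumes Ghost listens on 127.0.0.1:2368 (its default), that the webroot passed to certbot is /var/www/ghost, and the certificate paths certbot writes under /etc/letsencrypt/live/. Like the guide's block, it contains six yourdomain.com placeholders, and the HTTPS half stays commented out until step 8.

```nginx
# Added example config, not the original gist. Assumptions: Ghost on 127.0.0.1:2368,
# webroot /var/www/ghost, certbot's default /etc/letsencrypt/live/ paths.

# --- First half: HTTP. Keep this server block active even after switching to
# HTTPS: certbot renewals still validate over port 80 via /.well-known/acme-challenge/.
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    # Serve the challenge files certbot drops into the webroot (-w /var/www/ghost).
    location /.well-known/acme-challenge/ {
        root /var/www/ghost;
    }

    location / {
        # Until the certificate exists, proxy plain HTTP to Ghost.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:2368;
        # After step 8, replace the four lines above with this redirect:
        # return 301 https://$host$request_uri;
    }
}

# --- Second half: HTTPS. Leave commented out until certbot has issued the
# certificate in step 7; otherwise nginx -t fails on the missing key files.
#server {
#    listen 443 ssl;
#    server_name yourdomain.com www.yourdomain.com;
#
#    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
#    ssl_protocols TLSv1.2;          # add TLSv1.3 if your nginx/OpenSSL support it
#    ssl_prefer_server_ciphers on;
#    ssl_session_cache shared:SSL:10m;
#
#    location / {
#        proxy_set_header X-Real-IP $remote_addr;
#        proxy_set_header Host $http_host;
#        # Tell Ghost the original request was HTTPS so it builds https:// links.
#        proxy_set_header X-Forwarded-Proto https;
#        proxy_pass http://127.0.0.1:2368;
#    }
#}
```

Ghost also needs its own configured url changed to https://yourdomain.com (in config.js for the 0.x releases the guide targets), otherwise it keeps emitting http:// asset links and the browser flags mixed content even though the nginx side is correct.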


The steps for WordPress with Let's Encrypt are similar; only the nginx configuration differs slightly. Also, if your images and static files are served through a CDN, remember to use the SNI domain the CDN provides, otherwise the browser will report that the HTTPS page has loaded untrusted scripts/images.

With that, the whole blog is now on HTTPS; the next step will be adding HTTPS support for the iOS API.
