
Configuring SSL certificates with Let's Encrypt

1. Install Certbot

Let's Encrypt certificates do not have to be generated by hand; the officially recommended way is the certbot automation tool.

  • Nginx on CentOS/RHEL 7

    Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, you must first enable the EPEL repository. On RHEL or Oracle Linux, you must also enable the optional channel.

    Note:

    If you are using RHEL on EC2, you can enable the optional channel by running:

    $ yum -y install yum-utils
    $ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

    After doing this, you can install Certbot by running:

    $ sudo yum install certbot-nginx
  • Nginx on Ubuntu 16.04 (xenial)

    On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages.

    $ sudo apt-get update
    
    $ sudo apt-get install software-properties-common
    
    $ sudo add-apt-repository ppa:certbot/certbot
    
    $ sudo apt-get update
    
    $ sudo apt-get install python-certbot-nginx

    Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server are not available for your OS yet. This should change soon but if you don’t want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

2. Generate the SSL certificate
  • Edit the configuration file:

    $ sudo vim /etc/letsencrypt/configs/hostname
    
    # fill in your domain and e-mail address
    
    domains = hostname
    rsa-key-size = 2048
    email = your-email
    text = True
    
    
    # change the path below to the directory that serves hostname
    
    authenticator = webroot
    webroot-path = /mnt/var/www/<your-name>/<hostname>

    Just replace hostname with your domain. certbot automatically creates the hidden path .well-known/acme-challenge under /mnt/var/www/<your-name>/<hostname> and uses a request to it to verify that hostname really belongs to you: an external server fetches http://hostname/.well-known/acme-challenge and, if that request succeeds, validation passes.

  • Configure Nginx for webroot validation

    e.g. edit the file temp in the /etc/nginx/sites-available directory

    server {
     listen 80;
     server_name hostname;
    
     location ~ /.well-known {
         root /mnt/var/www/<your-name>/<hostname>;
         default_type "text/plain";
     }
    }

    Create the symlink:

    $ cd /etc/nginx/sites-enabled     # required!!!
    $ sudo ln -s ../sites-available/temp temp
    $ sudo openresty -s reload
  • Generate the SSL certificate

    $ sudo certbot -c /etc/letsencrypt/configs/hostname certonly
    
    
    ## after a moment, seeing the following output means it succeeded
    
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/hostname/fullchain.pem.

    Afterwards, delete the temp symlink created earlier.
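The webroot validation described in this section can be rehearsed before certbot is run. The following added example (not from the original post or from certbot) stages a throw-away token under .well-known/acme-challenge in a scratch webroot, serves that webroot locally with Python's standard-library HTTP server in place of the nginx location block, and replays the CA-side GET; the account-key thumbprint in the key authorization is a labelled placeholder.

```python
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def stage_challenge(webroot, token, key_authorization):
    """Write the HTTP-01 response file where certbot's webroot plugin would put it."""
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    file_path = os.path.join(challenge_path, token)
    with open(file_path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    return file_path


class QuietHandler(SimpleHTTPRequestHandler):
    """Serves files from the webroot like the nginx 'location /.well-known' block, without logging."""
    def log_message(self, *args):
        pass


def serve_webroot(webroot):
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_http01(base_url, token, expected_key_authorization):
    """Replay the CA-side check: GET the token URL and compare the body exactly."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii")
    except (urllib.error.URLError, UnicodeDecodeError) as exc:
        return False, f"{url}: {exc}"  # 404, connection refused, binary junk: all fail
    return body == expected_key_authorization, body


def preflight():
    """Stage a token in a scratch webroot, serve it, and validate both a hit and a miss."""
    token = secrets.token_urlsafe(32)
    key_authorization = f"{token}.ACCOUNT-KEY-THUMBPRINT-PLACEHOLDER"  # real form: token.<JWK thumbprint>
    with tempfile.TemporaryDirectory() as webroot:
        stage_challenge(webroot, token, key_authorization)
        server = serve_webroot(webroot)
        try:
            base = f"http://127.0.0.1:{server.server_address[1]}"
            ok, _ = validate_http01(base, token, key_authorization)
            missing, _ = validate_http01(base, "no-such-token", key_authorization)
        finally:
            server.shutdown()
            server.server_close()
    return ok and not missing
```

Pointing `validate_http01` at your real hostname after staging a token in the real webroot is the same check against the nginx block above.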

3. Deploy the HTTPS reverse proxy
  • nginx configuration file

    Edit the file hostname in the /etc/nginx/sites-available directory

    Template:

    upstream monitor_server {
        server <server-host>:<port>; 
        keepalive 2000;
    }
    
    server {
        listen 80;
        server_name hostname;
    
        # redirect all http to https
        return 301 https://$host$request_uri;
    }
    
    server {
        listen 443 ssl;
        server_name hostname;
    
        ssl_certificate /etc/letsencrypt/live/hostname/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/hostname/privkey.pem;
        # disable SSLv2
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
        # ciphers' order matters
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL";
    
        # the Elliptic curve key used for the ECDHE cipher.
        ssl_ecdh_curve secp384r1;
    
        # use command line
        # openssl dhparam -out dhparam.pem 2048
        # to generate Diffie Hellman Ephemeral Parameters
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        # let the server choose the cipher
        ssl_prefer_server_ciphers on;
    
        # turn on the OCSP Stapling and verify
        ssl_stapling on;
        ssl_stapling_verify on;
    
        # http compression method is not secure in https
        # opens you up to vulnerabilities like BREACH, CRIME
        gzip off;
    
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /mnt/var/www/<your-name>/<hostname>;
        }
        location / {
          ...
        }
    
        access_log /mnt/log/nginx/hostname/access.log;
        error_log /mnt/log/nginx/hostname/error.log;
    }

    Note:

    To support HTTP/2, change the first line of the HTTPS server block to listen 443 ssl http2; this enables Nginx's ngx_http_v2_module for HTTP/2. Nginx must be newer than 1.9.5 and compiled with --with-http_v2_module.

    ssl_certificate and ssl_certificate_key correspond to fullchain.pem and privkey.pem respectively; these are the certificate and private key generated earlier.

    ssl_dhparam is generated with the following command:

    $ sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048

    Then:

    $ cd /etc/nginx/sites-enabled     # required!!!
    $ sudo ln -s ../sites-available/hostname hostname 
    $ sudo openresty -s reload
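Before reloading, it is worth checking the TLS directives of the template above against current practice (the page's own template still lists TLSv1, TLSv1.1 and the 3DES suite DES-CBC3-SHA). The following added example (not part of the original post, and not an nginx tool) parses the directives of one server block and flags those settings; the sample blocks are constructed from this page's template and a hardened variant of it.

```python
import re

# Constructed sample: the TLS directives of this page's template, abridged.
PAGE_TEMPLATE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:!aNULL";
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    gzip off;
}
"""
# Hardened variant: http2 on the TLS listener, TLS 1.2/1.3 only, no 3DES.
HARDENED = (PAGE_TEMPLATE.replace("listen 443 ssl;", "listen 443 ssl http2;")
            .replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
            .replace(":DES-CBC3-SHA", ""))

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1 deprecated by RFC 8996
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "MD5", "EXP")       # 3DES, RC4, MD5 MAC, export grades
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]+?)\s*;", re.MULTILINE)


def parse_directives(block):
    """Map each directive name to its argument strings (quotes stripped); '#' lines never match."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(block):
        found.setdefault(name, []).append(args.strip().strip('"'))
    return found


def lint_tls(block):
    """Return (code, message) findings for the TLS settings of one nginx server block."""
    d, findings = parse_directives(block), []
    old = sorted(set(" ".join(d.get("ssl_protocols", [])).split()) & DEPRECATED_PROTOCOLS)
    if old:
        findings.append(("deprecated-protocol", f"ssl_protocols enables {' '.join(old)}; use TLSv1.2 TLSv1.3"))
    suites = [c for c in ":".join(d.get("ssl_ciphers", [])).split(":") if c and not c.startswith("!")]
    weak = [c for c in suites if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(("weak-cipher", f"ssl_ciphers includes {', '.join(weak)}; remove them"))
    tls_listens = [l for l in d.get("listen", []) if "ssl" in l.split()]
    if tls_listens and not any("http2" in l.split() for l in tls_listens):
        findings.append(("no-http2", "TLS listener lacks http2 (needs nginx > 1.9.5 built --with-http_v2_module)"))
    if d.get("ssl_stapling") != ["on"] or d.get("ssl_stapling_verify") != ["on"]:
        findings.append(("no-ocsp-stapling", "turn on ssl_stapling and ssl_stapling_verify"))
    if d.get("gzip", ["off"]) != ["off"]:
        findings.append(("gzip-on", "compression over TLS enables BREACH/CRIME-style attacks; set gzip off"))
    return findings


def finding_codes(block):
    return sorted(code for code, _ in lint_tls(block))
```

Run `lint_tls` over the server block you are about to enable; an empty list means none of the checks above fired.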
4. Set up automatic SSL certificate renewal

$ sudo vim /etc/systemd/system/letsencrypt.service

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/bin/systemctl reload nginx.service

Then add a systemd timer to trigger this service:

$ sudo vim /etc/systemd/system/letsencrypt.timer

[Unit]
Description=Monthly renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

Enable the service and start the timer:

$ sudo systemctl enable letsencrypt.timer
$ sudo systemctl start letsencrypt.timer

After these two commands complete, you can list all systemd timers with systemctl list-timers; among them you will find letsencrypt.timer, with its next run scheduled for 00:00 tomorrow.

5. Test SSL security with an online tool

Qualys SSL Labs offers a comprehensive SSL security test: enter your site's domain and get a grade for your HTTPS configuration.