I previously wrote up a post, "Enabling HTTPS for an entire WordPress site". That setup used a free HTTPS certificate from Tencent, valid for only one year, with Apache as the web server. I have since migrated to Oracle's free host, and the web server is now nginx:
This time the HTTPS certificate comes from Let's Encrypt; it is valid for 90 days, renewal is free, and renewal can be automated;
The steps below mainly follow this article; one point in its certificate section was left unexplained, so I have filled that in as well;
1. Install the required packages
sudo apt install certbot
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo nano /etc/nginx/snippets/well-known # this step is optional; run it only to inspect the generated config
Result: this configuration is generated automatically and needs no changes;
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
2. Include the config generated in step 1 in nginx
Edit the nginx config file and add include snippets/well-known to the port-80 server block; I put it on the last line;
nano /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www;
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ /index.php?$args;
}
# other configuration
include snippets/well-known; # the only line added in this step
}
This step adds a virtual directory under port 80 that is used for validation in the next step; the goal is that http://<domain>/<virtual directory> serves the files under /var/lib/letsencrypt.
3. Request the certificate
sudo certbot certonly --agree-tos --email username@email.com --webroot -w /var/lib/letsencrypt/ -d ashita.top
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Note that I generated a certificate for ashita.top, not for www.ashita.top; either is fine, but keep the distinction in mind in the later steps;
4. Edit the configuration file
Edit the nginx config file (the same file as in step 2) and add the HTTPS-related content; replace ashita.top with your own domain wherever it appears, and set root to your own path;
Restart the nginx service; at this point https://ashita.top should load the page normally.
At this point the site can be reached at three addresses: http://ashita.top, https://ashita.top and http://www.ashita.top; a fourth, https://www.ashita.top, may have a problem, which is caused by the configuration referenced in step 5;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ashita.top;
root /var/www/;
index index.php index.html index.htm;
charset utf-8;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
include snippets/well-known;
ssl_certificate /etc/letsencrypt/live/ashita.top/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ashita.top/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ashita.top/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 223.5.5.5 223.6.6.6 valid=300s;
resolver_timeout 30s;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
access_log /var/log/nginx/ashita.top.access.log;
error_log /var/log/nginx/ashita.top.error.log;
client_max_body_size 100M;
autoindex off;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_read_timeout 300s;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
}
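The server block above works, but two of its directives carry a security cost worth flagging: ssl_protocols still enables TLSv1 and TLSv1.1 (both deprecated by RFC 8996), and the cipher list still contains 3DES (DES-CBC3) suites. The script below is an added example, not part of the original post: it lints an nginx vhost file for those two settings, for an unescaped dot in a location ~ .php$ regex (a common slip that also matches paths like /foo/xphp), and for a missing HSTS header on a TLS listener, and it prints a hardened replacement snippet. The two sample config files it writes are constructed for the demonstration; nginx itself does not need to be installed to run it.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nginx vhost file for a few
# TLS weaknesses and print a hardened replacement snippet. Needs only sh, grep
# and sed; nginx does not have to be installed.

# lint_nginx_tls FILE: print one line per finding, return the number of findings.
lint_nginx_tls() {
    conf="$1"
    n=0
    # TLSv1 / TLSv1.1 enabled. The version token must be followed by a space or
    # ';', so TLSv1.2 and TLSv1.3 do not match.
    if grep -E '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$conf" >/dev/null; then
        printf '%s\n' "ssl_protocols: TLSv1/TLSv1.1 enabled; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi
    # 3DES or RC4 suites in ssl_ciphers.
    if grep -E '^[[:space:]]*ssl_ciphers.*(DES-CBC3|RC4)' "$conf" >/dev/null; then
        printf '%s\n' "ssl_ciphers: 3DES/RC4 suites present; drop them from the list"
        n=$((n + 1))
    fi
    # 'location ~ .php$' with an unescaped dot matches any path ending in 'php'.
    if grep -E '^[[:space:]]*location[[:space:]]+~\*?[[:space:]]+\.php\$' "$conf" >/dev/null; then
        printf '%s\n' "location: unescaped dot in '~ .php\$'; write '~ \\.php\$'"
        n=$((n + 1))
    fi
    # A TLS listener without a Strict-Transport-Security header.
    if grep -E 'listen[^;]*ssl' "$conf" >/dev/null &&
        ! grep -E 'add_header[[:space:]]+Strict-Transport-Security' "$conf" >/dev/null; then
        printf '%s\n' "HSTS: no Strict-Transport-Security header on a TLS listener"
        n=$((n + 1))
    fi
    return "$n"
}

# hardened_tls_snippet: print directives that replace the weak ones. TLS 1.3
# suites are not controlled by ssl_ciphers, so only TLS 1.2 AEAD suites are listed.
hardened_tls_snippet() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15768000" always;
EOF
}

WORKDIR=$(mktemp -d)
WEAK_CONF="$WORKDIR/weak.conf"
GOOD_CONF="$WORKDIR/hardened.conf"

# Constructed sample: the weak settings, in the shape of the post's 443 block.
cat >"$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    server_name ashita.top;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
    add_header Strict-Transport-Security max-age=15768000;
    location ~ .php$ { fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; }
}
EOF

# Constructed sample: the same block with the hardened snippet and the fixed regex.
{
    printf 'server {\n    listen 443 ssl http2;\n    server_name ashita.top;\n'
    hardened_tls_snippet
    printf '    location ~ \\.php$ { fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; }\n}\n'
} >"$GOOD_CONF"

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    printf '== %s\n' "$f"
    if lint_nginx_tls "$f"; then
        printf 'clean\n'
    fi
done
```

To apply the hardened settings to a live server, write the snippet to a file under /etc/nginx/snippets/, include it from the 443 block in place of the original ssl_protocols, ssl_ciphers and add_header lines, and run nginx -t before reloading. The lint runs on plain text, so it can be dropped into a deploy check without touching nginx.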
5. Redirect everything to https://ashita.top
Four places need changing:
1. Change the WordPress admin backend address: under Settings – General, set both WordPress Address and Site Address to https://ashita.top;
2. Edit the WordPress source: in ./wp-config.php add the following code
// force the admin backend and login page to use https
define('FORCE_SSL_LOGIN', false);
define('FORCE_SSL_ADMIN', false);
3. In the nginx config file, in the port-80 server block, add the automatic redirect to HTTPS on the last line:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www;
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ /index.php?$args;
}
# other configuration
include snippets/well-known;
return 301 https://ashita.top$request_uri; # the only line added in this step
}
4. Rewrite the hard-coded http:// resources in posts. This edits the database directly, so back it up first; it is optional, since the previous step already redirects http to https;
update wp_posts set post_content = replace(post_content, 'http://','https://')
After this, whichever address is visited (https://www.ashita.top, https://ashita.top or http://www.ashita.top), it ends up at https://ashita.top.
6. Automatic certificate renewal
sudo crontab -e
Enter the following and save (I have not been through a renewal yet, so I have not verified that it works)
30 2 * */2 * /usr/bin/certbot renew --quiet --renew-hook "nginx -s reload" >> /var/log/letsencrypt/renew.log
Manual renewal
/usr/bin/certbot renew
Possible issues
In step 4 above, if you follow the reference article's configuration, the result differs in two places:
server_name ashita.top www.ashita.top;
if ($host != "ashita.top") {
return 301 https://ashita.top$request_uri;
}
server_name lists two names, meaning that under HTTPS both ashita.top and www.ashita.top use this block; the problem is that the ssl_certificate, ssl_certificate_key and related certificate settings below are all for ashita.top.
When visiting https://www.ashita.top, it is effectively as if there were no HTTPS certificate: the browser warns that the connection is not secure and never reaches the if statement in the config; only after the user accepts the warning is the if statement reached and the 301 redirect to https://ashita.top performed;
So this situation should occur, and it did occur during debugging, but later it stopped reproducing; it seemed to go away after I changed the WordPress admin backend address in step 5, so I did not go back to reproduce it.
If you do not hit this problem, ignore it; if you do, you can try this approach:
On top of the 5 steps above, generate a second certificate for www.ashita.top and add a second HTTPS server block to the config file; this block captures www.ashita.top and only redirects
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.ashita.top;
root /var/www/;
index index.php index.html index.htm;
charset utf-8;
ssl_certificate /etc/letsencrypt/live/www.ashita.top/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.ashita.top/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.ashita.top/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
return 301 https://ashita.top$request_uri;
}
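A second certificate is one way out; a single certificate that covers both names is the simpler one (certbot accepts several -d options, so -d ashita.top -d www.ashita.top issues one certificate with both names in its Subject Alternative Name list). Either way the root cause is the same: a name in server_name that the certificate was not issued for. The script below is an added example, not part of the original post: it reads the SAN list out of a certificate with openssl and checks every server_name in a vhost file against it, which is exactly the mismatch described in this section. The self-signed certificate and the two config files it creates are constructed for the demonstration; on a real server you would point it at /etc/letsencrypt/live/<domain>/fullchain.pem and the vhost file in /etc/nginx/sites-enabled/.

```shell
#!/bin/sh
# Added example (not from the original post): check that every server_name in an
# nginx vhost file is covered by the certificate's Subject Alternative Names.
# Requires the openssl command line tool (1.1.1 or newer for -ext / -addext).

# cert_hosts CERT: print the DNS names in the certificate's SAN extension, one per
# line. A certificate without a SAN yields nothing: browsers ignore the CN today.
cert_hosts() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' |
        sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# vhost_names CONF: print every name given to a server_name directive, one per
# line, skipping the catch-all '_'.
vhost_names() {
    sed -n 's/^[[:space:]]*server_name[[:space:]]*\(.*\);.*/\1/p' "$1" |
        tr ' ' '\n' |
        sed -n '/^_$/d; /./p'
}

# check_cert_covers CERT CONF: return 0 if every server_name is covered (exactly
# or by a one-label wildcard such as *.ashita.top); otherwise list the gaps and
# return 1.
check_cert_covers() {
    cert="$1"
    conf="$2"
    sans=$(cert_hosts "$cert")
    missing=0
    for name in $(vhost_names "$conf"); do
        wildcard="*.${name#*.}"
        if ! printf '%s\n' "$sans" | grep -qxF -e "$name" -e "$wildcard"; then
            printf 'server_name %s is not covered by %s\n' "$name" "$cert"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

WORKDIR=$(mktemp -d)
CERT="$WORKDIR/fullchain.pem"
GOOD_CONF="$WORKDIR/good.conf"
BAD_CONF="$WORKDIR/bad.conf"

# Constructed sample certificate: self-signed and valid for ashita.top only,
# which is the name set that 'certbot ... -d ashita.top' produces in the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/privkey.pem" -out "$CERT" \
    -subj "/CN=ashita.top" -addext "subjectAltName=DNS:ashita.top" >/dev/null 2>&1

# Constructed vhosts: one matching the certificate, one with the extra www name
# from the reference article's configuration.
printf 'server {\n    listen 443 ssl http2;\n    server_name ashita.top;\n}\n' >"$GOOD_CONF"
printf 'server {\n    listen 443 ssl http2;\n    server_name ashita.top www.ashita.top;\n}\n' >"$BAD_CONF"

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if check_cert_covers "$CERT" "$conf"; then
        printf '%s: every server_name is covered by the certificate\n' "$conf"
    fi
done
```

Run against the real files, a non-zero exit means a browser will show a certificate warning for at least one of the configured hostnames before any redirect in that server block can fire, which is the behaviour described for https://www.ashita.top above.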