本文采用 GOOGLE 翻译

Let’s Encrypt 是一个免费的 https 证书，您可以将其安装在便宜的 VPS 上，以获取免费的，经过浏览器验证的 https。在本教程中，我们将逐步介绍在 Debian 10 上运行的 Nginx 主机上设置“让我们加密 https”的过程。

我们将从头开始安装 nginx，但不会在本教程中使用 php-fpm 和其他扩展。我将从 Vultr 上崭新的 VPS 开始。

本教程假定您已经设置了 DNS 记录。换句话说，如果您要设置 www.example.com，则 www.example.com 已经具有指向您的 VPS 的 A 记录或 CNAME。请注意，我们将使用的 certbot 安装程序将查询 DNS，因此它必须能够正常运行。

安装和设置 nginx

直接安装 nginx：

apt-get update && apt-get upgrade
apt-get install nginx

我将设置 www.lowend.party 并将其网络根目录放置在/web/www.lowend.party 中。

让我们配置 Web 根目录和日志目录：

mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party

配置日志和循环
我们希望为我们托管的每个域使用单独的日志，并希望轮换这些日志。我们可以使用 Debian 的日志轮换系统来完成此任务。为此，我们将适当的规则文件放在/etc/logrotate.d 中。从 nginx 的基本日志轮换规则开始：

cp /etc/logrotated.d/nginx /etc/logrotate.d/nginx_domain_logs

现在编辑/etc/logrotate.d/nginx_domain_logs 并进行如下修改：

# change this: /var/log/nginx/*.log { 
# to this:
/var/log/nginx/*/*.log {

设置 nginx http
在设置 https 之前，我们将设置 http。我将在/web/www.lowend.party 中放置一个占位符 index.html：

www.lowend.party works!

<html<
<head<
<title<www.lowend.party test page</title<
</head<
<body<
<h1<www.lowend.party works!</h1<
</body<
</html<

现在看一下/ etc / nginx。/ etc / nginx / sites-available 应该为我们可能托管的每个站点都有一个文件。然后，我们将符号链接到/ etc / nginx / sites-enabled 来打开或关闭特定站点。

让我们通过创建/etc/nginx/sites-available/www.lowend.party 创建一个基本的 nginx 配置：

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }
}

现在通过以下方式使其生效：

ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party

让我们语法检查该文件：

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

现在重启 nginx：

systemctl restart nginx

然后，我访问了 http://www.lowend.party 并成功看到了我早期创建的 HTML。

激活让我们加密
让我们从安装 certbot 开始，该软件包将为我们设置 https 并使我们的证书保持最新：

apt-get install certbot python-certbot-nginx

现在为魔术！运行以下命令：

certbot --authenticator webroot --installer nginx

然后进行交互式安装。我的输入以粗体显示：

# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party

(rest snipped)

现在看一下/etc/nginx/sites-available/www.lowend.party：

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
  if ($host = www.lowend.party) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot

certbot 已执行以下操作：

为 www.lowend.party 提供了 SSL 认证
在/ etc /中加载了 SSL 配置
更新了/etc/nginx/sites-available/www.lowend.party，并放置了适当的 nginx 规则来提供 HTTPS 服务
还添加了一个条目，以便如果您在 http 上连接，它将重定向到 https
在我的浏览器中转到 http://www.lowend.party 确认一切正常。