本文采用GOOGLE 翻译

Let’s Encrypt是一个免费的https证书，您可以将其安装在便宜的VPS上，以获取免费的，经过浏览器验证的https。在本教程中，我们将逐步介绍在Debian 10上运行的Nginx主机上设置“让我们加密https”的过程。

我们将从头开始安装nginx，但不会在本教程中使用php-fpm和其他扩展。我将从Vultr上崭新的VPS开始。

本教程假定您已经设置了DNS记录。换句话说，如果您要设置www.example.com，则www.example.com已经具有指向您的VPS的A记录或CNAME。请注意，我们将使用的certbot安装程序将查询DNS，因此它必须能够正常运行。

安装和设置nginx

直接安装nginx：

apt-get update && apt-get upgrade
apt-get install nginx

我将设置www.lowend.party并将其网络根目录放置在/web/www.lowend.party中。

让我们配置Web根目录和日志目录：

mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party

配置日志和循环
我们希望为我们托管的每个域使用单独的日志，并希望轮换这些日志。我们可以使用Debian的日志轮换系统来完成此任务。为此，我们将适当的规则文件放在/etc/logrotate.d中。从nginx的基本日志轮换规则开始：

cp /etc/logrotated.d/nginx /etc/logrotate.d/nginx_domain_logs

现在编辑/etc/logrotate.d/nginx_domain_logs并进行如下修改：

# change this: /var/log/nginx/*.log { 
# to this:
/var/log/nginx/*/*.log {

设置nginx http
在设置https之前，我们将设置http。我将在/web/www.lowend.party中放置一个占位符index.html：

www.lowend.party works!

现在看一下/ etc / nginx。/ etc / nginx / sites-available应该为我们可能托管的每个站点都有一个文件。然后，我们将符号链接到/ etc / nginx / sites-enabled来打开或关闭特定站点。
让我们通过创建/etc/nginx/sites-available/www.lowend.party创建一个基本的nginx配置：
server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }
}

现在通过以下方式使其生效：
ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party

让我们语法检查该文件：
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

现在重启nginx：
systemctl restart nginx

然后，我访问了http://www.lowend.party并成功看到了我早期创建的HTML。
激活让我们加密

让我们从安装certbot开始，该软件包将为我们设置https并使我们的证书保持最新：
apt-get install certbot python-certbot-nginx

现在为魔术！运行以下命令：
certbot --authenticator webroot --installer nginx

然后进行交互式安装。我的输入以粗体显示：
# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party

(rest snipped)

现在看一下/etc/nginx/sites-available/www.lowend.party：
server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
  if ($host = www.lowend.party) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot

certbot已执行以下操作：
为www.lowend.party提供了SSL认证

在/ etc /中加载了SSL配置

更新了/etc/nginx/sites-available/www.lowend.party，并放置了适当的nginx规则来提供HTTPS服务

还添加了一个条目，以便如果您在http上连接，它将重定向到https

在我的浏览器中转到http://www.lowend.party确认一切正常。