HTTPS with Certbot for Nginx on Amazon Linux

Here is how you can set up Certbot for Nginx on Amazon Linux.

Create an EC2 instance on AWS

Make sure that ports 443 (SSL) and 22 (SSH) are open. In these notes we assume we chose to use Amazon Linux.

Install Certbot

$ ssh -i ~/.ssh/my-aws.pem ec2-user@52.193.111.xxx
$ curl -O https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto

Install Nginx

$ sudo yum install nginx -y

(Nginx must be stopped while Certbot runs in standalone mode, because Certbot binds the port itself)
$ sudo service nginx stop

Point your domain at the EC2 instance

You can do this with Route53 or any other domain registrar.

Run Certbot

On Amazon Linux, ec2-user already has /usr/local/bin in its $PATH, so we can simply run the following command:

(become the root user)
$ sudo su -

(Amazon Linux support is currently experimental, so don't forget to add the "--debug" option. The script will update itself when you run it for the first time)
# certbot-auto certonly --standalone --debug -d example.com


(You'll be asked to enter your email address)

(Finally, you'll get a message like the following)

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2016-mm-dd. To obtain a new version of the certificate in
   the future, simply run Certbot again.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Modify the Nginx configuration

The following commands are assumed to be run as root.

# cd /etc/nginx/
# cp nginx.conf nginx.conf.org

(Modify nginx.conf)
# vi nginx.conf

(The diff will be as follows)
# diff nginx.conf nginx.conf.org
85,89c85,117
< server {
< listen 443 ssl;
< listen [::]:443 ssl;
< server_name localhost;
< root /usr/share/nginx/html;
---
> # Settings for a TLS enabled server.
> #
> # server {
> # listen 443 ssl;
> # listen [::]:443 ssl;
> # server_name localhost;
> # root /usr/share/nginx/html;
> #
> # ssl_certificate "/etc/pki/nginx/server.crt";
> # ssl_certificate_key "/etc/pki/nginx/private/server.key";
> # # It is *strongly* recommended to generate unique DH parameters
> # # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
> # #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
> # ssl_session_cache shared:SSL:1m;
> # ssl_session_timeout 10m;
> # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> # ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
> # ssl_prefer_server_ciphers on;
> #
> # # Load configuration files for the default server block.
> # include /etc/nginx/default.d/*.conf;
> #
> # location / {
> # }
> #
> # error_page 404 /404.html;
> # location = /40x.html {
> # }
> #
> # error_page 500 502 503 504 /50x.html;
> # location = /50x.html {
> # }
> # }
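Review bot: `< server_name localhost;` is carried over unchanged from the commented template even though the certificate was issued for example.com; set `server_name example.com;` so the block is selected by the requested host name rather than only because it happens to be the sole server on port 443. Also, because the command is `diff nginx.conf nginx.conf.org` with the modified file first, the `<` lines here are the new configuration and the `>` lines are the backup; swapping the arguments (`diff nginx.conf.org nginx.conf`) would present the change in the usual old-to-new direction.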
91,115d118
< ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
< ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
< # It is *strongly* recommended to generate unique DH parameters
< # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
< #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
< ssl_session_cache shared:SSL:1m;
< ssl_session_timeout 10m;
< ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
< ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
< ssl_prefer_server_ciphers on;
<
< # Load configuration files for the default server block.
< include /etc/nginx/default.d/*.conf;
<

< location / {

< }

<

< error_page 404 /404.html;

< location = /40x.html {

< }

<

< error_page 500 502 503 504 /50x.html;

< location = /50x.html {

< }

< }
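Review bot: `< ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, both deprecated; restrict it to `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the installed nginx and OpenSSL support it). In the same hunk `< #ssl_dhparam "/etc/pki/nginx/dhparams.pem";` stays commented out even though the line above it says unique DH parameters are strongly recommended: either generate the file with the `openssl dhparam` command quoted in that comment and uncomment the directive, or drop the comment so the config does not carry a recommendation it does not follow.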

Let's restart nginx after the change:

# service nginx start

HTTPS is now available!

Let's open https://example.com and check that it really works!
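As an added example, not part of the original guide, here is a small POSIX shell linter that checks a server block for the weak settings the diff above leaves in place (TLS 1.0/1.1, a commented-out ssl_dhparam, server_name localhost, the stock self-signed certificate). The two sample blocks and the dhparam path in the hardened variant are constructed for this demonstration:

```shell
#!/bin/sh
# Added example, not from the original guide: lint an nginx server block for the
# weak settings visible in the diff above. Uses only sed and grep.
# Constructed sample that reproduces the TLS block from the diff.
SAMPLE_CONF='
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'
# Constructed hardened variant (hypothetical dhparam file) that should pass every check.
HARDENED_CONF='
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_protocols TLSv1.2;
}'

# lint_tls_conf <config text>: print one finding per line; exit 0 only if clean.
lint_tls_conf() {
  # Strip comments first so a commented-out directive does not count as present.
  active=$(printf '%s\n' "$1" | sed 's/#.*$//')
  n=0
  if printf '%s\n' "$active" | grep -Eq 'ssl_protocols[^;]*TLSv1([[:space:];]|\.1)'; then
    echo "weak: ssl_protocols still enables TLSv1/TLSv1.1"; n=$((n + 1))
  fi
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]'; then
    echo "weak: ssl_dhparam is missing or commented out"; n=$((n + 1))
  fi
  if printf '%s\n' "$active" | grep -Eq 'server_name[[:space:]]+localhost[[:space:]]*;'; then
    echo "weak: server_name is localhost, not the host the certificate was issued for"; n=$((n + 1))
  fi
  if printf '%s\n' "$active" | grep -Eq 'ssl_certificate[[:space:]]+"?/etc/pki/nginx/server\.crt'; then
    echo "weak: still serving the stock self-signed certificate"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# count_findings <config text>: number of findings, handy for scripting.
count_findings() { lint_tls_conf "$1" | wc -l | tr -d ' '; }

echo "== block from the diff";  lint_tls_conf "$SAMPLE_CONF" || true
echo "== hardened block";       lint_tls_conf "$HARDENED_CONF" && echo "ok: no findings"
```

Run it against your own block with `lint_tls_conf "$(sed -n '/^server {/,/^}/p' /etc/nginx/nginx.conf)"` before restarting nginx.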