Here is how to set up Certbot for Nginx on Amazon Linux.
Create an EC2 instance on AWS
Make sure ports 443 (SSL) and 22 (SSH) are open. Also open port 80: the standalone authenticator used below answers the ACME HTTP-01 challenge on port 80 (Let's Encrypt no longer offers the TLS-SNI-01 challenge that used to run on 443). In these notes we assume Amazon Linux.
Install Certbot
(certbot-auto, used here, has since been discontinued by the EFF; on a current system install certbot from the distribution packages or as a snap and use certbot in place of certbot-auto in the commands below)
$ ssh -i ~/.ssh/my-aws.pem ec2-user@52.193.111.xxx
$ curl -O https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
Install Nginx
$ sudo yum install nginx -y
(Nginx must be stopped while Certbot runs, not during installation: in standalone mode Certbot binds the challenge port itself and fails if nginx already holds it)
$ sudo service nginx stop
Point your domain at the EC2 instance
You can do this with Route53 or any other DNS provider / domain registrar.
Run Certbot
On Amazon Linux, ec2-user has /usr/local/bin in $PATH, so we can simply run the following command:
(become root)
$ sudo su -
(Amazon Linux support is currently experimental, so don't forget to add the "--debug" option. On the first run the script also updates itself)
# certbot-auto certonly --standalone --debug -d example.com
(You'll be asked to enter your email address)
(Finally, you'll get a message like the following)
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2016-mm-dd. To obtain a new version of the certificate in
the future, simply run Certbot again.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Modify the Nginx configuration
The following commands are assumed to run as root.
# cd /etc/nginx/
# cp nginx.conf nginx.conf.org
(Modify nginx.conf)
# vi nginx.conf
(The diff against the backup is as follows; "<" lines are the new nginx.conf, ">" lines the original)
# diff nginx.conf nginx.conf.org
85,89c85,117
< server {
< listen 443 ssl;
< listen [::]:443 ssl;
< server_name localhost;
< root /usr/share/nginx/html;
---
> # Settings for a TLS enabled server.
> #
> # server {
> # listen 443 ssl;
> # listen [::]:443 ssl;
> # server_name localhost;
> # root /usr/share/nginx/html;
> #
> # ssl_certificate "/etc/pki/nginx/server.crt";
> # ssl_certificate_key "/etc/pki/nginx/private/server.key";
> # # It is *strongly* recommended to generate unique DH parameters
> # # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
> # #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
> # ssl_session_cache shared:SSL:1m;
> # ssl_session_timeout 10m;
> # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> # ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
> # ssl_prefer_server_ciphers on;
> #
> # # Load configuration files for the default server block.
> # include /etc/nginx/default.d/*.conf;
> #
> # location / {
> # }
> #
> # error_page 404 /404.html;
> # location = /40x.html {
> # }
> #
> # error_page 500 502 503 504 /50x.html;
> # location = /50x.html {
> # }
> # }
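Review bot: `server_name localhost;` is carried over from the template even though the certificate is issued for example.com; set `server_name example.com;` so the block is selected for the real host name rather than only by being the sole server on 443. The hunk also uncomments only the TLS block: there is no port-80 server returning `301 https://$host$request_uri;`, so http://example.com keeps being answered in clear by whatever port-80 block remains in nginx.conf.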
91,115d118
< ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
< ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
< # It is *strongly* recommended to generate unique DH parameters
< # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
< #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
< ssl_session_cache shared:SSL:1m;
< ssl_session_timeout 10m;
< ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
< ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
< ssl_prefer_server_ciphers on;
<
< # Load configuration files for the default server block.
< include /etc/nginx/default.d/*.conf;
<
< location / {
< }
<
< error_page 404 /404.html;
< location = /40x.html {
< }
<
< error_page 500 502 503 504 /50x.html;
< location = /50x.html {
< }
< }
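Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated TLS 1.0 and 1.1 enabled, and `ssl_ciphers HIGH:...` still admits static-RSA key exchange (no forward secrecy) and DHE suites while `ssl_dhparam` is left commented out. Suggest `ssl_protocols TLSv1.2 TLSv1.3;` (drop the TLSv1.3 token if nginx -t rejects it on an older nginx) and an ECDHE-only cipher list, which also removes the need for the dhparam file the comment asks for, plus `add_header Strict-Transport-Security "max-age=31536000" always;`. The certificate paths under /etc/letsencrypt/live/ are symlinks that Certbot repoints on renewal, so they stay correct, but nginx has to be reloaded after each renewal to pick up the new key and chain.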
Let's start nginx after the change (it was stopped before running Certbot):
# service nginx start
HTTPS is now available!
Open https://example.com and check that it really works. Keep in mind that the certificate is valid for 90 days: renewing with the standalone authenticator again requires nginx to be stopped while Certbot runs, and nginx must be reloaded afterwards to pick up the renewed files.
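The steps after certificate issuance (TLS server block, configuration check, start, renewal) as one script. This is an added example, not code from the original page: it assumes the certificate sits under /etc/letsencrypt/live/<domain>/, that nginx includes /etc/nginx/conf.d/*.conf (as the Amazon Linux nginx package's nginx.conf does), and that renewal reuses certbot-auto's standalone authenticator wrapped in --pre-hook/--post-hook. The function names, the conf.d file name and the cron file name are my own choices. It goes beyond the page's server block by adding an HTTP-to-HTTPS redirect, restricting to TLS 1.2/1.3 with ECDHE suites, and sending HSTS.

```shell
#!/bin/sh
# Added example (not from the original page): render a hardened nginx TLS
# server block for the Let's Encrypt certificate issued above, validate it,
# reload nginx and register a renewal job. Assumptions (mine, not the page's):
# the certificate lives under /etc/letsencrypt/live/<domain>/, nginx includes
# /etc/nginx/conf.d/*.conf, and the renewal hooks use the SysV "service"
# command shown in the tutorial.
set -eu

DOMAIN="${DOMAIN:-example.com}"
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"
CONF_FILE="/etc/nginx/conf.d/${DOMAIN}.conf"

# Print a server block for the given domain and certificate directory.
# Compared with the tutorial's block it matches the real host name instead of
# "localhost", redirects plain HTTP to HTTPS, allows only TLS 1.2/1.3 (drop the
# TLSv1.3 token if "nginx -t" rejects it on an old nginx), uses ECDHE-only
# suites (forward secrecy, no dhparam file needed) and sends HSTS.
render_tls_server_block() {
    domain="$1"
    live="$2"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};
    root /usr/share/nginx/html;

    ssl_certificate ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000" always;

    include /etc/nginx/default.d/*.conf;

    location / {
    }
}
EOF
}

# Cron line for renewal. The standalone authenticator must bind port 80
# itself, so nginx is stopped just before the attempt and started again after;
# the live/ symlinks keep their paths, and the restart makes nginx load the
# renewed files. --debug is kept because the page says Amazon Linux needs it.
render_renew_cron() {
    printf '%s\n' '17 3 * * * root /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --debug --pre-hook "service nginx stop" --post-hook "service nginx start"'
}

# Write the config, check the whole nginx configuration, then reload (or start,
# since the tutorial left nginx stopped). Refuses to run without a certificate
# and removes the new file again if nginx rejects the configuration.
apply_tls_config() {
    if [ ! -r "${LIVE_DIR}/fullchain.pem" ]; then
        echo "no certificate found in ${LIVE_DIR}; run certbot-auto first" >&2
        return 1
    fi
    render_tls_server_block "$DOMAIN" "$LIVE_DIR" > "$CONF_FILE"
    render_renew_cron > /etc/cron.d/certbot-renew
    if ! nginx -t; then
        rm -f "$CONF_FILE"
        echo "configuration rejected by nginx -t; removed ${CONF_FILE}" >&2
        return 1
    fi
    service nginx reload || service nginx start
}

# "sh tls-setup.sh apply" (as root) installs; with no argument the block is
# only printed so it can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    apply_tls_config
else
    render_tls_server_block "$DOMAIN" "$LIVE_DIR"
fi
```

Run it without arguments to review the generated block, then as root with `apply` to install it; set DOMAIN in the environment to use a name other than example.com.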