## 1. Overview of Core Concepts
An HTTPS certificate encrypts the traffic between the server and the client and raises the security of the site. On an Ubuntu server, the common ways to obtain and configure a certificate are:
- Let's Encrypt free certificate (recommended; renews automatically)
- Self-signed certificate (for testing only; not trusted by browsers)
- Paid certificate (commercial use; widely trusted)
## 2. Obtaining a Certificate
### 2.1 Let's Encrypt free certificate (Certbot)
#### Install Certbot
```bash
sudo apt update
sudo apt install certbot python3-certbot-nginx    # Nginx users
sudo apt install certbot python3-certbot-apache   # Apache users
sudo apt install certbot                          # generic (standalone) version
```
#### Obtain the certificate
- Nginx users:
```bash
sudo certbot --nginx -d example.com -d www.example.com
```
- Apache users:
```bash
sudo certbot --apache -d example.com -d www.example.com
```
- Generic version (manual configuration):
```bash
sudo certbot certonly --standalone -d example.com -d www.example.com
```
Note that `--standalone` starts its own temporary web server on port 80 to answer the validation challenge, so any web server already listening on port 80 must be stopped for the duration of the command.
### 2.2 Self-signed certificate (testing only)
#### Generate a self-signed certificate
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/example.key -out /etc/ssl/certs/example.crt
```
- Enter the requested details (country, province, domain name, etc.)
## 3. Nginx Server Configuration
### 3.1 Edit the Nginx configuration file
```bash
sudo nano /etc/nginx/sites-available/example.com
```
### 3.2 Configure HTTPS (Let's Encrypt certificate)
```nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Let's Encrypt certificate paths
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS header (optional)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Site root directory
    root /var/www/example.com;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```
### 3.3 Test the configuration and restart Nginx
```bash
sudo nginx -t                   # test the configuration
sudo systemctl restart nginx    # restart Nginx
```
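As an added defender's check (my own example, not code from the original tutorial): a small Python audit that reads an Nginx `server` block and flags the weak choices that the section 3.2 configuration is written to avoid, namely legacy protocol versions, weak cipher entries, session tickets left on, and a missing HSTS header. The two configuration strings are constructed samples, and the parser handles only simple `name value;` lines, not every form of Nginx syntax.

```python
# Constructed sample: a weakened version of the section 3.2 server block, so the audit has something to flag.
WEAK_CONF = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:!aNULL:RC4-SHA';
    ssl_session_tickets on;
}
"""

# Constructed sample mirroring the hardened settings shown in section 3.2.
HARDENED_CONF = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")

def directives(conf):
    """Yield (name, value) for each 'name value;' line, skipping comments and braces."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip()

def audit_nginx_tls(conf):
    """Return a list of findings for one server block; an empty list means it passes."""
    pairs = list(directives(conf))
    last = dict(pairs)  # for single-valued directives the last occurrence wins
    findings = []
    protos = set(last.get("ssl_protocols", "").split())
    if legacy := sorted(protos & LEGACY_PROTOCOLS):
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if "TLSv1.3" not in protos:
        findings.append("TLSv1.3 not enabled")
    ciphers = last.get("ssl_ciphers", "").strip("'\"").split(":")
    if weak := [c for c in ciphers if not c.startswith("!") and any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]:
        findings.append("weak cipher entries: " + ", ".join(weak))
    if last.get("ssl_session_tickets", "on") != "off":  # nginx default is on
        findings.append("ssl_session_tickets is on; set it off as in the section 3.2 block")
    if not any(n == "add_header" and v.startswith("Strict-Transport-Security") for n, v in pairs):
        findings.append("no Strict-Transport-Security header")
    return findings
```

Run it against the real file (for example `audit_nginx_tls(open('/etc/nginx/sites-available/example.com').read())`) after editing and before `nginx -t`, so a regression in the TLS settings is caught before the server is restarted.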
## 4. Apache Server Configuration
### 4.1 Edit the Apache configuration file
```bash
sudo nano /etc/apache2/sites-available/example.com.conf
```
### 4.2 Configure HTTPS (Let's Encrypt certificate)
```apache
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    # Let's Encrypt certificate paths
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Security settings
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on

    # HSTS header (optional; requires mod_headers)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Site root directory
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
    CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined
</VirtualHost>
```
### 4.3 Enable the SSL module and restart Apache
```bash
sudo a2enmod ssl                  # enable the SSL module
sudo a2enmod headers              # enable mod_headers, needed for the Header directive (HSTS)
sudo a2ensite example.com.conf    # enable the site configuration
sudo systemctl restart apache2    # restart Apache
```
## 5. Automatic Certificate Renewal
### 5.1 Let's Encrypt certificate renewal
Certbot renews certificates automatically by default; the renewal process can be tested with:
```bash
sudo certbot renew --dry-run    # test renewal without changing anything
```
### 5.2 Self-signed certificate renewal
A self-signed certificate must be renewed manually by generating a new one:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/example.key -out /etc/ssl/certs/example.crt
```
## 6. Frequently Asked Questions
**Q1: HTTPS cannot be reached after the certificate is installed?**
A: Check that the firewall allows port 443:
```bash
sudo ufw allow 443/tcp
sudo ufw reload
```
**Q2: Let's Encrypt certificate renewal fails?**
A: Check the state of the Certbot timer, then renew manually:
```bash
sudo systemctl status certbot.timer
sudo certbot renew    # manual renewal
```
**Q3: The self-signed certificate is not trusted by the browser?**
A: A self-signed certificate is intended for testing only; for production, use Let's Encrypt or a paid certificate.
**Q4: How do I configure HSTS?**
A: Add the HSTS header to the Nginx or Apache configuration, as shown in the examples in this article.
## 7. Summary
The key steps for configuring an HTTPS certificate on an Ubuntu server are: obtain a certificate (Let's Encrypt is recommended), configure the web server (Nginx or Apache), and set up certificate renewal. A properly configured HTTPS deployment raises the site's security and prevents traffic from being eavesdropped.
Note: this article was written against Ubuntu 22.04, Nginx 1.18, Apache 2.4 and Certbot 1.21; adjust the specifics to your own environment.