
How to Use Let's Encrypt on Debian LNMP

Published: 2025-10-21 15:29:03 | Author: Guest | Category: Hosting News

Prerequisites
Ensure your Debian system has LNMP (Linux + Nginx + MySQL + PHP) installed and running. If not, deploy LNMP using the official guide or package manager (e.g., sudo apt install nginx mysql-server php-fpm). Verify Nginx is active with sudo systemctl status nginx and MySQL is running with sudo systemctl status mysql. Confirm your domain (e.g., example.com) resolves to your server’s public IP via DNS settings.

Step 1: Install Certbot and Nginx Plugin
Certbot is Let’s Encrypt’s official client for automated certificate management. Install it along with the Nginx plugin to simplify integration:

sudo apt update
sudo apt install certbot python3-certbot-nginx

This installs Certbot and the necessary tools to configure Nginx automatically.

Step 2: Obtain and Configure SSL Certificate
Run Certbot with the --nginx flag to handle certificate issuance and Nginx configuration:

sudo certbot --nginx -d example.com -d www.example.com

Replace example.com and www.example.com with your actual domain(s). Certbot will prompt you for:

  • An email address (for renewal reminders and security notices).
  • Agreement to Let’s Encrypt’s terms of service.
  • Whether to redirect HTTP traffic (port 80) to HTTPS (port 443) automatically (recommended for security).

Certbot completes these actions:

  • Downloads certificates to /etc/letsencrypt/live/example.com/ (includes fullchain.pem for public keys and privkey.pem for private keys).
  • Modifies your Nginx site configuration to enable HTTPS (port 443), enforce HTTP-to-HTTPS redirects, and reference the certificate paths.
  • Restarts Nginx to apply changes.

Step 3: Verify Nginx Configuration
Before reloading Nginx, check for syntax errors to avoid downtime:

sudo nginx -t

If the output shows syntax is ok and test is successful, proceed. If errors occur, review the Nginx error log (/var/log/nginx/error.log) and fix issues (e.g., typos in certificate paths).

Step 4: Restart Nginx to Apply Changes
Reload Nginx to activate the new HTTPS configuration without dropping existing connections:

sudo systemctl reload nginx

Alternatively, use sudo systemctl restart nginx to fully restart the service (may briefly interrupt traffic).

Step 5: Test HTTPS Access
Open a browser and navigate to https://example.com. You should see a padlock icon in the address bar, indicating a valid HTTPS connection. Use online tools like SSL Labs’ SSL Test to verify certificate details (e.g., expiration date, encryption protocols).

Step 6: Set Up Automatic Renewal
Let’s Encrypt certificates are valid for 90 days. Certbot automatically creates a cron job or systemd timer to renew certificates before expiration. To test the renewal process (without actually renewing), run:

sudo certbot renew --dry-run

If the test succeeds, Certbot will handle future renewals automatically. No manual intervention is required unless the test fails (e.g., due to DNS changes or network issues).
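
A dry run shows that renewal can work, not that it has kept the live certificate fresh. The script below is an added example, not part of the original article or of Certbot: it turns the notAfter line printed by openssl x509 -enddate into a verdict you can run from cron or a monitoring check. The function names, the 30-day threshold and the sample date are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag a certificate that renewal has not refreshed in time.
# Needs GNU date (the Debian default). Names and threshold are illustrative.

# secs_left "<notAfter=... line>" [now_epoch]: seconds until expiry.
secs_left() {
    sl_date=${1#notAfter=}                 # strip the prefix openssl prints
    [ -n "$sl_date" ] || return 2          # GNU date would read "" as today
    sl_end=$(date -u -d "$sl_date" +%s 2>/dev/null) || return 2
    sl_now=${2:-$(date -u +%s)}
    echo $(( sl_end - sl_now ))
}

# cert_status "<notAfter line>" [threshold_days] [now_epoch]
# Prints a one-line verdict; returns 0 only when the certificate is healthy.
# The 30-day default is an assumed renewal window; adjust it to your setup.
cert_status() {
    cs_days=${2:-30}
    cs_secs=$(secs_left "$1" "${3:-}") || { echo "UNPARSEABLE"; return 2; }
    if [ "$cs_secs" -le 0 ]; then
        echo "EXPIRED"; return 1
    elif [ "$cs_secs" -lt $(( cs_days * 86400 )) ]; then
        echo "RENEWAL_OVERDUE $(( cs_secs / 86400 ))d left"; return 1
    fi
    echo "OK $(( cs_secs / 86400 ))d left"
}

# Constructed sample: one expiry date checked at two fixed points in time.
SAMPLE='notAfter=Jan 19 15:29:03 2026 GMT'
cert_status "$SAMPLE" 30 1763652543 || true   # 60 days before expiry
cert_status "$SAMPLE" 30 1767108543 || true   # 20 days before expiry

# On the server, feed it the live certificate from Step 2:
#   cert_status "$(sudo openssl x509 -enddate -noout \
#       -in /etc/letsencrypt/live/example.com/fullchain.pem)"
```

A non-zero exit status lets a cron wrapper or monitoring agent raise an alert when renewal has silently stopped working.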

Optional: Manual Nginx SSL Configuration
If you prefer customizing SSL settings (e.g., enabling HTTP/2, adjusting cipher suites), edit your Nginx site configuration (typically at /etc/nginx/sites-available/example.com). Replace the default HTTPS block with this optimized template:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;  # Force HTTP to HTTPS
}

server {
    listen 443 ssl http2;  # Enable HTTP/2 for better performance
    server_name example.com www.example.com;

    # SSL Certificate Paths
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Optimized SSL Settings (from Let's Encrypt)
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Website Root and PHP Handling
    root /var/www/example.com;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;  # Handle static files
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;  # PHP-FPM integration
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;  # Adjust PHP version if needed
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Security: Deny access to .htaccess files
    location ~ /\.ht {
        deny all;
    }
}

After editing, test the configuration (sudo nginx -t) and reload Nginx (sudo systemctl reload nginx).
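
nginx -t only validates syntax; it will not notice a hand-edited file that serves cert.pem (which omits the intermediate certificates) or that has lost the redirect. The lint below is an added example, not part of the original article or a Certbot or Nginx tool: it checks a site file for the TLS settings used in the template above. The function names audit_tls_conf and sample_weak_conf and the weak sample configuration are constructed for the illustration.

```shell
#!/bin/sh
# Added example: lint an Nginx site file for the TLS settings in the template.
# Function names and the list of checks are illustrative.

# audit_tls_conf FILE: prints one "FAIL: ..." line per missing setting and
# returns the number of failures (0 means every check passed).
audit_tls_conf() {
    # Strip comments so a commented-out directive does not count as present.
    at_conf=$(sed 's/#.*//' "$1") || return 255
    at_fails=0
    at_check() {  # at_check "<description>" "<extended regex>"
        if ! printf '%s\n' "$at_conf" | grep -Eq "$2"; then
            echo "FAIL: $1"
            at_fails=$((at_fails + 1))
        fi
    }
    at_check "TLS listener on port 443" 'listen[[:space:]]+[^;]*443[^;]*ssl'
    at_check "ssl_certificate should be fullchain.pem (leaf + intermediates)" \
        'ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem;'
    at_check "ssl_certificate_key should be privkey.pem" \
        'ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem;'
    at_check "include of options-ssl-nginx.conf" \
        'include[[:space:]]+/etc/letsencrypt/options-ssl-nginx\.conf;'
    at_check "HTTP to HTTPS 301 redirect" 'return[[:space:]]+301[[:space:]]+https://'
    return "$at_fails"
}

# Constructed weak config: serves cert.pem, has no redirect, include commented out.
sample_weak_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
}
EOF
}

tmp=$(mktemp) && sample_weak_conf > "$tmp"
audit_tls_conf "$tmp" || echo "$? setting(s) differ from the template"
rm -f "$tmp"
```

Run audit_tls_conf against /etc/nginx/sites-available/example.com after each manual edit, alongside sudo nginx -t.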

Troubleshooting Tips

  • Certificate Not Issued: Ensure your domain resolves to the server’s IP and ports 80/443 are open in your firewall (e.g., sudo ufw allow 'Nginx Full').
  • Nginx Syntax Errors: Check the error log (/var/log/nginx/error.log) for details and fix typos in the configuration file.
  • Renewal Failures: Run sudo certbot renew --dry-run to diagnose issues. Common causes include expired domains or changed DNS records.
