
Site-Building Notes - Adding HTTPS to the domain even though it wasn't really necessary
Site-Building Notes: Setting up a personal blog domain and configuring an SSL certificate
Before you start
Make sure you have purchased a virtual private server (VPS) and a domain name, and that you have already added an A record mapping the domain to the VPS's IPv4 address.
The VPS configuration is as follows:
> neofetch
.-/+oossssoo+/-. root@kakuvps
`:+ssssssssssssssssss+:` ------------
-+ssssssssssssssssssyyssss+- OS: Ubuntu 22.04.4 LTS x86_64
.ossssssssssssssssssdMMMNysssso. Host: VHP pc-q35-7.2
/ssssssssssshdmmNNmmyNMMMMhssssss/ Kernel: 5.15.0-97-generic
+ssssssssshmydMMMMMMMNddddyssssssss+ Uptime: 61 days, 13 hours, 58 mins
/sssssssshNMMMyhhyyyyhmNMMMNhssssssss/ Packages: 908 (dpkg), 5 (snap)
.ssssssssdMMMNhsssssssssshNMMMdssssssss. Shell: zsh 5.8.1
+sssshhhyNMMNyssssssssssssyNMMMysssssss+ Resolution: 1280x800
ossyNMMMNyMMhsssssssssssssshmmmhssssssso Terminal: /dev/pts/0
ossyNMMMNyMMhsssssssssssssshmmmhssssssso CPU: AMD EPYC-Rome (1) @ 1.996GHz
+sssshhhyNMMNyssssssssssssyNMMMysssssss+ GPU: 00:01.0 Vendor 1234 Device 1111
.ssssssssdMMMNhsssssssssshNMMMdssssssss. Memory: 272MiB / 1958MiB
/sssssssshNMMMyhhyyyyhdNMMMNhssssssss/
+sssssssssdmydMMMMMMMMddddyssssssss+
/ssssssssssshdmNNNNmyNMMMMhssssss/
.ossssssssssssssssssdMMMNysssso.
-+sssssssssssssssssyyyssss+-
`:+ssssssssssssssssss+:`
.-/+oossssoo+/-.
The VPS I use was purchased from Vultr; I chose Ubuntu 22.04, 1 CPU core, 2 GB of RAM, a 25 GB disk and 3 TB of traffic. The domain was purchased from Onamae; I chose a free .blog domain and added an A record mapping it to the VPS's IPv4 address. (Onamae is a Japanese domain registrar and web hosting provider; its UI is dated and the user experience is poor. I would rather recommend Cloudflare, GoDaddy or Namecheap, which offer a better domain management interface and a richer set of domain services. Of course, if money is no object, you can also buy VPC, Route53, EC2 and similar services on AWS.)
Configuring the SSL certificate
I use the Let's Encrypt CA to issue and manage SSL/TLS certificates. It automates requesting, installing and renewing certificates, and it is free. Below are the basic steps for obtaining and renewing a certificate for free with Certbot:
Install Certbot
The Certbot installation steps vary by operating system. Below are the installation commands for Ubuntu 22.04:
> sudo apt update
> sudo apt install snapd # Snap is the modern package platform recommended by the Certbot project for installing and managing Certbot
> sudo snap install --classic certbot
> sudo ln -s /snap/bin/certbot /usr/bin/certbot # Link the Certbot executable into a standard path so it can be run directly
Install Nginx
If Nginx is not installed yet, install it with the following commands:
> sudo apt install nginx
> sudo systemctl start nginx
> sudo ufw allow 80 # This port must be open: Let's Encrypt needs to reach port 80 when validating control of the domain
Configure the SSL certificate with Certbot
Certbot provides an Nginx plugin that automatically configures the Nginx server to use the SSL certificate.
> sudo certbot --nginx
Enter your domain name at the prompt, e.g. kakunasa.blog. Certbot will automatically verify ownership of the domain, obtain the certificate and configure Nginx to use it. If this succeeds, you will see output similar to the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): kakunasa.blog
Requesting a certificate for kakunasa.blog
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kakunasa.blog/fullchain.pem
Key is saved at: /etc/letsencrypt/live/kakunasa.blog/privkey.pem
This certificate expires on 2024-08-05.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for kakunasa.blog to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://kakunasa.blog
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you look at the Nginx configuration file, you will find that Certbot has already configured the SSL certificate and a redirect for requests arriving on port 80:
👉🏻 The root /apps/kakunasaBlog/dist; line in the HTTPS server block is my modification pointing to the new site directory; see Site-Building Notes - 1.
# Default server block
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html; # Keep as is or point to a generic landing if needed
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Server block for kakunasa.blog with SSL configuration
server {
    root /apps/kakunasaBlog/dist; # Update to point to the new site directory
    index index.html index.htm; # Simplify the index files
    server_name kakunasa.blog;
    location / {
        try_files $uri $uri/ /index.html; # Update to correctly handle SPA fallback
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/kakunasa.blog/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kakunasa.blog/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# HTTP to HTTPS redirect
server {
    if ($host = kakunasa.blog) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name kakunasa.blog;
    return 404; # managed by Certbot
}
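To confirm that the configuration above actually behaves as described (plain HTTP answered with a 301 onto https://, and the certificate on 443 issued for the domain itself), here is a small POSIX shell checker. It is an added example of my own, not code from the original post or from Certbot. The header and subjectAltName samples at the top are constructed fixtures; verify_site is the live check and assumes curl and openssl 1.1.1 or newer (for x509 -ext) are present on the host.

```shell
#!/bin/sh
# Post-deployment checks for a Certbot-managed Nginx site (added example, not from the post).
# The parsing functions are exercised on the constructed samples below; verify_site()
# runs live and assumes curl and openssl >= 1.1.1 are installed.

# Constructed sample of `curl -sI http://kakunasa.blog/` against the redirect server block
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Location: https://kakunasa.blog/
Content-Length: 178'

# Constructed sample of a plain answer (what you get when the redirect block is missing)
SAMPLE_PLAIN='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html'

# Constructed sample of the list printed by `openssl x509 -noout -ext subjectAltName`
SAMPLE_SAN='    DNS:kakunasa.blog, DNS:www.kakunasa.blog'

http_status() {  # $1 = raw response headers; prints the status code from the status line
  printf '%s\n' "$1" | tr -d '\r' | awk 'NR==1 {print $2}'
}

http_location() {  # $1 = raw response headers; prints the Location value, or nothing
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}'
}

# Returns 0 when the response is a permanent redirect onto https://<domain>/...
redirects_to_https() {  # $1 = domain, $2 = raw response headers
  status=$(http_status "$2"); loc=$(http_location "$2")
  case "$status" in 301|308) ;; *) return 1 ;; esac
  case "$loc" in "https://$1/"*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when the subjectAltName list contains an exact DNS entry for the domain
san_has_domain() {  # $1 = domain, $2 = SAN text like "DNS:a.blog, DNS:www.a.blog"
  printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$1"
}

# Live check against the real server; $1 = domain
verify_site() {
  hdrs=$(curl -sI --max-time 10 "http://$1/") || { echo "FAIL: no answer on port 80"; return 1; }
  if redirects_to_https "$1" "$hdrs"; then
    echo "ok: HTTP redirects to HTTPS"
  else
    echo "FAIL: port 80 answered $(http_status "$hdrs") without an https:// redirect"; return 1
  fi
  san=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | tail -n +2)
  if san_has_domain "$1" "$san"; then
    echo "ok: certificate on port 443 covers $1"
  else
    echo "FAIL: certificate SAN ($san) does not list $1"; return 1
  fi
}

# Usage on the VPS or from any machine with internet access: verify_site kakunasa.blog
```

The redirect test deliberately requires the Location to start with https:// followed by the same domain, so a redirect that sends visitors to a different host, or a 200 served straight over HTTP, is reported as a failure rather than silently accepted.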
Finally, if you open your domain directly, you will see the Nginx default site served with the newly configured SSL certificate.
Pitfalls
Running the Certbot SSL configuration command before installing Nginx
> sudo certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
This error means Certbot could not find the Nginx executable, either because Nginx is not properly installed on the system or because the PATH environment variable does not include Nginx's installation path. Before running the Certbot SSL configuration command, confirm that Nginx is installed by running the following command in a terminal:
> nginx -v
nginx version: nginx/1.18.0 (Ubuntu)
Running the Certbot SSL configuration command before opening port 80 or before mapping the domain to the VPS's IPv4 address
You can enter the domain at the prompt, but Certbot will fail at the stage where it verifies ownership of the domain and obtains the certificate, reporting the following error:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: kakunasa.blog
Type: connection
Detail: ***.***.***.***: Fetching http://kakunasa.blog/.well-known/acme-challenge/*********************************: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
When this happens, it usually indicates a problem with the server configuration or network settings that prevents Let's Encrypt's validation servers from reaching your server to confirm control of the domain.
- Check DNS settings: make sure the DNS record for kakunasa.blog correctly points to your server's public IP address. You can check this with the dig command:
> dig kakunasa.blog
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> kakunasa.blog
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44042
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kakunasa.blog. IN A
;; ANSWER SECTION:
kakunasa.blog. 3600 IN A ***.***.***.*** <= your server's public IP address should appear here
;; Query time: 80 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon May 13 09:28:06 UTC 2024
;; MSG SIZE rcvd: 58
- Check firewall settings: make sure the server's firewall (and any intermediate network device) allows inbound HTTP (port 80) from the outside, because Let's Encrypt needs to reach that port when validating control of the domain.
> sudo ufw allow 80
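The two pitfalls above (no nginx binary, and a DNS record or firewall that keeps Let's Encrypt from reaching port 80) can be caught before running certbot at all. The following pre-flight script is an added example of my own, not part of the original post: it parses the same full dig output format shown above to find the A record, checks ufw status for an ALLOW rule, and checks that nginx is on PATH. It also checks port 443, which the steps above do not open but which HTTPS will need once Certbot deploys the certificate. The dig and ufw samples are constructed (203.0.113.10 is a documentation address); preflight is the live wrapper and assumes dig, ufw and sudo are available. The script cannot know which IP you put in the A record, so you pass it as the second argument.

```shell
#!/bin/sh
# Pre-flight checks before running `certbot --nginx` (added example, not from the post).
# Parsing functions are exercised on the constructed samples below; preflight() runs the
# real tools and assumes dig, ufw and sudo are available on the host.

# Constructed sample of `dig kakunasa.blog` output with a documentation IP as the answer
SAMPLE_DIG='; <<>> DiG 9.18.18 <<>> kakunasa.blog
;; QUESTION SECTION:
;kakunasa.blog.                 IN      A

;; ANSWER SECTION:
kakunasa.blog.          3600    IN      A       203.0.113.10'

# Constructed sample of `sudo ufw status`: SSH and HTTP allowed, HTTPS not yet
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80                         ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)'

# Print every IPv4 A answer from full dig output (comment lines start with ';')
dig_a_answer() {  # $1 = dig output
  printf '%s\n' "$1" | awk '!/^;/ && $3=="IN" && $4=="A" {print $5}'
}

# Returns 0 when one of the A answers equals the expected public IPv4
dns_points_to() {  # $1 = dig output, $2 = expected IPv4
  dig_a_answer "$1" | grep -qxF "$2"
}

# Returns 0 when `ufw status` shows an ALLOW rule for the port ("80" or "80/tcp")
ufw_allows_port() {  # $1 = ufw status output, $2 = port number
  printf '%s\n' "$1" | awk -v p="$2" '($1==p || $1==p"/tcp") && $2=="ALLOW" {ok=1} END {exit !ok}'
}

# Live checks on the VPS; $1 = domain, $2 = the public IPv4 you put in the A record
preflight() {
  rc=0
  if command -v nginx >/dev/null 2>&1; then
    echo "ok: nginx binary found ($(nginx -v 2>&1))"
  else
    echo "FAIL: nginx not installed or not on PATH (Certbot's nginx plugin needs it)"; rc=1
  fi
  if dns_points_to "$(dig "$1" A)" "$2"; then
    echo "ok: $1 resolves to $2"
  else
    echo "FAIL: A record for $1 does not resolve to $2 (got: $(dig +short "$1" A | tr '\n' ' '))"; rc=1
  fi
  ufw_out=$(sudo ufw status)
  case "$ufw_out" in
    "Status: inactive"*)
      echo "note: ufw is inactive, so it does not filter ports 80/443 (check any cloud firewall instead)" ;;
    *)
      for port in 80 443; do
        if ufw_allows_port "$ufw_out" "$port"; then
          echo "ok: ufw allows port $port"
        else
          echo "FAIL: ufw does not allow port $port (80 for the ACME challenge, 443 for HTTPS)"; rc=1
        fi
      done ;;
  esac
  return $rc
}

# Usage on the VPS: preflight kakunasa.blog 203.0.113.10
```

A passing DNS check here only proves that your local resolver sees the new A record; if the record was changed recently, Let's Encrypt's resolvers may still have the old value cached until the TTL (3600 seconds in the output above) expires, so wait that long before retrying certbot after a DNS change.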