§2024-09-28

Test machine: nwOdroid-N2+, mail.yushei.net, Ubuntu Jammy, wildduck and jitsi-video server with nginx

1. Install Certbot and the nginx plugin:

```bash
$ sudo apt update
$ sudo apt install certbot -y
$ sudo apt install python3-certbot-nginx -y
$ sudo apt install python3-certbot-apache -y   # --> for apache
```
2. Generate a Let's Encrypt certificate using Certbot:

```bash
$ sudo certbot --nginx -d yushei.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): rai.sousuke@mac.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for yushei.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yushei.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yushei.net/privkey.pem
This certificate expires on 2024-12-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Could not install certificate

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
 certbot install --cert-name yushei.net

Could not automatically find a matching server block for yushei.net. Set the `server_name` directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

Fix: Certbot's nginx installer needs a server block whose `server_name` matches the requested domain, so change the `server_name` directive (it was `localhost`):

```bash
$ cat /etc/nginx/sites-enabled/upstream-80
```

```nginx
server {
    # listen 80 http;
    listen 80;
    server_name yushei.net www.yushei.net;  # <-- was: server_name localhost;

    # ssl_certificate /etc/letsencrypt/live/munetaka.me/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/munetaka.me/privkey.pem;

    location / {
        root /usr/share/nginx/html/;
        index index.html;
    }
}
```
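Certbot's error above means its nginx installer found no server block whose `server_name` matches the requested domain. As an added check (not Certbot's code and not from the original page), this Python snippet applies nginx's `server_name` matching rules (exact name, `*.`/`.` leading wildcard, `.*` trailing wildcard) to constructed before/after copies of the upstream-80 file and reports which blocks would match a domain; it assumes top-level `server` blocks close with a `}` in column 0, as in the file shown.

```python
import re

# Constructed samples modelled on the page's upstream-80 file: the block that made
# Certbot fail (server_name localhost) and the corrected block.
BEFORE = """server {
    listen 80;
    server_name localhost;
    location / {
        root /usr/share/nginx/html/;
    }
}
"""
AFTER = BEFORE.replace("server_name localhost;", "server_name yushei.net www.yushei.net;")

# Assumption: top-level server blocks close with a '}' in column 0 (nginx itself uses a
# real parser; this is only enough for the check demonstrated here).
SERVER_BLOCK = re.compile(r"server\s*\{(.*?)^\}", re.S | re.M)
SERVER_NAME = re.compile(r"^\s*server_name\s+([^;]+);", re.M)


def server_names(conf: str) -> list[list[str]]:
    """The server_name entries of each top-level server block, in file order."""
    return [[n for m in SERVER_NAME.finditer(b.group(1)) for n in m.group(1).split()]
            for b in SERVER_BLOCK.finditer(conf)]


def name_matches(pattern: str, host: str) -> bool:
    """nginx server_name matching: exact, '*.' / '.' leading wildcard, '.*' trailing wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):   # *.example.com: any subdomain, never the apex
        return host.endswith(pattern[1:])
    if pattern.startswith("."):    # .example.com: the apex and any subdomain
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.endswith(".*"):     # www.example.*: any suffix after the last dot
        return host.startswith(pattern[:-1])
    return host == pattern


def blocks_for_domain(conf: str, domain: str) -> list[int]:
    """Indexes of the server blocks whose server_name covers this domain."""
    return [i for i, names in enumerate(server_names(conf))
            if any(name_matches(n, domain) for n in names)]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", blocks_for_domain(conf, "yushei.net"))
```

Run it against your own file with `blocks_for_domain(open(path).read(), "yushei.net")`; an empty list is the condition that produced the "Could not automatically find a matching server block" message.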

Re-run Certbot; the certificate was already issued, so choose 1 to reinstall it into the now-matching server block:

```bash
alexlai@mail:/etc/nginx/sites-enabled$ sudo certbot --nginx -d yushei.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/yushei.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for yushei.net to /etc/nginx/sites-enabled/upstream-80
Congratulations! You have successfully enabled HTTPS on https://yushei.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Resulting /etc/nginx/sites-enabled/upstream-80 after Certbot's changes. Note that only requests with `$host = yushei.net` are redirected, because the certificate was requested for that name alone; plain-HTTP requests for www.yushei.net fall through to the `return 404`, and https://www.yushei.net would fail name validation since the certificate does not cover it.

```nginx
server {
    # listen 80 http;
    server_name yushei.net www.yushei.net;

    # ssl_certificate /etc/letsencrypt/live/munetaka.me/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/munetaka.me/privkey.pem;

    location / {
        root /usr/share/nginx/html/;
        index index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/yushei.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yushei.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = yushei.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name yushei.net www.yushei.net;
    return 404; # managed by Certbot
}
```

> test

```bash
alexlai@mail:/etc/nginx/sites-enabled$ curl http://yushei.net
<html>
<head><title>301 Moved Permanently</title></head>     <-- redirect
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
$ curl https://yushei.net
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```

The output you shared indicates a couple of things about your Nginx configuration for the domain yushei.net.

Suggested Steps to Fix:

Check Nginx Configuration:

Look for the server block for yushei.net in your Nginx configuration files (usually located in /etc/nginx/sites-available/ and symlinked in /etc/nginx/sites-enabled/). Ensure that there’s a server block for both HTTP and HTTPS, and they are configured correctly. Example of a basic configuration:

```nginx
server {
    listen 80;
    server_name yushei.net www.yushei.net;
    return 301 https://$host$request_uri;  # Redirect HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name yushei.net www.yushei.net;

    ssl_certificate /path/to/fullchain.pem;  # Adjust to your certificate path
    ssl_certificate_key /path/to/privkey.pem;  # Adjust to your key path

    location / {
        root /var/www/yushei.net;  # Adjust to your web root
        index index.html index.htm;
    }
}
```

Check for Content:

Ensure that your web content is located in the specified root directory (e.g., /var/www/yushei.net). If there's no index.html or other content files in that directory, you'll continue to see the default Nginx page.

Test Configuration:

After making changes, test your Nginx configuration with:

```bash
sudo nginx -t
```

If the test is successful, reload Nginx to apply the changes:

```bash
sudo systemctl reload nginx
```

Check Firewall Settings:

Ensure that your firewall is allowing traffic on both HTTP (80) and HTTPS (443). By following these steps, you should be able to correctly configure Nginx for your domain and serve your content as expected. If you encounter any errors, please share the specific error messages for further assistance!

You said: If I do not want to redirect?

ChatGPT said: If you don't want to redirect HTTP requests to HTTPS and would like to serve both HTTP and HTTPS without redirection, you can configure your Nginx server blocks accordingly. Here's how you can do that:

Nginx Configuration Without Redirect

Edit Nginx Configuration: Open your Nginx configuration file for your site, typically located in /etc/nginx/sites-available/yushei.net (and symlinked in /etc/nginx/sites-enabled/).

Set Up Both HTTP and HTTPS Server Blocks: Here's an example configuration that serves content over both HTTP and HTTPS without any redirects:

```nginx
server {
    listen 80;
    server_name yushei.net www.yushei.net;

    location / {
        root /var/www/yushei.net;  # Adjust to your web root
        index index.html index.htm;
    }
}

server {
    listen 443 ssl;
    server_name yushei.net www.yushei.net;

    ssl_certificate /path/to/fullchain.pem;  # Adjust to your certificate path
    ssl_certificate_key /path/to/privkey.pem;  # Adjust to your key path

    location / {
        root /var/www/yushei.net;  # Adjust to your web root
        index index.html index.htm;
    }
}
```

Steps to Implement

Check Configuration: Make sure to specify the correct paths for your SSL certificate and key in the HTTPS block. Ensure that the document root (/var/www/yushei.net) contains your content.

Test Nginx Configuration: After making changes, test your Nginx configuration with:

```bash
sudo nginx -t
```

Reload Nginx: If the test is successful, reload Nginx to apply the changes:

```bash
sudo systemctl reload nginx
```

Result: With this setup, your site will be accessible via both http://yushei.net and https://yushei.net without redirecting from one to the other. Users can choose which protocol they want to use.

Note Serving content over HTTP while also offering HTTPS can expose users to potential security risks, as data transmitted over HTTP is not encrypted. Make sure to inform users if your site is available in both formats.

Confirm which services are listening (nginx on 80 and 443):

```bash
$ sudo netstat -tnupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5280            0.0.0.0:*               LISTEN      1207/lua5.2
tcp        0      0 0.0.0.0:5269            0.0.0.0:*               LISTEN      1207/lua5.2
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      1207/lua5.2
tcp        0      0 127.0.0.1:12081         0.0.0.0:*               LISTEN      1211/zone-mta: mast
tcp        0      0 127.0.0.1:12080         0.0.0.0:*               LISTEN      1211/zone-mta: mast
tcp        0      0 127.0.0.1:11333         0.0.0.0:*               LISTEN      1208/rspamd: main p
tcp        0      0 127.0.0.1:11332         0.0.0.0:*               LISTEN      1208/rspamd: main p
tcp        0      0 127.0.0.1:11334         0.0.0.0:*               LISTEN      1208/rspamd: main p
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      95797/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      15265/sshd: /usr/sb
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      95797/nginx: master
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1120/redis-server 1
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      1211/zone-mta: mast
tcp        0      0 127.0.0.1:24            0.0.0.0:*               LISTEN      95973/wildduck
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      95973/wildduck
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      95973/wildduck
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1205/mongod
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1075/systemd-resolv
tcp6       0      0 :::5280                 :::*                    LISTEN      1207/lua5.2
tcp6       0      0 :::5269                 :::*                    LISTEN      1207/lua5.2
tcp6       0      0 :::5222                 :::*                    LISTEN      1207/lua5.2
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      1203/java
tcp6       0      0 ::1:6379                :::*                    LISTEN      1120/redis-server 1
tcp6       0      0 :::25                   :::*                    LISTEN      1206/node
tcp6       0      0 :::22                   :::*                    LISTEN      15265/sshd: /usr/sb
tcp6       0      0 :::8888                 :::*                    LISTEN      1045/java
tcp6       0      0 ::1:11334               :::*                    LISTEN      1208/rspamd: main p
tcp6       0      0 ::1:11333               :::*                    LISTEN      1208/rspamd: main p
tcp6       0      0 ::1:11332               :::*                    LISTEN      1208/rspamd: main p
tcp6       0      0 :::3000                 :::*                    LISTEN      19243/wildduck-www
tcp6       0      0 :::9090                 :::*                    LISTEN      1203/java
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1075/systemd-resolv
udp        0      0 192.168.16.249:68       0.0.0.0:*                           1032/systemd-networ
udp6       0      0 192.168.16.249:10000    :::*                                1203/java
```