# Using a Namecheap SSL Certificate with Nginx

Env:

- VPS: GCE, Ubuntu 16.04, Docker
- DNS, SSL: [Namecheap](https://www.namecheap.com/)
- DNS hosting: [Cloudflare](https://www.cloudflare.com/)

## Step 1. SSL

After purchasing the SSL certificate at [Namecheap](https://www.namecheap.com/), it appears in the Product List **(mine is already activated, so the list is empty here)**.

<img src="https://i.imgur.com/e4IlLIp.png?2" title="source: imgur.com" />

Clicking Manage takes you to this page:

<img src="https://i.imgur.com/alkBQia.png?2" title="source: imgur.com" />

---

## Step 2. Generate the CSR and key

On your machine, run:

```shell=
# -nodes leaves the private key unencrypted so nginx can start without a passphrase;
# keep server.key readable only by root (chmod 600) and never upload it anywhere.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
# output:
# Generating a 2048 bit RSA private key
```

Fill in the prompts as follows (use English alphanumeric characters only; `$city`, `$domain` and `$mail` stand for your own values):

```shell=
Country Name: TW
State or Province Name: NA
Locality Name (city): $city
Organization Name: NA
Organizational Unit Name: NA
Common Name: $domain
Email address: $mail
```

:::info
For "A challenge password" and "An optional company name", just press Enter.
:::

The directory now contains **server.csr** and **server.key**.

```shell=
cat server.csr
```

Copy the following content (**copy the whole green box**):

:::success
-----BEGIN CERTIFICATE REQUEST-----
content
-----END CERTIFICATE REQUEST-----
:::

---

Then paste it into Namecheap:

<img src="https://i.imgur.com/alkBQia.png?2" title="source: imgur.com" />

The web server is Nginx, so pick the second option:

<img src="https://i.imgur.com/TJ0VPb3.png?2" title="source: imgur.com" />

The third step is domain validation. I used DNS here and forgot to take a screenshot.... Next, click Submit:

<img src="https://i.imgur.com/WTw1Ori.png?2" title="source: imgur.com" />

EDIT METHODS lets you change the validation method (mail, http, dns); click the inverted triangle next to it:

<img src="https://i.imgur.com/WF4WOsM.png?3" title="source: imgur.com" />

With DNS validation, Namecheap gives you a HOST and a TARGET:

<img src="https://i.imgur.com/Ro5sVHQ.png?2" title="source: imgur.com" />

Now open [Cloudflare](https://www.cloudflare.com/) and go to the DNS page. **Choose CNAME as the Type, enter HOST as the NAME and TARGET as the Value, then Add Record.**

<img src="https://i.imgur.com/00NnZkn.png?2" title="source: imgur.com" />

After a while you will receive an e-mail saying validation succeeded; download the certificate.

## Step 3. Install the certificate
Upload **dns.ca-bundle** and **dns.crt** to the machine by FTP (put them in your home directory to avoid errors).

Then merge them into a single crt and move it, together with the server.key generated earlier, into the folder that will be mounted into the container:

```shell=
# Leaf certificate first, then the CA bundle (replace example.com with your domain).
# If the .crt has no trailing newline, cat glues its END marker to the bundle's
# BEGIN marker on one line; that is the format error fixed in the next step.
cat example.com.crt example.com.ca-bundle > server.crt
mv server.crt server.key /opt/nginx/conf.d/certs
chmod 600 /opt/nginx/conf.d/certs/server.key   # the private key must stay private
```

**Check that server.crt is correctly formatted**; open it in vim and fix any errors while you are there. The usual problem is `-----END CERTIFICATE-----` and `-----BEGIN CERTIFICATE-----` sharing a line; put each marker on its own line.

```shell=
vim server.crt
```

The correct format is shown below. If it still fails, Google it; there is plenty of information about this error.

:::warning
-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----
:::

Edit the Nginx configuration file /opt/nginx/conf.d/default.conf:

```nginx=
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # `ssl on;` is redundant with `listen ... ssl`; it was deprecated in nginx 1.15
    # and rejected by later releases, so it is omitted here.
    ssl_certificate     /etc/nginx/conf.d/certs/server.crt;  # leaf certificate + CA bundle
    ssl_certificate_key /etc/nginx/conf.d/certs/server.key;
    server_name example.com;  # replace with your domain

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
    error_page 500 502 503 504 /50x.html;
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;  # replace with your domain
    return 301 https://$host$request_uri;  # force http to redirect to https
}
```

Docker-compose.yml:

```yaml=
version: '3'
services:
  nginx_web:
    image: nginx:latest
    container_name: nginx_web
    environment:
      TZ: "Asia/Taipei"
    volumes:
      # nginx:latest reads /etc/nginx/nginx.conf; the /usr/local/openresty path belongs to OpenResty images
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d       # default.conf and certs/ from above
      - ./log:/var/log/nginx
      - ./www:/usr/share/nginx/html
    ports:
      - "8000:80"    # the http->https redirect is reachable only on host port 8000; map "80:80" to catch plain http
      - "443:443"
    expose:
      - 80
      - 443
    command: bash -c "nginx -g 'daemon off;'"
```

[Cloudflare](https://www.cloudflare.com/) could actually handle SSL for us, but I saw Namecheap SSL on sale and couldn't help myself...

:::info
Flexible SSL: partially encrypted connection; you do not need your own certificate. Cloudflare's free SSL is applied with no technical work. The visitor-to-Cloudflare leg is encrypted, but the Cloudflare-to-origin leg is not. Visitors see the green padlock in the browser.

Full SSL: end-to-end encryption; you must have a certificate on your origin, but Cloudflare does not check whether it is self-signed or issued by a trusted third-party CA. Visitors see the green padlock in the browser.

Full SSL (Strict): end-to-end encryption; you must have a certificate on your site, and Cloudflare checks that the origin certificate is signed by a trusted third-party CA (self-signed is not allowed). Visitors see the green padlock in the browser.
:::

Since the site uses the Namecheap certificate, use Full SSL (Strict):

<img src="https://i.imgur.com/eRAG8d3.png?1" title="source: imgur.com" />

Then wait about a day; barring surprises, it will work ~

**Do not repost this article without permission**
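As an added check for the certificate merge in Step 3 (example code, not from the original post): this script joins the leaf certificate and CA bundle in the order nginx expects and flags the framing mistakes that make nginx reject a hand-concatenated server.crt, including the glued END/BEGIN markers described above. All function and constant names are my own, and the certificate bodies are constructed placeholders, not real certificates.

```python
"""Merge a leaf certificate with its CA bundle into one PEM file for nginx's
ssl_certificate, and flag the framing mistakes that make nginx reject it.
Constructed example: the base64 bodies are placeholders, not real certificates."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def normalize_pem(text: str) -> str:
    """Re-emit each certificate with BEGIN/END on their own lines and the
    body wrapped at 64 columns, the layout OpenSSL's PEM reader expects."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        b64 = "".join(body.split())            # drop the original line breaks
        base64.b64decode(b64, validate=True)   # fail early on a corrupted body
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]) + "\n")
    return "".join(blocks)

def merge_chain(leaf_pem: str, bundle_pem: str) -> str:
    """Leaf certificate first, then the intermediates: the order nginx expects."""
    return normalize_pem(leaf_pem) + normalize_pem(bundle_pem)

def find_problems(pem: str) -> list:
    """Return human-readable problems; an empty list means the file is well framed."""
    problems = []
    if END + BEGIN in pem:  # what `cat a.crt b.ca-bundle` yields when a.crt has no final newline
        problems.append("END and BEGIN markers on one line (missing newline between files)")
    if pem.count(BEGIN) != pem.count(END):
        problems.append("unbalanced BEGIN/END markers")
    bodies = BLOCK_RE.findall(pem)
    if len(bodies) < 2:
        problems.append("only one certificate found: the CA bundle is missing")
    for i, body in enumerate(bodies):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"certificate {i} body is not valid base64")
    return problems

def fake_cert(label: str) -> str:
    """Constructed stand-in for a certificate; only the PEM framing matters here."""
    return BEGIN + "\n" + base64.b64encode(label.encode()).decode() + "\n" + END

# Constructed inputs: like many downloaded .crt files, the leaf has no trailing newline.
LEAF_CRT = fake_cert("leaf certificate placeholder")
CA_BUNDLE = fake_cert("intermediate CA") + "\n" + fake_cert("root CA") + "\n"
```

This checks only the PEM framing; to confirm that the key belongs to the certificate, compare the output of `openssl x509 -noout -pubkey -in server.crt` with `openssl pkey -pubout -in server.key`.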