卡尼多隨筆

Know yourself • Experience the world • Create value


Getting a Free SSL Certificate with SSL For Free

A quick record of my whole setup process!

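  1. Go to SSL For Free → click Create Free SSL Certificate → sign up or log in
  2. Click Dashboard on the left → under Create SSL Certificate below, click New Certificate on the right
  3. Under Enter Domains, enter your EC2 instance's Elastic IP Address → Next Step
  4. Since this is the free plan, choose 90-Day Certificate for Validity → Next Step
  5. I don't know what it is, but leaving Auto-Generate CSR turned on seems to be fine → Next Step
  6. At this point Free will show as Selected → Next Step
  7. For Verification Method for [Elastic IP Address], choose HTTP File Upload → some of the following steps are done by following the on-screen instructions
  8. Download Auth File → connect to your EC2 instance → under the project's /public, create the /.well-known/pki-validation/ folder. Command: after cd-ing into public, run mkdir -p .well-known/pki-validation
  9. cd .well-known/pki-validation/ to get inside, then get ready to transfer the file from Download Auth File into it
  10. Open a new terminal on your local machine → run scp -i [/path/to/EC2/XXX].pem [the file you just downloaded].txt ec2-user@[Elastic IP Address]:~ to copy that file into EC2
  11. Back on EC2, cd ~ and run ls, and it really is there → move it into the folder you just created
    mv [the file you just copied over].txt Campus-Program01/students/[path/to]/public/.well-known/pki-validation/
  12. In the Express main program, probably called app.js, remember to add
    app.use(express.static(path.join(__dirname, 'public')));
    You may also need var path = require('path'); before it. This is what lets the other side read that txt file
  13. Go back to the SSL Certificate request page and click the link next to Make sure your file is available under the following link. If the new window shows the contents of the text file, everything has gone well so far → Next Step
  14. Verify Domain → it shows Congratulations, your domains have been verified. This means that our system is issuing your certificate at the moment. This page will refresh automatically every few seconds. → Your certificate has been issued and is ready for installation. To continue, please follow the steps below.
  15. Choose your Server Type, usually either Apache or NGINX; mine is NGINX → Download Certificate (.zip) → Next Step
  16. Follow the steps below to install your certificate → just follow the instructions! From here on I use NGINX as the example; the Apache setup can probably be completed by following the instructions as well
  17. Unzip the zip you just downloaded → copy everything in it to EC2
    scp -i [/path/to/EC2/XXX].pem ca_bundle.crt certificate.crt private.key ec2-user@[Elastic IP Address]:~
  18. Back on EC2 → go to the directory you just copied the files into → cat certificate.crt ca_bundle.crt >> certificate.crt → the message cat: certificate.crt: input file is output file appears; ignore it (cat skips the file it is writing to and still appends ca_bundle.crt)
  19. sudo mv certificate.crt private.key /etc/ssl/
  20. Run history | grep nginx to see where you configured nginx in the first place, then open that file in vim and edit it! (Mine is sudo vim /etc/nginx/nginx.conf)
  21. Add the following! (Be a little careful about where you add it. My port is 3000, hence proxy_pass http://localhost:3000;)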
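    server {
        # "ssl" on the listen lines already enables TLS for this server block.
        # The separate "ssl on;" directive is deprecated since nginx 1.15.0 and
        # rejected from 1.25.1 on, so it is left out here.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # Certificate (with ca_bundle.crt appended) and its private key
        ssl_certificate /etc/ssl/certificate.crt;
        ssl_certificate_key /etc/ssl/private.key;

        server_name _;
        access_log /var/log/nginx/nginx.vhost.access.log;
        error_log /var/log/nginx/nginx.vhost.error.log;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # Forward requests to the Express app listening on port 3000
        location / {
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }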
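  22. sudo service nginx restart to restart the web server
  23. Go back to the ZeroSSL page from the very beginning → Check Certificate → done!
  24. Want to double-check that it really worked?
    Try both http://[Elastic IP Address]/[your path] and https://[Elastic IP Address]/[your path]! If the latter shows a padlock, the setup succeeded!
    (If the latter lands on an error page, look at what /var/log/nginx/nginx.vhost.error.log says and debug from there, one item at a time)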
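
The append in step 18 and the move in step 19 can leave a fused PEM boundary, a missing CA bundle, or a private key that other users can read, and these only surface later in the nginx error log. The script below is an added example, not part of the original post, that checks both files before the restart; the function names and the file name check_tls.sh are assumptions, and the default paths are the ones used above.

```bash
#!/bin/sh
# Added example, not from the original post. Default paths are the ones from
# steps 18-19; the function names are invented for this sketch.

# Count certificates whose BEGIN marker starts its own line.
cert_count() { grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# True when an END marker runs straight into the next BEGIN marker, which
# happens if certificate.crt had no trailing newline before the append.
pem_fused() { grep -q -e 'END CERTIFICATE-*BEGIN CERTIFICATE' "$1"; }

# True when group and other have no permission bits on the key file.
key_is_private() { [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]; }

# True when the certificate's public key equals the private key's public half.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

check_tls_files() {
  cert=${1:-/etc/ssl/certificate.crt}
  key=${2:-/etc/ssl/private.key}
  rc=0
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "FAIL: cannot read $cert or $key (run with sudo?)"; return 2
  fi
  if pem_fused "$cert"; then
    echo "FAIL: END/BEGIN markers share a line in $cert; re-join with a newline"; rc=1
  fi
  n=$(cert_count "$cert")
  if [ "$n" -lt 2 ]; then
    echo "FAIL: only $n certificate(s) start on their own line in $cert"; rc=1
  fi
  if ! key_is_private "$key"; then
    echo "FAIL: $key is accessible to group/other; chown root and chmod 600"; rc=1
  fi
  if command -v openssl >/dev/null 2>&1 && ! key_matches_cert "$cert" "$key"; then
    echo "FAIL: $key does not belong to the first certificate in $cert"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cert and $key look sane; now run: sudo nginx -t"
  return "$rc"
}

# Run the checks only when paths are given, e.g.
#   sudo sh check_tls.sh /etc/ssl/certificate.crt /etc/ssl/private.key
[ "$#" -eq 0 ] || check_tls_files "$@"
```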