Free HTTPS certificates - Let's Encrypt

An SSL certificate encrypts the traffic between a website and its users, which is what HTTPS is. Honestly, for a personal blog with no login and basically no sensitive information, whether or not the traffic is encrypted makes little difference. But encryption is the general trend, browsers now conspicuously flag unencrypted sites, which objectively hurts the experience, and browsers also give HTTPS more weight. Most importantly, free SSL certificates are available, so why not add one? Let's Encrypt is a free, automated and open certificate authority, with Mozilla as one of its lead sponsors. Its advantages are that it is free and easy to deploy; its drawback is the short validity period of only 90 days, although tools exist to renew automatically.

Deploying the SSL certificate

According to the official site, the recommended way to deploy a certificate is the Certbot ACME client, an automation tool. Open the Certbot site and select the web server software and operating system you use; the specific steps are then displayed below, which is very convenient. For my setup I chose Nginx and Ubuntu 18.04. Run the following commands in order to install the tool:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

Starting Certbot

sudo certbot --nginx

The following prompt appears; enter your email address and press Enter.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Next you are asked to read the Terms of Service; enter A to agree:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

The next prompt is, roughly, whether you want to receive their email updates: Y to accept, N to decline:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Next you are asked which sites to deploy the certificate for. Enter the corresponding numbers, or just press Enter to deploy to all of them.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: zimohan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Since zimohan.com is the only one I have, I entered 1. Next it asks whether to redirect all HTTP traffic to HTTPS: option 1 does not redirect, option 2 does. I chose to redirect everything.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Deployment is complete, so now you can try it out: type https:// followed by your domain. Mine is https://zimohan.com, and a lock icon now appears on the left side of the address bar.

Adding automatic renewal

Let's Encrypt certificates are valid for only 90 days, which is very short. Renewing by hand is both a hassle and easy to forget, which leads to an expired certificate, so it is better to set up automatic renewal.

sudo certbot renew --dry-run

If you see the following text, automatic renewal is OK (the certbot package installs a scheduled task that runs certbot renew for you; the dry run confirms that this renewal will succeed).

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/zimohan.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
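The failure mode this section guards against is a scheduled renewal that silently stops working and leaves the certificate to expire. The following monitoring check is an added example, not code from this post or from Certbot: it reads the live fullchain.pem with openssl and flags a certificate that certbot should already have renewed. It assumes openssl is on PATH, the default /etc/letsencrypt/live layout shown above, and certbot's default renewal window of 30 days before expiry.

```python
"""Check how many days remain on a certbot-managed Let's Encrypt certificate.
Added example; the path and threshold below are assumptions (certbot defaults)."""
import ssl
import subprocess
from datetime import datetime, timezone
from typing import Optional, Tuple

# certbot renews once fewer than 30 days remain, so less than that left
# means the scheduled `certbot renew` has most likely been failing.
RENEWAL_THRESHOLD_DAYS = 30
LIVE_DIR = "/etc/letsencrypt/live"  # default location, as in the dry-run output


def parse_not_after(line: str) -> datetime:
    """Parse an `openssl x509 -enddate -noout` line such as
    'notAfter=Jun 15 10:00:00 2024 GMT' into an aware UTC datetime."""
    if not line.startswith("notAfter="):
        raise ValueError(f"unexpected openssl output: {line!r}")
    secs = ssl.cert_time_to_seconds(line[len("notAfter="):].strip())
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def classify(days: int) -> str:
    """Map remaining days to a status a monitoring job can alert on."""
    if days < 0:
        return "expired"
    if days <= RENEWAL_THRESHOLD_DAYS:
        return "renewal-overdue"  # certbot should already have renewed it
    return "ok"


def check_domain(domain: str, now: Optional[datetime] = None) -> Tuple[int, str]:
    """Read the live fullchain.pem for `domain` via openssl and classify it."""
    pem = f"{LIVE_DIR}/{domain}/fullchain.pem"
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", pem],
        check=True, capture_output=True, text=True,
    ).stdout
    not_after = parse_not_after(out.strip().splitlines()[0])
    days = days_remaining(not_after, now or datetime.now(timezone.utc))
    return days, classify(days)


if __name__ == "__main__":
    import sys
    days, status = check_domain(sys.argv[1] if len(sys.argv) > 1 else "zimohan.com")
    print(f"{days} days remaining: {status}")
    sys.exit(0 if status == "ok" else 1)
```

Run it from cron or a systemd timer and alert on a non-zero exit; a status of renewal-overdue means the renewal job needs attention before the 90 days run out.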
