Free HTTPS certificates: Let's Encrypt
An SSL certificate encrypts the traffic between a website and its visitors; that is what HTTPS is. For a personal blog with no logins and essentially no sensitive data, encryption makes little practical difference. But encryption is clearly where things are heading: browsers now conspicuously flag unencrypted sites, which hurts the visitor experience, and they also give HTTPS more weight. Most importantly, free SSL certificates are available, so why not add one? Let's Encrypt is a free, automated and open certificate authority, with Mozilla among its leading sponsors. Its advantages are that it is free and easy to deploy; the drawback is the short validity period of only 90 days, though tooling exists to renew automatically.
[Update] New installation method
Let's Encrypt has changed its recommended installation method; on Ubuntu, installing via snap is now recommended.
Install snap
After installing, check that it works. Installing hello-world also pulls in the snapd core:
Update snap:
Remove any previously installed Certbot
Install certbot
Create a symlink so that the snap-installed command can be run directly from any location
Verify the certbot installation
Installing a certificate
Obtain the certificate manually via DNS validation, which also makes wildcard domains possible. Note: to make sure zimohan.com itself is covered, you must add zimohan.com in the domain field as well; otherwise the certificate is only for *.zimohan.com and cannot be used for zimohan.com.
Deploying the SSL certificate
According to the official site, the recommended way to deploy the SSL certificate is the Certbot ACME client automation tool. Open that site, choose your web server software and operating system, and the exact steps are shown below, which is very convenient. For my setup I chose Nginx and Ubuntu 18.04. Run the following commands in order to install the tool:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: zimohan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Adding automatic renewal
Let's Encrypt certificates are valid for only 90 days, which is short. Renewing by hand is tedious and easy to forget, which leads to an expired certificate, so set up automatic renewal instead.
If you see the following, automatic renewal is working:
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/zimohan.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Requesting a wildcard certificate
If you have several subdomains, the tutorial above requires requesting a certificate for each one in turn, which is quite time consuming. Let's Encrypt now supports wildcard certificates: one request covers all subdomains. Once the Certbot ACME client is deployed, start with the following command:
The above is interactive manual mode; every step needs our confirmation or input. Below is my own certificate request session, with notes added in some places; use it as a reference.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): zimo@gmail.com # enter your email address
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a # read the agreement at the address above; enter a to agree, c to decline.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # This roughly asks whether you allow your email address to be used for some marketing.
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.zimohan.com zimohan.com
# Enter the domain names. Note that a wildcard domain uses an asterisk. If you want the bare domain to be valid too, you must also enter the bare domain;
# separate multiple domains with commas or spaces.
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zimohan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # enter y to agree
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zimohan.com with the following value:
pbBlB_duALJRTrtxRV8Kpw1YTfMpEQZhHr3kiBMQZE0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# The above asks you to create a TXT record for the domain to prove that you control it.
# Add a TXT record with the "_acme-challenge" prefix and the value "pbBlB_duALJRTrtxRV8Kpw1YTfMpEQZhHr3kiBMQZE0".
# Once the record resolves, press Enter to start verification.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zimohan.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zimohan.com/privkey.pem # the paths where the two certificate files are saved; make a note of them.
Your cert will expire on 2020-05-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal. # the path where the account information is saved; it is a good idea to back up the whole folder.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Problems you may hit when auto-renewing a wildcard certificate
After I had successfully deployed the wildcard certificate, I deleted the TXT record, which caused the subsequent automatic renewal to fail with:
Attempting to renew cert (zimohan.com) from /etc/letsencrypt/renewal/zimohan.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zimohan.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for zimohan.com
http-01 challenge for zimohan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zimohan.com with the following value:
gVXsZ7voD89gY7OlNQuvkBFqFbh1LTD7TLQOisfyy48 # create a TXT record with this value.
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
pKLGMZht6XwaqkobmHoFDKs8bQv_Yv3jUb6pUxbbieU.bdXEHzqkOxyryct5XvGFeY6KinZrKzAWP-192kQJioc
And make it available on your web server at this URL:
http://zimohan.com/.well-known/acme-challenge/pKLGMZht6XwaqkobmHoFDKs8bQv_Yv3jUb6pUxbbieU
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
# Create a file on the website with this content. Pay particular attention to the path.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zimohan.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zimohan.com/privkey.pem
Your cert will expire on 2020-07-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
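The dns-01 and http-01 challenges in the transcripts above follow RFC 8555: the http-01 file body is the key authorization "<token>.<account key thumbprint>", and the dns-01 TXT value is the unpadded base64url SHA-256 of that same key authorization, published at _acme-challenge.<base name>. As an added example (not from the original post or from Certbot), the Python below derives both from a key authorization, reusing the http-01 file content shown above as constructed sample input; the TXT value it computes will not match the page's, because the CA issued a different token for that dns-01 challenge.

```python
# Added example: derive ACME challenge responses (RFC 8555 sections 8.3/8.4).
# Sample input is the http-01 file content from the transcript above; the CA
# used a different token for dns-01, so the TXT value here differs from the page.
import base64
import hashlib
import re

B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_key_authorization(key_authz: str) -> tuple[str, str]:
    """A key authorization is '<token>.<base64url(account key thumbprint)>'."""
    if "." not in key_authz:
        raise ValueError("key authorization must contain a '.'")
    token, thumbprint = key_authz.split(".", 1)
    if not (B64URL_RE.match(token) and B64URL_RE.match(thumbprint)):
        raise ValueError("token and thumbprint must be unpadded base64url")
    return token, thumbprint


def http01_resource(domain: str, key_authz: str) -> tuple[str, str]:
    """URL certbot asks you to serve, and the exact file body (the key authz)."""
    token, _ = split_key_authorization(key_authz)
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authz


def dns01_record(identifier: str, key_authz: str) -> tuple[str, str]:
    """TXT name and value: base64url(SHA-256(key authorization)). A wildcard is
    validated at its base name, so '*.zimohan.com' and 'zimohan.com' both go
    under _acme-challenge.zimohan.com (two TXT values at one name)."""
    split_key_authorization(key_authz)  # reject malformed input early
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authz.encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def looks_like_dns01_value(value: str) -> bool:
    """Sanity check before 'Press Enter': a 32-byte digest is 43 base64url chars."""
    return len(value) == 43 and B64URL_RE.match(value) is not None


# Constructed sample: the http-01 file content shown in the second transcript.
SAMPLE_KEY_AUTHZ = ("pKLGMZht6XwaqkobmHoFDKs8bQv_Yv3jUb6pUxbbieU."
                    "bdXEHzqkOxyryct5XvGFeY6KinZrKzAWP-192kQJioc")
```

Because both the wildcard and the bare name publish under the same _acme-challenge name, deleting the TXT record after issuance (as the post describes) breaks non-interactive renewal; the manual plugin then needs a --manual-auth-hook that recreates the record on each run.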