Free HTTPS certificates: Let's Encrypt

An SSL certificate encrypts the traffic between a website and its users, which is what HTTPS means. For a personal blog with no logins there is basically no sensitive information, so whether or not it is encrypted makes little difference. Still, encryption is clearly the way things are going: browsers now visibly flag sites that are not encrypted, which hurts the user experience, and they give HTTPS more weight in ranking. Most importantly, free SSL certificates are available, so why not add one? Let's Encrypt is a free, automated and open certificate authority, with Mozilla as one of the organizations behind it. Its advantages are that it is free and easy to deploy; the drawback is the short validity period of only 90 days, although tooling exists to renew automatically.

Deploying the SSL certificate

According to the official site, the recommended way to deploy an SSL certificate is the Certbot ACME client. Open that site, pick the web server and operating system you use, and the exact steps are shown below it; very convenient. For my setup I chose Nginx and Ubuntu 18.04. Run the following commands in order to install the tool:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

Starting Certbot

sudo certbot --nginx

The following prompt appears; enter your email address and press Enter.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Next it asks you to read the Terms of Service; enter A to agree:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

The next prompt asks whether you are willing to receive their emails: Y to accept, N to decline:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

Then it asks which sites to enable HTTPS for; enter the corresponding numbers, or just press Enter to deploy to all of them.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: zimohan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

Since I only have zimohan.com here, I entered 1. Next it asks whether to redirect all HTTP traffic to HTTPS: option 1 does not redirect, option 2 does. I chose to redirect everything.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

Deployment is done; now try it out by entering https:// followed by your domain. In my case it is https://zimohan.com, and a lock icon now appears on the left of the address bar.

Adding automatic renewal

Let's Encrypt certificates are valid for only 90 days, which is very short. Renewing by hand is both a hassle and easy to forget, letting the certificate expire, so set up automatic renewal instead.

sudo certbot renew --dry-run

If you see the following text, automatic renewal is OK.

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/zimohan.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Requesting a wildcard certificate

If you have several subdomains enabled, the tutorial above requires requesting a certificate for each one, which is quite time-consuming. Let's Encrypt now supports wildcard certificates: one request covers all subdomains. Once the Certbot ACME client is installed, start with the following command:

sudo certbot certonly --manual --cert-name zimohan.com

The above is the interactive manual mode, where every step must be confirmed or typed by us. Below is my certificate request session, with comments added in places; follow along with it.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): zimo@gmail.com #enter your email address

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a #read the agreement at the address above; enter a to agree, c to decline.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y #this is roughly asking whether they may use your email address for some marketing.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): *.zimohan.com zimohan.com
#Enter the domain names. Note that the wildcard uses an asterisk. If you also want the apex domain (zimohan.com itself) covered, enter it too,
#separating multiple domains with commas or spaces.
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zimohan.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y #输入y同意

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zimohan.com with the following value:

pbBlB_duALJRTrtxRV8Kpw1YTfMpEQZhHr3kiBMQZE0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# The above asks you to add a TXT record for the domain to prove you control it.
# Add a TXT record with the "_acme-challenge" prefix whose value is "pbBlB_duALJRTrtxRV8Kpw1YTfMpEQZhHr3kiBMQZE0".
# Once the record resolves, press Enter to start verification.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zimohan.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zimohan.com/privkey.pem #the paths where the two certificate files are kept; remember them.
   Your cert will expire on 2020-05-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal. #the path where the account data is kept; back up the whole directory.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Problems you may hit with automatic renewal of the wildcard certificate

After I had successfully deployed the wildcard certificate earlier, I deleted the TXT record, which caused the later automatic renewal to fail with:

Attempting to renew cert (zimohan.com) from /etc/letsencrypt/renewal/zimohan.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
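The PluginError above is certbot's way of saying that, when `certbot renew` runs from a timer, the manual plugin has nobody to publish the DNS TXT record for it. The script below is an added example, not part of the original post, of a `--manual-auth-hook` that certbot calls in place of the interactive prompt; it assumes `dig` is installed and uses `publish_acme_txt` as a hypothetical placeholder for your DNS provider's API call.

```shell
#!/bin/sh
# Added example (not from the original post): a --manual-auth-hook for
# certbot's manual DNS-01 challenge, so a wildcard cert can renew
# non-interactively. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
# to the hook, and calls it once per name (zimohan.com and *.zimohan.com
# both validate under _acme-challenge.zimohan.com, so two TXT values coexist).

# Pure check: is EXPECTED among the TXT values as printed by `dig +short`
# (each wrapped in double quotes)? Kept free of network so it is testable.
acme_txt_present() {
  expected="$1"; shift
  for v in "$@"; do
    v=${v#\"}; v=${v%\"}          # strip dig's surrounding quotes
    [ "$v" = "$expected" ] && return 0
  done
  return 1
}

# Poll a public resolver until the record is visible, so the CA does not
# look it up before it has propagated ("verify the record is deployed").
wait_for_acme_txt() {
  name="_acme-challenge.$1"; expected="$2"; tries="${3:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    # word-splitting dig's one-value-per-line output is intended here
    if acme_txt_present "$expected" $(dig +short TXT "$name" @1.1.1.1 2>/dev/null); then
      return 0
    fi
    i=$((i + 1)); sleep 10
  done
  echo "TXT record for $name not visible after $tries tries" >&2
  return 1
}

# Hypothetical placeholder: replace with your DNS provider's API or CLI call
# that creates TXT _acme-challenge.$1 with value $2. Fails until replaced.
publish_acme_txt() {
  echo "would create TXT _acme-challenge.$1 = $2 via provider API" >&2
  return 1
}

# Only act when certbot invoked us (the variables are unset otherwise).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  publish_acme_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
  wait_for_acme_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

Once the hook is saved (for example at /etc/letsencrypt/acme-dns-hook.sh, a constructed path), request the certificate once with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/acme-dns-hook.sh -d 'zimohan.com,*.zimohan.com'`; certbot records the hook in the renewal config so later `certbot renew` runs use it instead of prompting.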

So I re-requested the certificate with the following:

certbot certonly --manual -d 'zimohan.com,*.zimohan.com'

The whole process is similar to the wildcard deployment earlier; it is recorded below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zimohan.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for zimohan.com
http-01 challenge for zimohan.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zimohan.com with the following value:

gVXsZ7voD89gY7OlNQuvkBFqFbh1LTD7TLQOisfyy48 # set a TXT record with this value.

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

pKLGMZht6XwaqkobmHoFDKs8bQv_Yv3jUb6pUxbbieU.bdXEHzqkOxyryct5XvGFeY6KinZrKzAWP-192kQJioc

And make it available on your web server at this URL:

http://zimohan.com/.well-known/acme-challenge/pKLGMZht6XwaqkobmHoFDKs8bQv_Yv3jUb6pUxbbieU

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
# Create a new file on the website with this content. Pay particular attention to the path.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zimohan.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zimohan.com/privkey.pem
   Your cert will expire on 2020-07-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Finally, reload the nginx configuration so the new certificate takes effect:

nginx -s reload

Updated: 2020-02-29