[Site-Building Basics Series] 08. Common Configuration: Enabling HTTPS with a Free Let's Encrypt SSL Certificate

The previous article showed how to build an HTTPS site with Alibaba Cloud's SSL service; this article introduces Let's Encrypt's free service for comparison.

Introduction to Let's Encrypt

Let's Encrypt is a free CA issuing X.509 certificates that went live in April 2016 and is already trusted in the root stores of major browser vendors such as Mozilla and Microsoft. Let's Encrypt greatly lowers the barrier to entry for DV certificates and thereby pushes the whole web toward HTTPS; the certificates it actually issues matter far less than what it symbolizes. Official site: https://letsencrypt.org/

Installing a Let's Encrypt Certificate

Here we assume the server environment is Ubuntu 16.0 + Nginx, Typecho has already been installed successfully, and DNS resolution for the domain is configured; in other words, the site is already serving normally over HTTP.

First, install the Let's Encrypt client certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx 

Note: run these commands one line at a time; do not paste the whole block in at once.

During installation you may be prompted to confirm some options; just press Enter to confirm.

Then use certbot --nginx to request and install the certificate. The process is very user-friendly: just follow the tool's prompts step by step. An example session:

root@iZ28m17yr8oZ:/# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ****@qq.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: 3w.typechodev.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for 3w.typechodev.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/typechodev.com for set(['3w.typechodev.com'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/typechodev.com

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://3w.typechodev.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=3w.typechodev.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/3w.typechodev.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/3w.typechodev.com/privkey.pem
   Your cert will expire on 2018-02-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point the SSL certificate has been installed automatically; next we do a quick check:


As you can see, the HTTPS check passes.

Renewing the HTTPS Certificate

As noted when checking SSL above, Let's Encrypt certificates are valid for 3 months, so they must be renewed as they approach expiry; otherwise the SSL certificate becomes invalid.

Renewing the SSL certificate is also very simple; just run the following command:

certbot renew

Of course, we can also add this command to crontab to run once a day, so that we need not worry about the HTTPS certificate expiring because we forgot to renew it.
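As an added example (not from the original post), a stdlib-only Python check to schedule alongside the daily `certbot renew` job: it reads the certificate the server actually serves and reports whether it is inside certbot's 30-day renewal window or already expired. The domain and the expiry date are taken from the session above; the sample data is constructed.

```python
import socket
import ssl
import time

# certbot's default renewal window: `certbot renew` replaces a certificate only
# when fewer than 30 days of validity remain, otherwise it exits without changes.
RENEW_THRESHOLD_DAYS = 30


def days_until_expiry(cert: dict, now: float) -> int:
    """Whole days of validity left in a peer-certificate dict of the form
    returned by ssl.SSLSocket.getpeercert(); `now` is a Unix timestamp."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now) // 86400)


def renewal_status(cert: dict, now: float) -> str:
    """Classify the served certificate for a daily check:
    'expired'   - clients are already getting TLS errors
    'renew-due' - inside certbot's window; a working daily `certbot renew`
                  should have replaced it, so investigate if this persists
    'ok'        - nothing to do"""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < RENEW_THRESHOLD_DAYS:
        return "renew-due"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Retrieve the certificate the server actually presents. This is what a
    browser sees: a renewed file under /etc/letsencrypt/live that nginx has
    not reloaded does not show up here, which is exactly the gap to catch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample built from the expiry date in the article's certbot output
# (2018-02-23); the reference "now" is 2018-01-01 12:00 UTC, 53 days earlier.
SAMPLE_CERT = {"notAfter": "Feb 23 12:00:00 2018 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 01 12:00:00 2018 GMT")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "3w.typechodev.com"  # domain from the article
    cert = fetch_peer_cert(host)
    print(host, renewal_status(cert, time.time()), days_until_expiry(cert, time.time()), "days left")
```

If the status stays `renew-due` for more than a day, the cron job is not running or renewal is failing; check /var/log/letsencrypt/letsencrypt.log, the log path certbot printed above.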

Shortcomings of Let's Encrypt

Let's Encrypt is very convenient to use, but because it has not been around for long (founded only in April 2016), the certificates it issues are not yet trusted on some platforms, for example certain versions of JRE 1.7 or certain versions of Python 2.6. If a site uses a Let's Encrypt certificate but the client runs on JRE 1.7 or Python 2.6, the client may report a certificate error.

Whether to use Alibaba Cloud or Let's Encrypt is a trade-off for each of you to make. If you want Alibaba Cloud's enterprise SSL (higher security, broader compatibility), here is a lucky coupon that may give a certain discount: portal >>

Summary

Compared with Alibaba Cloud's free SSL, Let's Encrypt is very simple to use: issuance and renewal for a site can be completed with little manual intervention, so Let's Encrypt is indeed well suited to small webmasters and bloggers like us.


Copyright notice: reproduction, excerpting, copying or mirroring without written authorization is prohibited. This site reserves all rights against any such acts.

Tags: typecho, security, https, ssl, free certificate, let's encrypt, free ssl certificate, free https. Author: @TypechoDev
