Secure communication on the Web relies on HTTPS, which requires a digital certificate so that the browser can verify the identity of the web server (is this really google.com?). The web server obtains its certificate from a certificate authority (CA, a trusted third party) that validates control of the domain name. Certbot is an easy-to-use ACME client developed by the EFF; it obtains certificates from Let's Encrypt (an open certificate authority founded with the backing of the EFF, Mozilla and other organisations) and deploys them to the web server.

In this tutorial we walk through using the Certbot tool to obtain an SSL/TLS certificate and configure HTTPS for your own HTTP server and site.

Prerequisites

  • The user you log in to the server as must have sudo privileges
  • A server reachable from the Internet, such as a VPS or another dedicated host
  • A domain name pointing at your server; this example uses www.myfreax.com
  • Your HTTP service must already be reachable by that domain name on port 80 (the http-01 challenge used below depends on it)

If you have not installed an HTTP server yet, see this tutorial on installing Nginx on Ubuntu.

Log in to your server with SSH

Once logged in, every step of this process is carried out with root privileges through sudo, so use rm with care. Type the following command in your terminal to log in to the server (sudo is not needed on the client side; running ssh as root would only make it use root's keys and known_hosts):

ssh myfreax@your-remote-server-ip

The command above prompts for the password of the myfreax user before you can log in to the web server; the prompt looks like this

myfreax@your-remote-server-ip's password: 

If you have set up key-based login you are logged in without a password prompt.

If you or your hosting provider have changed the default SSH port 22 to something else, use the -p option to specify the port. For example, if the port was changed to 23333, type

ssh -p 23333 myfreax@your-remote-server-ip

Add the Certbot PPA / third-party repository

Ubuntu/Debian

The default Ubuntu repositories do not carry a current Certbot package, so the Certbot PPA has to be added first. Type the following commands to configure it. PPAs are an Ubuntu mechanism: on Debian the certbot package is available from the standard repositories and the add-apt-repository lines can be skipped.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Fedora/CentOS7/RedHat7

Because package managers differ between distributions, installing Certbot on CentOS 7 / RHEL 7 requires enabling the EPEL repository first (Fedora ships certbot in its own repositories, so this step is only needed on CentOS/RHEL):

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install Certbot

The two most common web servers are Apache and Nginx; install the Certbot plugin for the one you are running.

Ubuntu/Debian

Type the following command to install the Certbot package

Nginx

sudo apt-get install certbot python-certbot-nginx

Apache

sudo apt-get install certbot python-certbot-apache

Fedora/CentOS7/RedHat7

Nginx

sudo yum install certbot python2-certbot-nginx

Apache

sudo yum install certbot python2-certbot-apache

Configure the SSL certificate

Configuring the certificate is straightforward: run the following command to obtain a certificate and let Certbot edit your Nginx configuration automatically. A single step enables HTTPS.

sudo certbot --nginx -d www.myfreax.com

If you use Apache as your HTTP server, run the following command instead; Certbot will edit your Apache configuration to enable HTTPS.

sudo certbot --apache -d www.myfreax.com

When you run Certbot for the first time it asks for an e-mail address (enter one you check regularly; it is used to warn you before the certificate expires and for security notices), asks you to agree to the Let's Encrypt subscriber agreement, and asks whether HTTP should be redirected to HTTPS. The output of obtaining a certificate looks like this

sudo certbot --nginx -d www.myfreax.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): (enter your e-mail address)
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a    (agree to the terms of service)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y    (optional: this shares your address with the EFF for its newsletter, it is not the renewal reminder; n is fine)
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.myfreax.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2    (whether to redirect HTTP to HTTPS; 2 is the secure choice)
No matching insecure server blocks listening on port 80 found.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.myfreax.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.myfreax.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.myfreax.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.myfreax.com/privkey.pem
   Your cert will expire on 2019-10-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
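The interactive session above can be reproduced unattended, which is what you want for provisioning scripts or a second server. Each prompt Certbot showed has a command-line flag. The helper below is an added example for this tutorial, not part of Certbot or of the original page; the domain and e-mail address are placeholders, and the function only prints the command unless RUN_CERTBOT=1 is set, so it is safe to run as a check first.

```shell
#!/bin/sh
# Added example: map Certbot's interactive prompts to flags so the request
# runs unattended. Assumed placeholders: www.myfreax.com, admin@myfreax.com.
set -eu

# certbot_cmd PLUGIN DOMAIN EMAIL [staging]
# Prints the certbot command line for PLUGIN (nginx or apache).
# With "staging" as the fourth argument the request goes to Let's Encrypt's
# staging environment: it issues untrusted test certificates but does not
# consume the production rate limits, so use it while debugging a new host.
certbot_cmd() {
    plugin="$1"; domain="$2"; email="$3"; acme_env="${4:-production}"
    case "$plugin" in
        nginx|apache) ;;
        *) echo "unsupported plugin: $plugin" >&2; return 1 ;;
    esac
    cmd="certbot --$plugin -d $domain"
    cmd="$cmd --non-interactive"   # fail instead of prompting
    cmd="$cmd --agree-tos"         # the (A)gree/(C)ancel prompt
    cmd="$cmd --email $email"      # the e-mail prompt (expiry and security notices)
    cmd="$cmd --no-eff-email"      # decline the EFF newsletter prompt
    cmd="$cmd --redirect"          # option 2: redirect HTTP to HTTPS
    if [ "$acme_env" = "staging" ]; then
        cmd="$cmd --staging"
    fi
    printf '%s\n' "$cmd"
}

# Print the command by default; execute it only when RUN_CERTBOT=1 is set:
#   RUN_CERTBOT=1 sh request-cert.sh staging   # test run, untrusted cert
#   RUN_CERTBOT=1 sh request-cert.sh           # real certificate
cmd=$(certbot_cmd nginx www.myfreax.com admin@myfreax.com "${1:-production}")
if [ "${RUN_CERTBOT:-0}" = "1" ]; then
    echo "running: $cmd"
    sudo $cmd
else
    echo "would run: $cmd"
fi
```

Run the staging variant first on a new host: a failed http-01 challenge against production still counts towards Let's Encrypt's failed-validation limit, while staging lets you fix DNS or firewall problems without burning it.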

Renew the certificate automatically with Certbot

Let's Encrypt certificates expire after 90 days, so they would otherwise have to be renewed by hand regularly. The Certbot packages, however, ship a cron job or systemd timer that renews certificates before they expire, so unless you change your configuration you never need to run Certbot by hand again. You can test that automatic renewal works with the following command (a dry run that talks to the staging environment and does not touch your live certificates):

Ubuntu/Debian

sudo certbot renew --dry-run

The dry run itself installs nothing; the scheduled job comes with the certbot package. Confirm that it exists by looking in these locations, or by listing the systemd timers:

/etc/crontab   # system cron table
/etc/cron.*/*  # package-installed cron jobs, e.g. /etc/cron.d/certbot
systemctl list-timers   # shows certbot.timer on systemd hosts

Fedora/CentOS7/RedHat7

On Fedora/CentOS 7/RHEL 7 the following command adds a cron entry that attempts renewal twice a day, after a random delay of up to an hour so that many hosts do not hit the CA at the same moment:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null

Verify the HTTPS certificate

To confirm that your site is set up correctly, open https://www.myfreax.com/ in a browser and look for the lock icon in the address bar.
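The lock icon only tells you that the browser is happy today. For the renewal section above and for this verification step, a practitioner also wants a local check that the certificate Certbot saved is the one actually being served and that it is not close to expiry, because a stalled timer will only be noticed when the site breaks. The script below is an added example, not part of Certbot or of the original tutorial; it uses only openssl and assumes Certbot's default /etc/letsencrypt/live/<domain> layout (fullchain.pem and privkey.pem).

```shell
#!/bin/sh
# Added example: local sanity checks on a Certbot live directory.
# Assumes Certbot's default layout; adjust the paths if yours differs.
set -eu

# cert_valid_for_days CERT DAYS
# Returns 0 if the certificate in CERT is still valid for at least DAYS more
# days. openssl's -checkend exits 1 when the certificate expires within the
# window, so 30 days matches the threshold at which Certbot renews.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# key_matches_cert CERT KEY
# Returns 0 when KEY is the private key the certificate was issued for (same
# public key). A mismatch, typically after a manual edit of the vhost that
# points ssl_certificate_key at an old key, makes the TLS handshake fail.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_names CERT
# Prints the subject and the subjectAltName list so you can see that every
# hostname you expect (www.myfreax.com here) is actually covered.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "    (no subjectAltName extension present)"
}

# check_live_dir DIR
# Runs all checks on a Certbot live directory; returns 0 only if all pass.
check_live_dir() {
    dir="$1"
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    status=0
    if cert_valid_for_days "$cert" 30; then
        echo "OK   certificate valid for more than 30 days"
    else
        echo "WARN certificate expires within 30 days or has expired; check the renewal timer"
        status=1
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"
        status=1
    fi
    cert_names "$cert"
    return $status
}

# Usage on a real host (root is needed to read privkey.pem):
#   sudo sh check-cert.sh /etc/letsencrypt/live/www.myfreax.com
if [ $# -eq 1 ]; then
    check_live_dir "$1"
fi
```

The same checks work on what the server actually presents: pipe `openssl s_client -servername www.myfreax.com -connect www.myfreax.com:443 </dev/null` through `openssl x509` and feed the result to cert_valid_for_days, which catches the case where the files on disk were renewed but the web server was never reloaded.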

That is all: you now know how to add an HTTPS certificate to your own domain. If you like our content, you can donate via the QR code below or click an ad to support us. Thank you for your support.
