Let's Encrypt:用免费的 SSL 证书,让网站支持 HTTPS

2017121310020674
申请 Let’s Encrypt 提供的免费 SSL 证书,配置网站使用 HTTPS,让网站应用更安全。直接在运行网站的服务器上去申请 SSL 证书更方便一些,你也可以在一台服务器上去为在其它服务器上运行的网站申请 SSL 证书,这需要做额外的验证。操作都非常简单,不用紧张:)
我在一台 CentOS  7 服务器上申请了 Let’s Encrypt 签发的 SSL 证书,我的网站的 Web 服务器用的是 Nginx。

安装 EPEL 仓库

在 CentOS 的 EPEL 仓库里可以找到签发 Let’s Encrypt 证书用的工具。所以先安装一下这个仓库,执行:

sudo yum install epel-release -y

安装签发证书工具

用 Certbot 工具申请 Let’s Encrypt 证书,先安装一下:

sudo yum install certbot-nginx

运行 certbot 工具时报错:

ImportError: No module named 'requests.packages.urllib3'

执行下面的命令解决了上面的问题:

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

申请证书

网站运行在申请 SSL 证书用的服务器上

你要申请 SSL 证书的主机名已经指向了申请用的服务器的 IP 地址,在服务器上用的是 Nginx Web 服务器。保证 Nginx 正在运行,并且已经配置好了 Nginx ,绑定上了要申请 SSL 证书的主机名。就是你应该在 Nginx 的配置里面,有一个配置是为要申请 SSL 证书的主机名准备的。
一开始我们在服务器上安装的 Certbot 可以自动修改指定主机名的 Nginx 配置,为主机名申请证书,下载证书,并且会自动修改 Nginx 的配置,让它支持 HTTPS。
执行:

sudo certbot --nginx

Certbot 会自动查找当前服务器上的 Nginx 里面的虚拟主机。提示:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: ninghao.co
2: ninghao.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

比如我的服务器上有两个 Nginx 虚拟主机,上面会提示想给哪个主机名申请 SSL 证书,输入序号选择,或留为空白直接回车选择所有。验证成功,Let’s Encrypt 就会立即给你签发 SSL 证书,并且会自动修改主机的 Nginx 配置,让它支持 HTTPS。过程中会提示:

Deployed Certificate to VirtualHost /etc/nginx/conf.d/ninghao.org.conf for set(['ninghao.org'])
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

意思是,想不想把 HTTP 的请求重定向到 HTTPS ,如果选择 Redirect,Certbot 会自动在主机的 Nginx 配置里添加重定向用的配置。成功以后会提示:

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://ninghao.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ninghao.org
-------------------------------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ninghao.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ninghao.org/privkey.pem
   Your cert will expire on 2018-03-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

上面会告诉你申请的 Let’s Encrypt 证书保存的位置,一般是在:

/etc/letsencrypt/live/主机名

再打开网站的 Nginx 配置检查一下,配置里会有一些东西是 Certbot 自动添加的,配置的后面都会有注释 managed by Certbot

server {
  listen       80;
  server_name  ninghao.org;
  root         /mnt/web;
  index        index.php index.html index.htm;
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/ninghao.org/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/ninghao.org/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  if ($scheme != "https") {
    return 301 https://$host$request_uri;
  } # managed by Certbot
}

如果你只想为跟 Nginx 绑定的主机名申请证书,不想让 Certbot 修改 Nginx 的配置,可以执行:

sudo certbot --nginx certonly

网站运行在申请 SSL 证书以外的服务器上

我们在一个 CentOS 服务器上,也可以为运行在其它服务器上的网站申请 Let’s Encrypt 证书,只需要多做一步验证。
执行:

sudo certbot certonly --manual

提示让你输入想要申请证书的主机名:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): ninghao.net

继续又会提示要记录服务器的 IP 地址,是不是同意这样:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ninghao.net
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

下面要做一步验证,把一串字符放在指定的文件里,而且要用指定的路径可以访问到这个文件,这样就可以完成验证了。

Create a file containing just this data:
KIad2acPdKiF5pLpjlv4fK19PJDchhO7ClJZI_P3zbw.dfvuyqod4KGCve8xM-wotdjimoIXlfb6a4dkaSFN7LI
And make it available on your web server at this URL:
http://ninghao.net/.well-known/acme-challenge/KIad2acPdKiF5pLpjlv4fK19PJDchhO7ClJZI_P3zbw
-------------------------------------------------------------------------------
Press Enter to Continue

一切正常,验证通过就会签发证书:

Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ninghao.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ninghao.net/privkey.pem
   Your cert will expire on 2018-03-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

结语

长沙SEO霜天博客之前用的是在阿里云申请的免费的赛门铁克的证书,最近他们在做业务调整,之前申请的证书不能续约,得等到本月 17 号,不过我的证书在  14 号就过期了,所以就考虑用了 Let’s Encrypt 的证书。另外我在调试应用的时候,在 Chrome 浏览器的控制台上看到,说他们将不信任赛门铁克签发的 SSL 证书了。

发表评论