Introduction

Let’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. This post covers the method for using Let’s Encrypt.

This article describes how to obtain a free HTTPS certificate for everyday use on a personal website.

Certbot

Generate cert

Before generating the certificate, make sure every domain is reachable: finish the NGINX configuration first and confirm that each domain that needs SSL is valid. Configuring unusebamboo.com does not necessarily mean that www.unusebamboo.com works as well; that depends on the DNS configuration. The command format for generating a cert is as follows:

sudo certbot certonly --webroot --webroot-path=<.well-known root path configured in NGINX> -d <domain> -d <domain2> -d <domain3>

Below is a test example:

# original main site
sudo certbot certonly --webroot --webroot-path=/home/xinshu/https:/app.ilifediary.com -d app.ilifediary.com -d www.app.ilifediary.com
# ilifediary main site
sudo certbot certonly --webroot --webroot-path=/home/xinshu/https:/ilifediary.com -d ilifediary.com -d www.ilifediary.com

Creating the certificate with the nginx plugin, in which case no webroot path is given:

certbot certonly --nginx --agree-tos --redirect --hsts --email unusebamboo@163.com -d mail.unusebamboo.top

Creating the certificate with the apache plugin:

certbot certonly --apache --agree-tos --redirect --hsts --email unusebamboo@163.com -d mail.unusebamboo.top

renew

Used to update the SSL certificate on a schedule, renewing the HTTPS certificate automatically so that the free certificate does not expire after 3 months.

Command:

renew: check all certificates installed on the system and update any that are set to expire in less than thirty days
--quiet: tells Certbot not to output information nor wait for user input
--renew-hook: reload nginx

crontab configuration:

# nginx managed by systemctl
15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"
# nginx started the old way
15 3 * * * sudo /usr/bin/certbot renew --quiet --renew-hook "/usr/sbin/service nginx reload"

Configuration steps

Prerequisites

Make sure the domain, NGINX and permission requirements are all met. The steps are as follows:

  • Have an Ubuntu 16.04 server with a non-root user who has sudo privileges.
  • Own or control the registered domain name that you wish to use the certificate with, e.g. ilifediary.com and www.ilifediary.com (it may be only one of these).
  • Be sure to create an A record that points to the public IP address of your web server.

Obtaining the Cert

Make sure the HTTP service is up. Note also that the certbot service provider limits failed requests to at most 5 per hour, so configure carefully. Obtain the cert as described in section 2.2:

sudo certbot certonly --webroot --webroot-path=/home/bamboo/https:/unusebamboo.top -d unusebamboo.top -d www.unusebamboo.top

At the end, your certificate and chain are saved under /etc/letsencrypt/live/unusebamboo.com/, which includes:

cert.pem: Your domain's certificate
chain.pem: The Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined; note the order: diff fullchain.pem <(cat cert.pem chain.pem)
privkey.pem: Your certificate's private key

TLS/SSL

After generating the certificate, add a server block for port 443 and add the certificate to it, for example:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name unusebamboo.top;
    root /home/bamboo;
    index index.html;

    ssl_certificate "/etc/letsencrypt/live/unusebamboo.top/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/unusebamboo.top/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
}

After completing the configuration above, test that the nginx configuration is OK and restart the nginx service.

Restart nginx

sudo /etc/init.d/nginx configtest
# newer versions
sudo systemctl restart nginx
# older versions
sudo service nginx restart

Renew

Let’s Encrypt certificates are valid for 90 days, but it is recommended that you renew the certificates every 60 days to allow a margin of error.

Notice that if you have a bundle of certificates with multiple domains, only the base name is shown in the output, but the renewal is valid for all domains included in this certificate. Below is a crontab scheduled task:

15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"

Aliyun certificates

The application steps above are somewhat tedious. In fact, Aliyun currently supports applying for free certificates (see the Aliyun website for details). Once the certificate for the given domain has been issued, it can be downloaded; an nginx certificate, for example, consists of the following two files:

shop.booo.top.key
shop.booo.top.pem

Now the 443 ssl server block can be added to nginx:

server {
    # Note: if several subdomains are configured, only one of them may be default_server
    listen 443 ssl http2 default_server;
    server_name shop.unusebamboo.top;
    root /data/shop;

    ssl_certificate "/data/ssl/shop.booo.top.pem";
    ssl_certificate_key "/data/ssl/shop.booo.top.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # Note this line
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # The configuration below is kept the same as the port-80 server block
}

After the configuration is done, restart nginx, and the HTTPS service will be working.
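As an added check that is not part of this post: a small Python audit, run over a constructed copy of the two 443 server blocks shown above (the Let's Encrypt one and the Aliyun one), that flags the two things the comments in those blocks warn about, namely more than one default_server on the same address:port and an ssl_protocols line that still enables TLSv1/TLSv1.1, plus a missing certificate or key directive. It assumes flat server blocks with no nested location blocks.

```python
import re
from collections import Counter

# Constructed sample, not the post's own file: its Aliyun 443 block beside a Let's Encrypt one.
SAMPLE_CONF = """server {
    listen 443 ssl http2 default_server;
    server_name shop.unusebamboo.top;
    ssl_certificate "/data/ssl/shop.booo.top.pem";
    ssl_certificate_key "/data/ssl/shop.booo.top.key";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl http2 default_server;
    server_name unusebamboo.top;
    ssl_certificate "/etc/letsencrypt/live/unusebamboo.top/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/unusebamboo.top/privkey.pem";
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(conf: str) -> list[str]:
    # Bodies of top-level server { ... } blocks; assumes no nested location blocks.
    return re.findall(r"\bserver\s*\{(.*?)\}", conf, re.S)

def directive(block: str, name: str) -> list[list[str]]:
    # Argument lists of every occurrence of a directive; '#' comment lines never match.
    return [v.split() for v in re.findall(rf"^\s*{name}\s+([^;]+);", block, re.M)]

def audit(conf: str) -> list[str]:
    """Findings for the checks this post cares about; an empty list means clean."""
    findings: list[str] = []
    defaults: Counter = Counter()  # address:port -> count of default_server flags
    for body in server_blocks(conf):
        names = directive(body, "server_name")
        name = " ".join(names[0]) if names else "<unnamed>"
        for args in directive(body, "listen"):
            if "default_server" in args:
                defaults[args[0]] += 1
        for protos in directive(body, "ssl_protocols"):
            weak = sorted(set(protos) & DEPRECATED_PROTOCOLS)
            if weak:
                findings.append(f"{name}: deprecated ssl_protocols {' '.join(weak)}")
        if not (directive(body, "ssl_certificate") and directive(body, "ssl_certificate_key")):
            findings.append(f"{name}: ssl_certificate or ssl_certificate_key missing")
    for addr, n in defaults.items():
        if n > 1:
            findings.append(f"default_server set {n} times for {addr}; nginx allows one per address:port")
    return findings
```

Run `audit(SAMPLE_CONF)` to see the two findings for the sample; pass it the contents of your own sites-enabled files to check them the same way.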

References