那年那日那朵花


Upgrading the site to HTTPS

2018-07-24 10:55 linux

Introduction

This site had always been served over plain HTTP. Recently I wanted to move it to HTTPS, so I looked around online and found that a certificate can be obtained for free from Let's Encrypt. I gave it a try, and here I am recording the steps and the related information.

Installing certbot-auto

The official page is https://certbot.eff.org/docs/install.html; you can install it with the few commands below.

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help

Running it will, as I recall, prompt you to install quite a few packages through yum, but there is a flag that installs into a virtual environment instead; I don't remember the exact flag.

Domain validation and certificate request

Next comes proving that the site is yours. Note that the URL /.well-known/acme-challenge/XXXXXXX-XXXXX on the site must be reachable from the public internet: Let's Encrypt fetches that URL to confirm that the site belongs to you.
For my site, for example, http://niubidian.top/.well-known/acme-challenge/XXXXX-XXXXX has to be reachable so that Let's Encrypt can validate my control of the domain.
This can be configured in the existing nginx setup like this:

location /.well-known {
    # "root" appends the full request URI, so a token is served from
    # /home/hu/well-known/.well-known/acme-challenge/<token>; certbot's -w
    # below must therefore point at this same directory
    root /home/hu/well-known/;
}

Then create the directory:

mkdir /home/hu/well-known/
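Before running certbot it is worth confirming that the directory nginx serves the token from is the same one certbot's webroot plugin writes to: with root, nginx appends the full URI, so -w must point at the directory named in the location's root; with alias the prefix is replaced and the two would diverge. The following Python script is an added example, not code from this post or from Certbot. The paths /home/hu/well-known and the domain niubidian.top are taken from the post; local_fetch is a hypothetical stand-in for the HTTP request, used only to exercise the token plumbing without a running server.

```python
import os
import secrets
import tempfile
from urllib.parse import urljoin
from urllib.request import urlopen

# Relative directory where certbot's webroot plugin writes http-01 tokens
# and where the ACME validator expects to fetch them.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def nginx_served_path(directive, path, location, uri):
    """Return the file nginx serves for `uri` given
    `location <location> { <directive> <path>; }`.

    `root` appends the full request URI to the path; `alias` replaces the
    matched location prefix with the path. Mixing them up is the usual
    reason the validator gets a 404.
    """
    if directive == "root":
        return os.path.normpath(os.path.join(path, uri.lstrip("/")))
    if directive == "alias":
        if not uri.startswith(location):
            raise ValueError("uri does not match the location prefix")
        rest = uri[len(location):].lstrip("/")
        return os.path.normpath(os.path.join(path, rest))
    raise ValueError("directive must be 'root' or 'alias'")


def webroot_matches_nginx(webroot, directive, path, location="/.well-known"):
    """True if `certbot --webroot -w <webroot>` writes tokens at the path
    nginx will serve for /.well-known/acme-challenge/<token>."""
    token = "TOKEN"
    certbot_writes = os.path.normpath(os.path.join(webroot, CHALLENGE_DIR, token))
    nginx_reads = nginx_served_path(directive, path, location,
                                    "/.well-known/acme-challenge/" + token)
    return certbot_writes == nginx_reads


def _http_fetch(url):
    # Plain GET over HTTP, the way the Let's Encrypt validator retrieves the token.
    with urlopen(url, timeout=10) as resp:
        return resp.read()


def preflight(webroot, base_url, fetch=_http_fetch):
    """Drop a throwaway token into the webroot, fetch it through the public
    URL and confirm the bytes round-trip. The token is removed afterwards."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32).encode()
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    file_path = os.path.join(directory, token)
    with open(file_path, "wb") as fh:
        fh.write(body)
    try:
        return fetch(urljoin(base_url, "/.well-known/acme-challenge/" + token)) == body
    finally:
        os.remove(file_path)


def local_fetch(webroot):
    """Hypothetical stand-in for the HTTP fetch: reads straight from disk the
    way an nginx `root` mapping would, so the plumbing can be tested offline."""
    def fetch(url):
        name = url.rsplit("/", 1)[1]
        with open(os.path.join(webroot, CHALLENGE_DIR, name), "rb") as fh:
            return fh.read()
    return fetch


def self_test():
    """Run preflight() against a temporary webroot using the offline fetch."""
    with tempfile.TemporaryDirectory() as tmp:
        return preflight(tmp, "http://niubidian.top/", fetch=local_fetch(tmp))


if __name__ == "__main__":
    # Against the live site the call would be (values as configured in the post):
    #   preflight("/home/hu/well-known", "http://niubidian.top/")
    print("root mapping matches -w:",
          webroot_matches_nginx("/home/hu/well-known", "root", "/home/hu/well-known/"))
    print("offline self-test:", self_test())
```

If preflight() returns False against the real site, the usual causes are a location that uses alias while -w still points at the parent directory, a firewall that does not allow port 80 from the internet, or a redirect to HTTPS that fires before the certificate exists.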

Running the validation and requesting the certificate

[root@iZ940yncjk5Z ~]# ./certbot-auto certonly --webroot -w /home/hu/well-known -d niubidian.top 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for niubidian.top
Using the webroot path /home/hu/well-known for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/niubidian.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/niubidian.top/privkey.pem
   Your cert will expire on 2018-10-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Seeing the message above means it worked. The certificate is valid for 90 days. Certbot creates a directory named after the domain under /etc/letsencrypt/live/, and the certificate files are inside it; the README in that directory is worth reading first.

  • privkey.pem : the private key for your certificate.
  • fullchain.pem: the certificate file used in most server software.
  • chain.pem : used for OCSP stapling in Nginx >=1.3.7.
  • cert.pem : will break many server configurations, and should not be used without reading further documentation (see link below).

Deployment

Now the certificate can be put to use. The nginx configuration file can be set up like this:

server {
    listen 80;
    server_name niubidian.top;
    # $request_uri already includes the query string, so nothing else is appended
    return 301 https://$host$request_uri;
}
server {
    # "listen 443 ssl;" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    root /home/hu/well-known/;
    server_name niubidian.top;
    ssl_certificate /etc/letsencrypt/live/niubidian.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/niubidian.top/privkey.pem;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    # TLSv1 and TLSv1.1 are listed only for legacy clients; TLSv1.2 alone is the safer choice
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    # ... the remaining directives of this server block are not reproduced here
}

Finally, test the site. Looking at the result, the browser reported an error:

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.

That is because the page still references non-HTTPS links; those will be adjusted next, but the site as a whole is already working over HTTPS.
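A quick way to find those references before switching a site over is to scan the rendered HTML for subresources loaded with an explicit http:// scheme, which is exactly what the browser blocks. The scanner below is an added example, not code from this post; the sample HTML is constructed for illustration, and the hosts cdn.example.invalid and example.invalid are placeholders. It deliberately ignores <a href> navigation links, protocol-relative // URLs and relative paths, because browsers do not treat those as mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose value the browser fetches as a subresource.
# <a href> is deliberately absent: navigation is not mixed content.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
}
# <link> only triggers a fetch for these rel values; rel="canonical" etc. do not.
LINK_FETCH_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch"}


class MixedContentScanner(HTMLParser):
    """Collect (line, tag, attribute, url) for every subresource fetched over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_FETCH_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # Only an explicit http: scheme is blocked; https:, protocol-relative
            # (//host/...) and relative URLs inherit the page's own scheme.
            if urlsplit(value).scheme.lower() == "http":
                self.findings.append((self.getpos()[0], tag, name, value))


def scan_html(html):
    """Return the list of mixed-content findings for one HTML document."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two blocked references, four that are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://niubidian.top/static/site.css">
<link rel="canonical" href="http://niubidian.top/">
<script src="https://cdn.example.invalid/lib.js"></script>
</head><body>
<img src="//cdn.example.invalid/logo.png">
<img src="http://cdn.example.invalid/banner.png">
<a href="http://example.invalid/">plain link, not mixed content</a>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in scan_html(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}=...> loads {url} over plain HTTP")
```

Running it over each page of the site (or over the HTML in the repository) lists the exact lines to change; switching a reference to https:// only helps if that host actually serves the resource over TLS, so re-check the pages in the browser after editing.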

Certificate renewal

Since the certificate is only valid for 90 days, renewal has to be scheduled. An entry can be added to crontab:

# at 00:00 on the 1st and 15th of every second month (January, March, ...)
0 0 1,15 */2 *    /root/certbot-auto renew --quiet --no-self-upgrade  ; nginx -s reload

You can also run

./certbot-auto  renew --dry-run

first to see what would happen without actually renewing anything.
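The schedule above fires at 00:00 on the 1st and 15th of every second month, so up to 47 days can pass between two runs, while certbot renew only replaces a certificate once 30 days or fewer of validity remain (its default); Certbot's own documentation therefore suggests running it twice a day and letting the tool decide. With the schedule above, a certificate issued on 2018-07-24 (expiring 2018-10-22, as in the output earlier in this post) is checked on September 1 and 15 with more than 30 days left, skipped both times, and lapses before the November 1 run. The simulator below is an added example, not code from this post or from Certbot: it parses the five cron fields and replays the renewal decision day by day. Runs are counted per calendar day, so the minute and hour fields are parsed for validation only; the constructed schedules compared in main() are the post's entry and a twice-daily one.

```python
from datetime import date, timedelta

CERT_LIFETIME_DAYS = 90   # Let's Encrypt certificate lifetime
RENEW_WINDOW_DAYS = 30    # certbot's default: renew when 30 days or fewer remain


def _expand(field, low, high):
    """Expand one crontab field ('*', '*/2', '1,15', '1-5', '1-5/2') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = high if step > 1 else start
        values.update(range(start, end + 1, step))
    return values


def parse_cron(line):
    """Parse the five schedule fields of a crontab line; a trailing command is ignored."""
    minute, hour, dom, month, dow = line.split()[:5]
    return {
        "minute": _expand(minute, 0, 59),
        "hour": _expand(hour, 0, 23),
        "dom": _expand(dom, 1, 31),
        "month": _expand(month, 1, 12),
        "dow": _expand(dow, 0, 7),
        "dom_any": dom == "*",
        "dow_any": dow == "*",
    }


def runs_on(spec, day):
    """True if the schedule fires at least once on this calendar day."""
    if day.month not in spec["month"]:
        return False
    dom_ok = day.day in spec["dom"]
    cron_dow = (day.weekday() + 1) % 7      # cron numbering: Sunday = 0 (or 7), Monday = 1
    dow_ok = cron_dow in spec["dow"] or (cron_dow == 0 and 7 in spec["dow"])
    if not spec["dom_any"] and not spec["dow_any"]:
        return dom_ok or dow_ok             # cron semantics when both fields are restricted
    return dom_ok and dow_ok


def simulate_renewals(cron_line, issued_iso, horizon_days=730):
    """Replay `certbot renew` under a cron schedule, starting from a freshly issued cert.

    Returns {'expired_on': ISO date of the first day the site would serve an expired
    certificate (None if it never lapses), 'min_days_left_at_run': the tightest
    margin seen at any run, i.e. how close the schedule comes to a lapse}.
    """
    spec = parse_cron(cron_line)
    issued = date.fromisoformat(issued_iso)
    expiry = issued + timedelta(days=CERT_LIFETIME_DAYS)
    min_left = CERT_LIFETIME_DAYS
    for offset in range(1, horizon_days + 1):
        today = issued + timedelta(days=offset)
        if today >= expiry:
            return {"expired_on": today.isoformat(), "min_days_left_at_run": min_left}
        if runs_on(spec, today):
            days_left = (expiry - today).days
            min_left = min(min_left, days_left)
            if days_left <= RENEW_WINDOW_DAYS:
                expiry = today + timedelta(days=CERT_LIFETIME_DAYS)
    return {"expired_on": None, "min_days_left_at_run": min_left}


if __name__ == "__main__":
    # Constructed comparison: the post's crontab entry versus a twice-daily one.
    for schedule in ("0 0 1,15 */2 *    /root/certbot-auto renew --quiet --no-self-upgrade",
                     "0 0,12 * * *      /root/certbot-auto renew --quiet --no-self-upgrade"):
        print(schedule.split()[:5], simulate_renewals(schedule, "2018-07-24"))
```

The twice-daily schedule never lets the margin drop below 30 days, and certbot itself skips runs where nothing is due, so the extra invocations cost nothing; a --post-hook can be used to reload nginx only when a certificate was actually renewed.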

Cloudhu's personal notes | built by Django
