I use Let’s Encrypt, a free solution. Let’s Encrypt is a certificate authority launched in 2015 that provides free SSL/TLS certificates for secure websites through an automated process designed to eliminate the complex manual work of creating and installing certificates.
Installing a certificate for a website is very simple: all you need is Let’s Encrypt’s Certbot.
First, open https://certbot.eff.org.
Under the robot icon, choose the web server software you use and your operating system. For example, I chose nginx and CentOS 7.
You are then taken to an installation guide page; just follow it step by step.
The commands used are collected below:
# Install certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
# Configure the certificate
sudo /usr/local/bin/certbot-auto --nginx
# Certificates expire, so renewal must run regularly; the random sleep spreads renewal load over the hour.
# The wrapper was installed as /usr/local/bin/certbot-auto, so cron must call it by that path (plain "certbot" is not on PATH).
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null
When you run sudo /usr/local/bin/certbot-auto --nginx, there are a few options to configure. The run looks like this:
# sudo /usr/local/bin/certbot-auto --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: fangchengyan.com
2: www.fangchengyan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Here all domains configured in nginx are listed, and you pick which domain to request the HTTPS certificate for. I chose 1 and continued:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fangchengyan.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/fangchengyan.com.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Because I configured two domains in fangchengyan.com.conf:
server_name www.fangchengyan.com fangchengyan.com;
it asks here whether visits to www.fangchengyan.com should be redirected to fangchengyan.com. I chose 2, meaning redirect, and pressed Enter to continue:
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/fangchengyan.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://fangchengyan.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=fangchengyan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fangchengyan.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fangchengyan.com/privkey.pem
Your cert will expire on 2020-03-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
At this point the configuration is complete; visiting the site over HTTPS finally shows no "not secure" marker.
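As an added example (not code from the original post or from Certbot), a small Python checker for the server blocks that certbot --nginx rewrites. It assumes a constructed config in the shape certbot produces with the redirect option: it confirms the certificate paths point at /etc/letsencrypt/live/<domain>/, reports any server_name not on the certificate (here www.fangchengyan.com, since only option 1 was selected at the domain prompt), and confirms the port-80 redirect is present.

```python
import re
# Constructed sample (not from the page) in the shape certbot --nginx writes with the redirect option.
SAMPLE_CONF = """
server {
    server_name www.fangchengyan.com fangchengyan.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/fangchengyan.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fangchengyan.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = fangchengyan.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name www.fangchengyan.com fangchengyan.com;
}
"""
def server_blocks(conf):
    """Body of each top-level server { ... } block, comments stripped, nesting respected."""
    text, blocks, depth, start = re.sub(r"#[^\n]*", "", conf), [], 0, None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0 and text[:i].rstrip().endswith("server"):
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(text[start:i])
                start = None
    return blocks
def directive(block, name):
    m = re.search(rf"(?m)^\s*{name}\s+([^;]+);", block)  # first `name ...;` directive in the block
    return m.group(1).split() if m else []
def audit(conf, domain, cert_names):
    """Findings for the blocks serving `domain`: cert paths, names the cert lacks, redirect."""
    mine = [b for b in server_blocks(conf) if domain in directive(b, "server_name")]
    tls = [b for b in mine if "ssl" in directive(b, "listen")]
    if not tls:
        return ["no TLS server block for " + domain]
    live, findings = f"/etc/letsencrypt/live/{domain}/", []
    for key, fname in (("ssl_certificate", "fullchain.pem"), ("ssl_certificate_key", "privkey.pem")):
        if directive(tls[0], key) != [live + fname]:
            findings.append(f"{key} is not the live {fname}")
    uncovered = sorted(set(directive(tls[0], "server_name")) - set(cert_names))
    if uncovered:
        findings.append("served names missing from the certificate: " + ", ".join(uncovered))
    if not any("80" in directive(b, "listen") and re.search(r"return\s+301\s+https://", b) for b in mine):
        findings.append("no HTTP-to-HTTPS redirect for " + domain)
    return findings
```

Pass the names actually issued (the "http-01 challenge for ..." lines in the certbot output) as cert_names; a browser visiting a served name that is missing from the certificate will see a name-mismatch error.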