How can I upgrade my website from HTTP to HTTPS for free?

How to use Let's Encrypt's free certificate to upgrade a website to HTTPS.

Perhaps you have seen ads appear in the bottom-right corner of a blog, or pop-ups show up from time to time, even though the site owner never placed them. This is carrier (ISP) hijacking of plain HTTP traffic. You don't want your site to end up like this, and this is where the value of HTTPS shows.

HTTPS has many benefits, but this one alone is reason enough to put the effort into upgrading our blog system.


1 Let's understand what Let's Encrypt is
Let's Encrypt is a certificate authority. To enable HTTPS we need to obtain a certificate from a certificate authority (hereinafter referred to as CA),
and from Let's Encrypt we can obtain a free certificate for the website's domain name.

2 Introduction to Certbot
Certbot is the official client recommended by Let's Encrypt for obtaining certificates. It can automatically obtain free Let's Encrypt certificates for us. Certbot supports all Unix-like operating systems. The examples in this article are based on CentOS 7.

3 Obtain a free certificate
3-1 Install the Certbot client

$ yum install certbot                          # CentOS
$ apt-get update && apt-get install certbot    # Ubuntu
$ apk add --no-cache certbot                   # container built from the Docker alpine nginx image

3-2 Obtain a certificate
certbot certonly --webroot -w /var/www/html/awaimai -d awaimai.com -d www.awaimai.com
The command above generates a single certificate covering both awaimai.com and www.awaimai.com. In --webroot mode certbot creates a .well-known folder inside the web root given to -w (here /var/www/html/awaimai).
This folder holds some verification files, and certbot verifies that your domain is bound to this server by having the CA visit example.com/.well-known/acme-challenge. After the certificate is generated, the directory /etc/letsencrypt/live/ contains a folder named after the domain, holding symbolic links to the current certificate files. Of course, we can also choose where the certificate is stored with --config-dir:
certbot certonly --webroot -w /var/www/html/awaimai -d awaimai.com -d www.awaimai.com --config-dir /etc/nginx/conf.d/certs
certbot offers many more parameters; see
https://certbot.eff.org/docs/using.html#configuration-file

3-3 standalone mode
In most cases the command above meets our needs. But some of our services have no web root, for example some microservices, and --webroot cannot be used there. certbot has another mode for this, --standalone. It needs no website root directory: it binds the server's port 443 itself to verify the domain name. If other services such as nginx already occupy port 443, we must stop them first and start them again after the certificate has been generated.

certbot certonly --standalone -d example.com -d www.example.com
So far, our first certificate generation has been completed. The next step is to configure our web server and enable HTTPS.

4 Nginx configuration to enable HTTPS
I use Nginx as the server that forwards requests; here is my Nginx configuration.
server {
        listen 80;
        server_name www.awaimai.com awaimai.com;
        # Send every plain-HTTP request to the HTTPS site with a permanent (301) redirect
        rewrite ^(.*) https://www.awaimai.com$1 permanent;
}

server {
        # "listen 443 ssl" already enables TLS on this port; the separate "ssl on;"
        # directive is deprecated (and removed in newer nginx), so it is not used here
        listen       443 ssl;
        server_name  www.awaimai.com;
        root         /var/www/html/awaimai;
        index        index.php;

        # Certificate chain (public) and private key written by certbot into --config-dir
        ssl_certificate /etc/nginx/conf.d/certs/live/awaimai.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/conf.d/certs/live/awaimai.com/privkey.pem;

        # Hand .php requests to PHP-FPM; the dot is escaped so the regex matches a literal "."
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        # Never serve .htaccess / .htpasswd style files
        location ~ /\.ht {
            deny all;
        }

}
The configuration mainly listens on port 443 with SSL enabled and sets the paths of the SSL certificate (the public certificate chain and the private key). With this in place, HTTPS is enabled successfully: when you open the website you will see it marked as Secure. For example:



5 Automatically renewing the SSL certificate
After configuring all this, our work is not yet finished.
Certificates issued by Let's Encrypt are valid for only 90 days, so we must obtain them again before they expire. How?

certbot gives us a very convenient command for this:

certbot renew                                        # renewal using the default configuration directory
certbot renew --config-dir /etc/nginx/conf.d/certs   # renewal using a custom configuration directory

With this command, certbot automatically checks the certificates on the system and renews them.


Note: after the renewal completes, Nginx must be reloaded: nginx -s reload
We can test the renewal with this command:

certbot renew --dry-run
If this error appears when running it:
Attempting to renew cert from /etc/letsencrypt/renewal/api.diamondfsd.com.conf produced an unexpected error: At least one of the required ports is already taken.. Skipping.

This is because the certificate was generated in --standalone mode.
That mode needs to bind port 443 while verifying the domain; the error means the port it wants to use is already occupied.


In that case nginx has to be stopped first by running the following command:

nginx -s stop

If the renewal command then runs without errors, all certificates have been refreshed successfully. Certificates expire only after 90 days, so we just need to run the renewal before that.


Of course, rather than running this by hand every time and risking forgetting it, we can use a Linux scheduled task; a crontab entry is all it takes.

Create a file certbot-auto-renew-cron and write the cron schedule in it:

15 2 * */2 * certbot renew --pre-hook "nginx -s stop" --post-hook "nginx -s start"  # standalone mode
15 2 * */2 * certbot renew --post-hook "nginx -s reload"                            # non-standalone mode

The line means: run the renewal at 02:15 every two months. (Read strictly, */2 in the month field combined with * in the day field fires at 02:15 on every day of every second month; that is harmless, because certbot renew only replaces certificates that are close to expiry.)

--pre-hook specifies what to do before the renewal runs.

Certificates obtained in --standalone mode need the nginx service stopped so that the port is freed.

--post-hook specifies what to do after the renewal completes; here it brings the nginx service back up.
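Before the post-hook brings nginx back, it is worth confirming that the files certbot wrote are actually usable; otherwise nginx fails to load the new certificate at the worst possible moment. The script below is an added example, not part of the original article and not certbot's own code. It checks that privkey.pem belongs to the leaf certificate in fullchain.pem, that the chain is not empty, and (using the same 30-day threshold certbot renew applies by default) whether the certificate is close to expiry. It assumes only a POSIX shell and the openssl command line tool; the directory argument would be the article's /etc/nginx/conf.d/certs/live/awaimai.com.

```shell
#!/bin/sh
# Added example, not from the original article or from certbot: sanity checks
# on a certbot "live" directory, meant to run inside --post-hook before
# "nginx -s reload". Needs only POSIX sh and the openssl command line tool.
# The directory layout (fullchain.pem, privkey.pem) is the one certbot
# produces under <config-dir>/live/<cert-name>/, as used in the article.

# cert_needs_renewal CERT DAYS
#   exit 0 if CERT expires within DAYS days, 1 if it is valid beyond that.
#   certbot renew itself only acts on certificates with fewer than 30 days left.
cert_needs_renewal() {
    cert="$1"
    days="$2"
    # -checkend N succeeds (exit 0) when the certificate is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert CERT KEY
#   exit 0 if the public key inside the leaf certificate (first PEM block of
#   CERT) equals the public key derived from KEY. openssl x509 reads only the
#   first certificate in a file, so passing fullchain.pem checks the leaf.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    return 1
}

# chain_length FULLCHAIN
#   print the number of PEM certificates in the file (leaf + intermediates);
#   prints 0 when there are none, nothing when the file cannot be read.
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true
}

# check_live_dir DIR [DAYS]
#   exit 0 when the directory is safe to reload into nginx,
#   1 on a structural problem (empty or unreadable chain, key mismatch),
#   2 when the certificate expires within DAYS (default 30) days.
check_live_dir() {
    dir="$1"
    days="${2:-30}"
    count=$(chain_length "$dir/fullchain.pem")
    if [ "${count:-0}" -lt 1 ]; then
        echo "no certificate found in $dir/fullchain.pem" >&2
        return 1
    fi
    if ! key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "privkey.pem does not belong to the certificate in $dir" >&2
        return 1
    fi
    if cert_needs_renewal "$dir/fullchain.pem" "$days"; then
        echo "certificate in $dir expires within $days days; renewal still needed" >&2
        return 2
    fi
    return 0
}

# When run as a script: check_live_dir.sh /etc/nginx/conf.d/certs/live/awaimai.com [days]
if [ "$#" -gt 0 ]; then
    check_live_dir "$@"
    exit $?
fi
```

Wired into the cron line as --post-hook "sh /usr/local/bin/check_live_dir.sh /etc/nginx/conf.d/certs/live/awaimai.com && nginx -s reload" (path assumed), the reload only happens when the checks pass, and a failing check leaves its reason on stderr where cron's mail or log will show it.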


Finally we install this scheduled task with crontab:

crontab certbot-auto-renew-cron

With that, the upgrade of the whole website to HTTPS is complete.


6 Deleting certificates
Delete all certificates:

$ sudo certbot delete


Delete a specific certificate:

$ sudo certbot delete --cert-name example.com


Delete a specific certificate in a specified configuration directory:

$ certbot delete --cert-name example.com --config-d



Origin blog.51cto.com/15127568/2667061