申请 https 的可信证书可以提高自己 website 的安全性,之前因为觉得都是静态内容所以没必要用 https,主要就是嫌申请 https 证书比较麻烦. 最近折腾了一下发现,使用命令行的 certbot 可以非常方便的获取 Let’s encrypt 的免费证书.
Certbot 简介 Github 地址:https://github.com/certbot/certbot 本质上来说,certbot 就是一个 ACME client,这也是 Let’s Encrypt 官网推荐的签发证书的方式,适用于对自己的 domain 具有 shell 访问能力的情况,使用所谓的 ACME 协议来自动化的签发证书,很大程度上简化了证书签发的步骤,
准备工作
HTTPS 的证书基于 domain 签发,所以事先需要申请一个 domain,例如:example.me.
一台公网能够访问的 VPS,将 example.me 解析为它的 IP.
一键运行 可以从 github 来安装 certbot,但文档中也给出了直接用 docker 启动的方法,还是非常方便的
1 sudo docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -p 80:80 certbot/certbot certonly
其中 certonly
是获取 cert 的命令,映射 80 的目的是为了一会 ACME server 来访问我们的 VPS 验证所有权.
填写信息 如果不加任何参数运行 certonly
的话就会进入到下面的交互式界面:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 Saving debug log to /var/log /letsencrypt/letsencrypt.log How would you like to authenticate with the ACME CA? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 : Runs an HTTP server locally which serves the necessary validation files underthe /.well-known/acme-challenge/ request path. Suitable if there is no HTTPserver already running. HTTP challenge only (wildcards not supported). (standalone) 2 : Saves the necessary validation files to a .well-known/acme-challenge/directory within the nominated webroot path. A seperate HTTP server must berunning and serving files from the webroot path. HTTP challenge only (wildcards not supported). (webroot)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1 -2 ] then [enter] (press 'c' to cancel ):
选项 1 是让 certbot 自己运行 HTTP server 来通过验证,而选项 2 则是我们自己需要放置 .well-known/acme-challenge/
目录的内容来通过验证. 如果不怕自己 VPS 的 web 服务中断的话,第 1 种方式还是比较方便的.
随后就是填写邮件信息和同意服务协议:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): alice@bob.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.3 -September-21 -2022. pdf. You must agree in order to register with the ACME server . Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a foundingpartner of the Let's Encrypt project and the non-profit organization that develops Certbot? We' d like to send you email about our work encrypting the web,EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Account registered.
接下来就可以输入自己需要签发证书的 domain 了,这里可以用 ,
或者空格隔开多个 domain,但不能使用通配符 *
. 这时 Certbot 会在本地启动一个 http server,然后通知 ACME server 来访问我们 domain 对应的 website,以验证 domain 的所有权.
1 2 3 4 5 6 7 8 9 Please enter the domain name (s) you would like on your certificate (comma and /or space separated) (Enter 'c' to cancel): example.me Requesting a certificate for example.me Successfully received certificate. Certificate is saved at : /etc/letsencrypt/live/example.me /fullchain.pem Key is saved at : /etc/letsencrypt/live/example.me /privkey.pem This certificate expires on xxxx-xx-xx. These files will be updated when the certificate renews.
到这里就签发完毕了,在 host 的 /etc/letsencrypt/live/example.me/
目录下就生成证书 fullchain.pem
和 privkey.pem
. 然后我们就可以在自己的 web server 配置 SSL 证书了.
更新 用这种方式生成的短期证书有效期是 90 天,在过期之后我们还需要对其进行更新(renew)操作,只需要将上面的命令 certonly
改为 renew
即可,该命令会自动更新 /etc/letsencrypt/live/
目录下有效期少于 30 天的证书.