導(dǎo)讀:你將擁有一個(gè)不過期的SSL DV 免費(fèi)證書��,請(qǐng)看本文�。
背景
之前網(wǎng)站使用的是免費(fèi)證書,但是免費(fèi)證書(默認(rèn)證書)的簽發(fā)有效期由12個(gè)月縮短至3個(gè)月�,很快就到期,這是要讓大多數(shù)企業(yè)購買付費(fèi)證書的節(jié)奏啊�����,所以我更換了證書的簽發(fā)機(jī)構(gòu)���。本文主要講的就是如何使用 Let’s Encrypt的證書讓自己的網(wǎng)站免費(fèi)從HTTP升級(jí)為HTTPS�。
目前比較流行的免費(fèi) SSL 證書有 Let’s encrypt 和 Cloudflare。這次我們先嘗試一下 Let’s encrypt�。
Let's Encrypt 是一個(gè)由非營(yíng)利性組織 互聯(lián)網(wǎng)安全研究小組(ISRG)提供的免費(fèi)、自動(dòng)化和開放的證書頒發(fā)機(jī)構(gòu)(CA)�����。
Let's Encrypt 簡(jiǎn)介
簡(jiǎn)單的說����,借助 Let's Encrypt 頒發(fā)的證書可以為我們的網(wǎng)站免費(fèi)啟用 HTTPS(SSL/TLS) 。Let’s encrypt 證書是 DV(Domain Validation)證書���,只驗(yàn)證域名所有權(quán)��,不驗(yàn)證公司信息��。
其證書的簽發(fā)/續(xù)簽都是腳本自動(dòng)化的��,官方提供了幾種證書的申請(qǐng)方式方法���,網(wǎng)址為 https://letsencrypt.org/zh-cn/docs/client-options/。
安裝Certbot客戶端
[root@aliyun-www ~]# yum install certbot -y
等待它下載安裝完畢���,檢測(cè)是否成功�。使用如下命令:
[root@aliyun-www ~]# certbot --versioncertbot 2.11.0
現(xiàn)在已經(jīng)安裝成功,接著就可以申請(qǐng)SSL證書了����。
比如我們要為static.example.com申請(qǐng)證書(你可以更換為真實(shí)的域名)���,使用如下命令:
[root@aliyun-www ~]# certbot certonly --nginx -d static.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
執(zhí)行時(shí)�,如果出現(xiàn)上面的提示���,需要 nginx plugin 插件��,可以運(yùn)行如下命令�,安裝相應(yīng)的插件解決:
[root@aliyun-www ~]# yum install python3-certbot-nginx
接著���,請(qǐng)讓我們?cè)俅芜\(yùn)行申請(qǐng)SSL的指令:
[root@aliyun-www ~]# certbot certonly --nginx -d static.example.com
接下來�,是一個(gè)交互的過程��。
是否同意 Let's Encrypt 協(xié)議要求=>需要同意��,是否分享你的郵箱�����,詢問是否對(duì)域名和機(jī)器(IP)進(jìn)行綁定=>需要同意。
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): youname@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for static.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/static.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/static.example.com/privkey.pem
This certificate expires on 2025-06-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
證書生成完畢后����,我們可以在 /etc/letsencrypt/live/ 目錄下看到對(duì)應(yīng)域名的文件夾,里面存放了指向證書的一些快捷方式��。
證書續(xù)簽:自動(dòng)更新 SSL 證書
Let’s Encrypt 提供的證書只有90天的有效期,證書在到期前30天才會(huì)續(xù)簽成功,我們必須在證書到期之前�,重新獲取這些證書,certbot 給我們提供了一個(gè)很方便的命令�,那就是 certbot renew。通過這個(gè)命令����,他會(huì)自動(dòng)檢查系統(tǒng)內(nèi)的證書,并且自動(dòng)更新這些證書����。可以運(yùn)行這個(gè)命令測(cè)試一下:
[root@aliyun-www ~]# certbot renew --dry-run
Certbot 會(huì)檢查證書是否過期����,如果過期會(huì)自動(dòng)續(xù)期?��?梢詫?certbot renew 添加到Cron定時(shí)任務(wù)�����,定期檢查證書是否過期���。
Nginx 開啟 https
證書生成完成后可以到 /etc/letsencrypt/live/ 目錄下查看對(duì)應(yīng)域名的證書文件。編輯 nginx 配置文件監(jiān)聽 443 端口����,啟用 SSL,并配置 SSL 的公鑰����、私鑰證書路徑:
server {
listen 443 ssl;
server_name example.cn;
root /home/www/example.com;
index index.html index.htm index.php;
ssl_certificate /etc/letsencrypt/live/example/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
...
}
添加 HTTP 自動(dòng)跳轉(zhuǎn)到 HTTPS:
server {
listen 80;
server_name example.com;
location / {
rewrite ^(.*)$ https://$host$1 permanent;
}
}
配置好Nginx后,重新啟動(dòng):
這樣,你就可以一直有不過期的證書了。
結(jié)語
通過執(zhí)行這些步驟�����,我們已在 CentOS 9 服務(wù)器上成功安裝和配置 Let's Encrypt SSL��,從而為網(wǎng)站訪問者提供安全通信�。請(qǐng)定期檢查你的配置和更新��,以維護(hù)安全可靠的網(wǎng)絡(luò)狀態(tài)��。
閱讀原文:原文鏈接
該文章在 2025/8/15 11:39:57 編輯過
400 186 1886
