Let’s Encrypt 使用教程,免费的SSL证书,让你的网站拥抱 HTTPS

这篇文章主要讲的就是如何让自己的网站免费从HTTP升级为HTTPS,使用的是 Let’s Encrypt的证书。实际上也就是一个Let’s Encrypt 免费证书获取教程 。

Let’s Encrypt 简介

如果要启用HTTPS,我们就需要从证书授权机构(以下简称CA) 处获取一个证书,Let’s Encrypt 就是一个 CA。我们可以从 Let’s Encrypt 获得网站域名的免费的证书。这篇文章也主要讲的是通过 Let’s Encrypt + Nginx 来让网站升级到HTTPS。

Certbot 简介

Certbot 是Let’s Encrypt官方推荐的获取证书的客户端,可以帮我们获取免费的Let’s Encrypt 证书。Certbot 是支持所有 Unix 内核的操作系统的,个人博客的服务器系统是CentOS 7,这篇教程也是通过在个人博客上启用HTTPS的基础上完成的。

获取免费证书

安装Certbot客户端

pip uninstall requests
pip uninstall urllib3
yum remove python-urllib3
yum remove python-requests
yum install python-urllib3
yum install python-requests
yum install certbot

不停服获取证书:

certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

Output:
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.com
http-01 challenge for www.xxx.com
Using the webroot path /usr/share/nginx/html/www.xxx.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.com/privkey.pem
   Your cert will expire on 2021-08-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

重启nginx:
/usr/sbin/nginx -s reload

这个命令会为 example.com 和 www.example.com 这两个域名生成一个证书,使用 –webroot 模式会在 /var/www/example 中创建 .well-known 文件夹,这个文件夹里面包含了一些验证文件,certbot 会通过访问 example.com/.well-known/acme-challenge 来验证你的域名是否绑定的这个服务器。这个命令在大多数情况下都可以满足需求,

但是有些时候我们的一些服务并没有根目录,例如一些微服务,这时候使用 –webroot 就走不通了。certbot 还有另外一种模式 –standalone , 这种模式不需要指定网站根目录,他会自动启用服务器的443端口,来验证域名的归属。我们有其他服务(例如nginx)占用了443端口,就必须先停止这些服务,在证书生成完毕后,再启用。

certbot certonly --standalone -d example.com -d www.example.com

证书生成完毕后,我们可以在 /etc/letsencrypt/live/ 目录下看到对应域名的文件夹,里面存放了指向证书的一些快捷方式。

这时候我们的第一生成证书已经完成了,接下来就是配置我们的web服务器,启用HTTPS。

Nginx 配置启用 HTTPS

博客系统使用的是Nginx 服务器来转发请求,这里贴一下我的Nginx配置。

server {
    server_name isvee.com www.isvee.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/isvee.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/isvee.com/privkey.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    # Supported protocols and ciphers for general purpose server with good security and compatability with most clients
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Supported protocols and ciphers for server when clients > 5years (i.e., Windows Explorer) must be supported
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    #ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:3999;
        proxy_http_version 1.1;
        proxy_set_header X_FORWARDED_PROTO https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }
}

/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
service iptables save
service iptables restart

主要是监听 443 端口,启用 SSL,并配置 SSL 的证书路径(公钥,私钥的路径)。
通过这些配置 我们就已经成功的完成了 Https 的启用。
现在打开我的博客 https://isvee.com 就可以看到标有 安全 的字样。

自动更新 SSL 证书

Let’s Encrypt 提供的证书只有90天的有效期,我们必须在证书到期之前,重新获取这些证书,我们可以用 crontab 来定时自动更新证书。

转自:https://my.oschina.net/u/2328699/blog/829503

如果出现如下报错:

Traceback (most recent call last):
  File "/usr/bin/pip", line 5, in 
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 72, in 
    import packaging.requirements
  File "/usr/lib/python2.7/site-packages/packaging/requirements.py", line 59, in 
    MARKER_EXPR = originalTextFor(MARKER_EXPR())("marker")
TypeError: __call__() takes exactly 2 arguments (1 given)

解决方法:

1:(推荐)
wget https://pypi.python.org/packages/d2/f9/60bebd372903c3ca2e9216086ac375d4991cce6261b186e6cf908ef5d49d/pyparsing-2.0.3.tar.gz#md5=0fe479be09fc2cf005f753d3acc35939
tar -xvzf pyparsing-2.0.3.tar.gz
cd pyparsing-2.0.3
python setup.py install

2:(参考 https://bugs.centos.org/view.php?id=12722&history=1)
# yum install ftp://mirror.switch.ch/pool/4/mirror/centos/7.3.1611/cloud/x86_64/openstack-kilo/common/pyparsing-2.0.3-1.el7.noarch.rpm
# pip install docutils