Notes on upgrading a site to HTTPS with a free Let's Encrypt certificate

With some free time on my hands, I decided to move this small site from HTTP to HTTPS using a certificate from a free CA. A quick search showed that Let's Encrypt, the free certificate project backed by Mozilla, Cisco, Akamai and other well-known companies and organisations, is widely used, so I went with it. The migration is simple; the steps are roughly as follows:

Certificate generation

  • Download the certificate client (this step needs git). Note that the repository has since been renamed to certbot/certbot (the old URL still redirects) and the letsencrypt-auto wrapper is deprecated; on a current system, install Certbot from the distribution's packages or snap instead.

    [root@xxxxx ~]# git clone https://github.com/letsencrypt/letsencrypt
    Initialized empty Git repository in /root/letsencrypt/.git/
    remote: Counting objects: 48149, done.
    remote: Compressing objects: 100% (55/55), done.
    remote: Total 48149 (delta 32), reused 35 (delta 18), pack-reused 48076
    Receiving objects: 100% (48149/48149), 14.78 MiB | 3.23 MiB/s, done.
    Resolving deltas: 100% (34433/34433), done.
    
  • Generate the certificate. Two caveats: --standalone starts Certbot's own temporary web server to answer the ACME challenge (port 80 for HTTP-01), so nginx or anything else listening on that port must be stopped while it runs; and the certificate is only valid for 90 days, so schedule "letsencrypt-auto renew" in cron, either with --pre-hook and --post-hook to stop and start nginx around it, or by switching to --webroot, which needs no downtime.

    [root@xxxxx ~]# cd letsencrypt
    [root@xxxxx letsencrypt]# ./letsencrypt-auto certonly --standalone --email XXXXX@xxxxx.net -d coolskill.net -d www.coolskill.net
    Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
    yum is /usr/bin/yum

    Loaded plugins: security
    Setting up Install Process

    ........
    (interactive prompts confirming the site details)
    .......
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/coolskill.net/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/coolskill.net/privkey.pem
       Your cert will expire on 2017-11-25. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

nginx configuration changes

  • Add the SSL certificate configuration: put the following directives in the server block, then check the config and reload (nginx -t && nginx -s reload):
        listen 443 ssl;
        # "ssl on;" is redundant with "listen ... ssl" and deprecated since nginx 1.15.0;
        # it also forces TLS on a "listen 80" in the same block, so leave it out.
        ssl_certificate /etc/letsencrypt/live/coolskill.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/coolskill.net/privkey.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
        # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;

To force HTTPS for all visitors, add a separate server block on port 80 that redirects to 443; "return 301 https://$host$request_uri;" does this more simply and cheaply than a rewrite directive.
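As an added example (not code from the original post, nor from Certbot or nginx), here is a small Python linter for the pitfalls above. It splits a hand-written nginx site config into server blocks and flags "ssl on", deprecated TLS versions, cert.pem used instead of fullchain.pem, a missing HSTS header, a block that serves both plain HTTP and HTTPS, and a port-80 block that does not redirect. The HSTS and same-block checks go slightly beyond the page's own snippet. Both configs inside it are constructed: the first is the post's snippet dropped into an existing port-80 block, the second the hardened layout.

```python
# Added example (not from the original post): a small linter for the HTTPS
# pitfalls discussed above. It is not an nginx parser; brace counting and
# one-directive-per-line are enough for hand-written site configs like this one.
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def split_server_blocks(config):
    """Return the text of each top-level 'server { ... }' block."""
    blocks, depth, current = [], 0, []
    for line in config.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if depth == 0:
            if stripped.startswith("server") and stripped.endswith("{"):
                depth, current = 1, [line]
            continue
        current.append(line)
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            blocks.append("\n".join(current))
    return blocks


def parse_directives(block):
    """Return (name, args) for every 'name args;' line, ignoring comments and braces."""
    directives = []
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        m = re.match(r"^([\w.]+)\s*(.*?);$", line)
        if m:
            directives.append((m.group(1), m.group(2).strip()))
    return directives


def lint_tls_block(directives):
    """Checks for a server block that has 'listen ... ssl'."""
    findings = []
    if ("ssl", "on") in directives:
        findings.append("'ssl on;' is deprecated since nginx 1.15.0 and redundant with "
                        "'listen 443 ssl'; with 'listen 80' in the same block it forces TLS on port 80")
    for n, a in directives:
        if n == "ssl_protocols":
            bad = sorted(set(a.split()) & DEPRECATED_PROTOCOLS)
            if bad:
                findings.append("ssl_protocols offers deprecated versions: " + " ".join(bad))
        if n == "ssl_certificate" and a.endswith("/cert.pem"):
            findings.append("ssl_certificate points at cert.pem; use fullchain.pem so clients get the intermediate")
    if not any(n == "add_header" and a.startswith("Strict-Transport-Security") for n, a in directives):
        findings.append("no Strict-Transport-Security header (HSTS)")
    return findings


def lint_site(config):
    """Lint every server block; returns a list of human-readable findings."""
    findings, tls_blocks = [], 0
    for block in split_server_blocks(config):
        directives = parse_directives(block)
        listens = [a.split() for n, a in directives if n == "listen"]
        if any("ssl" in l for l in listens):
            tls_blocks += 1
            if any("ssl" not in l for l in listens):
                findings.append("block serves both plain HTTP and HTTPS; move port 80 to its own redirect block")
            findings += lint_tls_block(directives)
        elif not any(n in ("return", "rewrite") and "https://" in a for n, a in directives):
            findings.append("port-80 server block does not redirect to HTTPS")
    if tls_blocks == 0:
        findings.append("no server block with 'listen ... ssl'")
    return findings


# Constructed sample 1: the post's directives dropped into an existing port-80 block.
POST_CONFIG = """
server {
    listen 80;
    listen 443 ssl;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/coolskill.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/coolskill.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed sample 2: the hardened layout (redirect block plus TLS block).
HARDENED_CONFIG = """
server {
    listen 80;
    server_name coolskill.net www.coolskill.net;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name coolskill.net www.coolskill.net;
    ssl_certificate /etc/letsencrypt/live/coolskill.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/coolskill.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""

if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", lint_site(cfg) or ["ok"])
```

Run against the post's layout it reports four findings (the shared block, "ssl on", TLSv1/TLSv1.1 and the missing HSTS header); the hardened layout reports none. Enable HSTS only once every host under the domain is served over HTTPS, because browsers will refuse plain HTTP for the max-age period.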

After these steps the site serves HTTPS. Once migrated, check whether any page still pulls in resources over http:// and update them; otherwise browsers flag the page as insecure, blocking active mixed content such as scripts, stylesheets and iframes outright and warning about (or, in newer browsers, upgrading or blocking) passive content such as images.
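As an added example (not from the original post), the following Python script performs the mixed-content check described above offline: it walks an HTML document with the standard library's html.parser and reports every sub-resource still referenced over http://, classified as active or passive and flagged when it points at the site's own host (those can be rewritten to https:// mechanically). The sample page and the cdn.example, img.example and widgets.example hosts are constructed for the example.

```python
# Added example (not from the original post): find mixed content, i.e. sub-resources
# an HTTPS page still loads over http://. Standard library only; the page below is
# constructed for the example and coolskill.net is the site from the post.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that fetch a sub-resource, per element. <a href> is a navigation,
# not mixed content, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "link": ("href",), "img": ("src", "srcset"), "source": ("src", "srcset"),
    "audio": ("src",), "video": ("src", "poster"),
}
# Active mixed content (scripts, stylesheets, frames, plugins) is blocked outright
# by browsers; passive content (images, media) is warned about, and newer browsers
# upgrade or block it too. Either way the padlock is lost.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, url, same_host)

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = dict(attrs)
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; take each url.
            if name == "srcset":
                urls = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                urls = [value.strip()]
            for url in urls:
                parts = urlsplit(url)
                if parts.scheme.lower() != "http":
                    continue  # https://, protocol-relative // and relative paths are fine
                if tag == "link":
                    rel = (attrs.get("rel") or "").lower().split()
                    kind = "active" if "stylesheet" in rel else "passive"
                else:
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                # Same-host references can simply be rewritten to https:// (or a
                # relative path); third-party ones need a host that serves HTTPS.
                self.findings.append((kind, tag, url, parts.hostname == self.page_host))


def scan(html, page_url):
    """Return mixed-content findings for an HTML document served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page with a mix of safe and unsafe references.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://coolskill.net/css/site.css">
<link rel="icon" href="http://coolskill.net/favicon.ico">
<script src="https://cdn.example/jquery.js"></script>
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<img src="/images/a.png" srcset="/images/a.png 1x, http://img.example/a@2x.png 2x">
<a href="http://www.example.com/">a plain link: navigation, not mixed content</a>
<iframe src="http://widgets.example/box"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, same_host in scan(SAMPLE_PAGE, "https://coolskill.net/"):
        fix = "rewrite to https://" if same_host else "check that the host serves HTTPS"
        print(f"{kind:7} <{tag}> {url}  ({fix})")
```

On the sample page it reports five references: the stylesheet, the favicon, the analytics script, the 2x image in srcset and the iframe; the https:// script, the protocol-relative logo and the plain <a> link are correctly ignored. Run it over the site's rendered pages (for example saved with curl) rather than the templates, since resources injected by plugins or themes are the ones most often missed.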