之前因为觉得都是静态内容,所以没必要用HTTPS。主要是嫌申请HTTPS证书比较麻烦。现在可以使用命令行的certbot非常方便地获取Let’s Encrypt的免费证书。
Certbot简介
Certboot是一个ACME(自动化证书管理环境)客户端,这也是Let’s Encrypt官网推荐的签发证书的方式。它适用于对自己domain具有shell访问能力的情况,使用所谓的ACME协议来自动化地签发证书,很大程度上简化了证书签发的步骤。
准备工作
HTTPS的证书基于domain签发,所以事先需要准备如下工作:
- 申请一个domain,例如:example.me.
- 一台公网能够访问的VPS,将example.me解析为它的IP.
一键运行
可以从Github安装certbot,但文档中也给出了直接用Docker启动的方法,还是非常方便的。以下是示例代码:
Copy Codesudo docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -p 80:80 certbot/certbot certonly
其中certonly是获取证书的命令,将80端口映射到本地是为了让ACME server来访问我们的VPS,以验证所有权。
填写信息
如果不加任何参数运行certonly,就会进入以下交互式界面:
Copy CodeSaving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
选项1是让certbot自己运行HTTP server来通过验证,而选项2则需要我们自己将文件放置在.well-known/acme-challenge/目录下来通过验证。如果不怕自己VPS的web服务中断的话,第1种方式还是比较方便的。
随后需要填写邮件信息和同意服务协议,如下所示:
Copy CodeEnter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): alice@bob.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
接下来可以输入需要签发证书的domain,用逗号或是空格隔开。但不能使用通配符*。Certbot会在本地启动一个HTTP server,然后通知ACME server来访问对应的website,以验证domain的所有权。
Copy CodePlease enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): example.me
Requesting a certificate for example.me
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.me/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.me/privkey.pem
This certificate expires on xxxx-xx-xx.
These files will be updated when the certificate renews.
到这里就签发完毕了,在host的/etc/letsencrypt/live/example.me/目录下就生成证书fullchain.pem和privkey.pem。然后可以将SSL证书配置在自己的web server中。
更新
用这种方式生成的证书有效期是90天,在过期之后需要进行更新(renew)操作。只需要将上述命令certonly改为renew即可,该命令会自动更新/etc/letsencrypt/live/目录下有效期少于30天的证书。
📮评论