
Enabling HTTPS: give your site the little green padlock

Source: 二三娱乐

What is HTTPS

Let's Encrypt

Installing certbot


The method I use is installing certbot-auto via the script:

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

If the Python version you are using is 2.6, you need to upgrade to 2.7; please google the upgrade procedure yourself.

Configuration

1. Create the config file

    # the domain we want to get the cert for;
    # technically it's possible to have multiple of these lines, but it only worked
    # with one domain for me, another one only got one cert, so I would recommend
    # separate config files per domain.
    domains =  

    # increase key size
    rsa-key-size = 2048 # Or 4096

    # the current closed beta (as of 2015-Nov-07) is using this server
    server = https://acme-v01.api.letsencrypt.org/directory

    # this address will receive renewal reminders
    email = your-email

    # turn off the ncurses UI, we want this to be run as a cronjob
    text = True

    # authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
    # and then letting LE fetch it
    authenticator = webroot
    webroot-path = 

2. Configure nginx so that Let's Encrypt can reach the challenge files

Add this location block to your nginx configuration:

    server {
        listen 80 default_server;
        server_name 

        location /.well-known/acme-challenge {
            root 
        }
        ...
    }

Validate the configuration and reload nginx:

    $ sudo nginx -t && sudo nginx -s reload

3. Request the certificate

    $ ./certbot-auto --config  certonly
    Updating letsencrypt and virtual environment dependencies......
    Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config  certonly

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
        Your cert
       will expire on date. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
       ...

4. Point nginx's port 443 at the certificate

    server {
        listen 443 ssl default_server;
        server_name 

        ssl_certificate 
        ssl_certificate_key 

        ...
    }
    server {
        listen 80;
        server_name 
        return 301 https://$server_name$request_uri;
    }

Reload nginx:

    $ sudo nginx -t && sudo nginx -s reload
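The four steps above hinge on two values agreeing: the `webroot-path` in the certbot config from step 1 and the `root` inside the nginx `location /.well-known/acme-challenge` block from step 2. Here is an added Python example (not code from the post) that parses a certbot config of the kind shown in step 1, flags settings that would make the request fail or weaken the result, and derives where the challenge file lands on disk versus the URL the ACME server fetches, so the two paths can be compared before certbot is run. The domain `example.com`, the webroot `/var/www/example` and the token `TOKEN` are constructed sample values.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample in the shape of the step-1 config; domain and paths are placeholders.
SAMPLE_CONFIG = """\
# the domain we want to get the cert for
domains = example.com
rsa-key-size = 2048 # Or 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = admin@example.com
text = True
authenticator = webroot
webroot-path = /var/www/example
"""

def parse_certbot_config(text):
    """Parse certbot's section-less "key = value" file into a dict.
    A dummy section header is prepended so configparser accepts it, and
    trailing "# ..." comments (as on the rsa-key-size line) are stripped."""
    parser = configparser.ConfigParser(
        delimiters=("=",), inline_comment_prefixes=("#",), interpolation=None
    )
    parser.read_string("[certbot]\n" + text)
    return dict(parser["certbot"])

def check_certbot_config(cfg):
    """Return the problems that would make the request fail or weaken the result.
    An empty list means nothing was flagged."""
    problems = []
    domains = [d.strip() for d in cfg.get("domains", "").split(",") if d.strip()]
    if not domains:
        problems.append("domains is empty")
    try:
        if int(cfg.get("rsa-key-size", "2048")) < 2048:
            problems.append("rsa-key-size below 2048 bits")
    except ValueError:
        problems.append("rsa-key-size is not an integer")
    if urlparse(cfg.get("server", "")).scheme != "https":
        problems.append("server is not an https:// ACME directory URL")
    if "@" not in cfg.get("email", ""):
        problems.append("email missing or malformed; expiry reminders need it")
    if cfg.get("authenticator") == "webroot" and not cfg.get("webroot-path"):
        problems.append("authenticator = webroot requires webroot-path")
    return problems

def challenge_locations(domain, webroot_path, token):
    """Where certbot writes the challenge file, and the URL the ACME server fetches.
    Both must resolve to the same file for the webroot authenticator to succeed."""
    file_path = PurePosixPath(webroot_path) / ".well-known" / "acme-challenge" / token
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return str(file_path), url

def nginx_root_serves_webroot(nginx_root, webroot_path):
    """nginx appends the full request URI to `root`, so the `root` inside
    `location /.well-known/acme-challenge` must be webroot-path itself, not
    webroot-path/.well-known or any other subdirectory."""
    return PurePosixPath(nginx_root) == PurePosixPath(webroot_path)

if __name__ == "__main__":
    cfg = parse_certbot_config(SAMPLE_CONFIG)
    print("problems:", check_certbot_config(cfg) or "none")
    print(*challenge_locations(cfg["domains"], cfg["webroot-path"], "TOKEN"), sep="\n")
    print("nginx root ok:", nginx_root_serves_webroot("/var/www/example/", cfg["webroot-path"]))
```

The `root` versus `alias` distinction is the usual reason the webroot challenge fails: with `root`, nginx appends the whole `/.well-known/acme-challenge/<token>` URI, so `root` has to be the same directory certbot was given as `webroot-path`.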

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days, so we should renew them before they expire.

  • Prepare the following script and save it as renew_letsencrypt.sh:

    #!/bin/sh
    # Re-run certbot with the config from step 1; reload nginx only if that succeeded.

    cd /opt/letsencrypt/ || exit 1

    if ./certbot certonly --config /etc/letsencrypt/configs/my-domain.conf; then
        nginx -s reload
    else
        # printf instead of "echo -e": /bin/sh is not guaranteed to understand -e
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
        # non-zero exit so that cron reports the failed run
        exit 1
    fi

    exit 0

  • If /var/log/letsencrypt/ does not exist, create it first.
  • Use crontab -e to schedule a renewal every two months:

    0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /path/to/renew_letsencrypt.sh
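Whether a run on the 1st of every second month keeps up with a 90-day lifetime is worth checking rather than assuming. The added Python example below (not part of the post) expands the cron line above into concrete dates, computes the longest gap between two runs, and then asks the question the script's error branch raises: if one run fails and nobody acts on the printed error, how much validity is left when the next run comes? The year range is a constructed input; the 90-day lifetime and the month list come from the post.

```python
from datetime import date

CERT_LIFETIME_DAYS = 90              # Let's Encrypt validity stated in the post
RENEW_MONTHS = (1, 3, 5, 7, 9, 11)   # the cron line's JAN,MAR,MAY,JUL,SEP,NOV
RUN_DAY = 1                          # the cron line's day-of-month field

def renewal_dates(year_from, year_to):
    """Expand the cron schedule into concrete run dates for the given years (constructed range)."""
    return [date(y, m, RUN_DAY) for y in range(year_from, year_to + 1) for m in RENEW_MONTHS]

def max_gap_days(dates):
    """Longest interval, in days, between two consecutive scheduled runs."""
    return max((later - earlier).days for earlier, later in zip(dates, dates[1:]))

def days_left_after_missed_run(dates, missed_index):
    """Suppose the run at dates[missed_index] fails and nobody acts on the error output.
    Return how many days of validity the certificate from the previous successful run
    still has when the following run happens; negative means the certificate has
    already been expired for that many days."""
    previous_run = dates[missed_index - 1]
    next_run = dates[missed_index + 1]
    return CERT_LIFETIME_DAYS - (next_run - previous_run).days

def schedule_report(year_from=2024, year_to=2025):
    """Summarise the schedule: headroom in the normal case and the worst single-failure case."""
    dates = renewal_dates(year_from, year_to)
    gap = max_gap_days(dates)
    worst = min(days_left_after_missed_run(dates, i) for i in range(1, len(dates) - 1))
    return {
        "max_gap_days": gap,
        "margin_days": CERT_LIFETIME_DAYS - gap,
        "worst_case_after_one_failure": worst,
    }

if __name__ == "__main__":
    print(schedule_report())
```

With the post's schedule the longest gap between runs is 62 days, leaving 28 days of margin in the normal case; after a single failed run, however, the certificate has already been expired for 33 days by the time the next attempt happens. The error branch of renew_letsencrypt.sh only prints a message, so its output has to reach someone who will act on it, or the job needs to run often enough that one miss still falls inside the 90 days.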

Summary

References
