打开浏览器的控制台,突然发现有这样一个警告:
The SSL certificate used to load resources from https://blog.54zxy.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
不是很懂,好像Chrome在玩什么花头,说我的Symantec发出SSL要怎么怎么样了。点链接进去一看,一大篇文章,就下面几句有用:
If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018
意思是,如果你在dev tools里看到这个信息,您得抓紧了,赶紧替换ssl证书。如果你不换,用户从2018-07-20开始就会看到证书错误的警告!
册那,真是会找事情。小爹我也挺忙的,但这证书还得换不是。早就听朋友提到过Let’s Encrypt, 就去官网看看。
一看不要紧,原来更新证书都可以自动化了!这真是大吃一惊,有个花头叫做 Certbot ACME client,传送门
我的vps是 ubuntu 16.04,选择一下,对应要装的命令就出来了。无脑装之
$ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install python-certbot-nginx
过程不表,备份自己的vhost文件,以防万一。
最后一步是个问答题,贴一下我的命令反馈
*****@54zxy:~$ sudo certbot --nginx Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): bo******@qq.com Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Starting new HTTPS connection (1): supporters.eff.org Which names would you like to activate HTTPS for? ------------------------------------------------------------------------------- 1: 54zxy.com 2: blog.54zxy.com 3: www.54zxy.com 4: d******.com 5: www.d******.com 6: j******.net 7: www.j****.net 8: q*******.com 9: www.q******.com ------------------------------------------------------------------------------- Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 2 Obtaining a new certificate Performing the following challenges: http-01 challenge for blog.54zxy.com Waiting for verification... Cleaning up challenges Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/blog.54zxy.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/blog.54zxy.conf ------------------------------------------------------------------------------- Congratulations! You have successfully enabled https://blog.54zxy.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=blog.54zxy.com ------------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/blog.54zxy.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/blog.54zxy.com/privkey.pem Your cert will expire on 2018-07-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s Encrypt 证书只有3个月有效期,不过没关系,直接一个命令就renew了。(先dry run下)
$ sudo certbot renew --dry-run
1 thought on “更新SSL:从Symantec到Let’sEncrypt”
let’s encrypt已经支持通配符证书了 你咋木有升级下~