let's encrypt

更新SSL:从Symantec到Let’sEncrypt

Posted onCategories技术文章

打开浏览器的控制台,突然发现有这样一个警告:

The SSL certificate used to load resources from https://blog.54zxy.com will be distrusted in M70. 
Once distrusted, users will be prevented from loading these resources.
 See https://g.co/chrome/symantecpkicerts for more information.

不是很懂,好像Chrome在玩什么花头,说我的Symantec发出SSL要怎么怎么样了。点链接进去一看,一大篇文章,就下面几句有用:

If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. 
If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018

意思是,如果你在dev tools里看到这个信息,您得抓紧了,赶紧替换ssl证书。如果你不换,用户从2018-07-20开始就会看到证书错误的警告!

册那,真是会找事情。小爹我也挺忙的,但这证书还得换不是。早就听朋友提到过Let’s Encrypt, 就去官网看看

一看不要紧,原来更新证书都可以自动化了!这真是大吃一惊,有个花头叫做 Certbot ACME client,传送门

我的vps是 ubuntu 16.04,选择一下,对应要装的命令就出来了。无脑装之

certbot

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

过程不表,备份自己的vhost文件,以防万一

最后一步是个问答题,贴一下我的命令反馈

*****@54zxy:~$ sudo certbot --nginx
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator nginx, Installer nginx
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): bo******@qq.com
 Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server at
 https://acme-v01.api.letsencrypt.org/directory
 -------------------------------------------------------------------------------
 (A)gree/(C)ancel: A

-------------------------------------------------------------------------------
 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about EFF and
 our work to encrypt the web, protect its users and defend digital rights.
 -------------------------------------------------------------------------------
 (Y)es/(N)o: Y
 Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?
 -------------------------------------------------------------------------------
 1: 54zxy.com
 2: blog.54zxy.com
 3: www.54zxy.com
 4: d******.com
 5: www.d******.com
 6: j******.net
 7: www.j****.net
 8: q*******.com
 9: www.q******.com
 -------------------------------------------------------------------------------
 Select the appropriate numbers separated by commas and/or spaces, or leave input
 blank to select all options shown (Enter 'c' to cancel): 2
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for blog.54zxy.com
 Waiting for verification...
 Cleaning up challenges
 Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/blog.54zxy.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 -------------------------------------------------------------------------------
 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
 new sites, or if you're confident your site works on HTTPS. You can undo this
 change by editing your web server's configuration.
 -------------------------------------------------------------------------------
 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/blog.54zxy.conf

-------------------------------------------------------------------------------
 Congratulations! You have successfully enabled https://blog.54zxy.com

You should test your configuration at:
 https://www.ssllabs.com/ssltest/analyze.html?d=blog.54zxy.com
 -------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/blog.54zxy.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/blog.54zxy.com/privkey.pem
 Your cert will expire on 2018-07-01. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot again
 with the "certonly" option. To non-interactively renew *all* of
 your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le

Let’s Encrypt 证书只有3个月有效期,不过没关系,直接一个命令就renew了。(先dry run下)

$ sudo certbot renew --dry-run

发表评论

电子邮件地址不会被公开。 必填项已用*标注