let's encrypt


Posted on1 CommentCategories技术文章


The SSL certificate used to load resources from https://blog.54zxy.com will be distrusted in M70. 
Once distrusted, users will be prevented from loading these resources.
 See https://g.co/chrome/symantecpkicerts for more information.


If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. 
If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018

意思是,如果你在dev tools里看到这个信息,您得抓紧了,赶紧替换ssl证书。如果你不换,用户从2018-07-20开始就会看到证书错误的警告!

册那,真是会找事情。小爹我也挺忙的,但这证书还得换不是。早就听朋友提到过Let’s Encrypt, 就去官网看看

一看不要紧,原来更新证书都可以自动化了!这真是大吃一惊,有个花头叫做 Certbot ACME client,传送门

我的vps是 ubuntu 16.04,选择一下,对应要装的命令就出来了。无脑装之


$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx



*****@54zxy:~$ sudo certbot --nginx
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator nginx, Installer nginx
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): bo******@qq.com
 Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server at
 (A)gree/(C)ancel: A

 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about EFF and
 our work to encrypt the web, protect its users and defend digital rights.
 (Y)es/(N)o: Y
 Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?
 1: 54zxy.com
 2: blog.54zxy.com
 3: www.54zxy.com
 4: d******.com
 5: www.d******.com
 6: j******.net
 7: www.j****.net
 8: q*******.com
 9: www.q******.com
 Select the appropriate numbers separated by commas and/or spaces, or leave input
 blank to select all options shown (Enter 'c' to cancel): 2
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for blog.54zxy.com
 Waiting for verification...
 Cleaning up challenges
 Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/blog.54zxy.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
 new sites, or if you're confident your site works on HTTPS. You can undo this
 change by editing your web server's configuration.
 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/blog.54zxy.conf

 Congratulations! You have successfully enabled https://blog.54zxy.com

You should test your configuration at:

 - Congratulations! Your certificate and chain have been saved at:
 Your key file has been saved at:
 Your cert will expire on 2018-07-01. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot again
 with the "certonly" option. To non-interactively renew *all* of
 your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le

Let’s Encrypt 证书只有3个月有效期,不过没关系,直接一个命令就renew了。(先dry run下)

$ sudo certbot renew --dry-run

1 thought on “更新SSL:从Symantec到Let’sEncrypt”