HTTPS

I recently set up my personal blog on a cloud server I bought: Hugo generates the static pages and nginx serves them. Right now the site can only be reached over http; it lacks https. An https site needs a certificate. The tutorials I found online earlier were too cumbersome: first generate the certificate, then put it in the right place. I wanted a tool that generates the certificate in one step. Persistence paid off: I finally found Certbot.

Below I have organized the method I found online.

Certbot

Our SSL certificate is issued by Let's Encrypt. Each certificate it issues is valid for 90 days, and once configured it can be renewed automatically before it expires. The software I use to configure the certificate is Certbot, which Let's Encrypt recommends; I have used it a few times and it is quite convenient. Other software is available as well.

Certbot can be installed in two ways; one is snap. I use the other, installing Certbot with Python. The environment is as follows:

  • Ubuntu20
  • python3
  • CertBot
  • nginx

Adding a certificate to the site in one step

Install the system dependencies

$ sudo apt update
$ sudo apt install python3 python3-venv libaugeas0

Create the Python virtual environment Certbot will use

$ sudo python3 -m venv /data/certbot/
$ sudo /data/certbot/bin/pip install --upgrade pip

Install Certbot with pip

$ sudo /data/certbot/bin/pip install certbot certbot-nginx
$ sudo ln -s /data/certbot/bin/certbot /usr/bin/certbot

Configure Certbot so the site is served over https

Configure Certbot
$ sudo certbot --nginx

# enter your email address
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

# choose the number of the domain name
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: blog.rakfree.tk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for blog.rakfree.tk

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.rakfree.tk/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/blog.rakfree.tk/privkey.pem
This certificate expires on 2022-06-01.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for blog.rakfree.tk to /etc/nginx/sites-enabled/mysite
Congratulations! You have successfully enabled HTTPS on https://blog.rakfree.tk

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renew the certificate on a schedule so it never expires

Certificates issued by Let's Encrypt are valid for 90 days each, so it is recommended to use the Linux scheduler crontab to renew them automatically.

Write a script file certbot-renew.sh in root's home directory

#!/bin/bash
echo "==================Certbot Renew====================="
echo "==================$(date)============================"

# Renew the TLS certificates (certbot only renews those close to expiry)
/usr/bin/certbot renew
# Reload the web server so it picks up the new certificate files
nginx -s reload

echo "==================End==============================="

Give the script execute permission

$ chmod +x certbot-renew.sh

Linux scheduled task: edit the crontab file (Ctrl+X exits the editor)

$ crontab -e

0 0 1 * * /root/certbot-renew.sh

This command checks whether automatic renewal is configured correctly

$ sudo certbot renew --dry-run
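The renewal script above reloads nginx on every run and gives no signal when a renewal silently fails. The following is an added example (mine, not the post's) of a cron-friendly wrapper that logs the days left on the live certificate, lets certbot reload nginx only through its --deploy-hook when a certificate is really renewed, and exits non-zero when the certificate is still inside the renewal window afterwards. It assumes GNU date and openssl are installed, certbot at /usr/bin/certbot, and the certificate path Certbot printed above.

```shell
#!/bin/bash
# Added example, not part of the original post: a cron-friendly replacement for
# certbot-renew.sh. It logs the days left on the live certificate, reloads nginx
# only when certbot actually renewed something, and exits non-zero (so cron mails
# the output) if the certificate is still near expiry after the attempt.
# Assumes GNU date, openssl, certbot at /usr/bin/certbot and the cert path from this page.
set -u
CERT=/etc/letsencrypt/live/blog.rakfree.tk/fullchain.pem
THRESHOLD_DAYS=30   # certbot's default renew_before_expiry window

# Whole days from a "now" epoch (default: current time) to an openssl-style
# notAfter string. Usage: days_until "Jun  1 00:00:00 2022 GMT" [now_epoch]
days_until() {
    local end_ts now_ts
    end_ts=$(date -u -d "$1" +%s) || return 1
    now_ts=${2:-$(date -u +%s)}
    echo $(( (end_ts - now_ts) / 86400 ))
}

# Days remaining on a PEM certificate file.
days_left_in_cert() {
    local not_after
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    days_until "$not_after"
}

# Prints "yes" if a certificate with $1 days left is inside the $2-day renewal window.
renewal_due() {
    if [ "$1" -le "$2" ]; then echo yes; else echo no; fi
}
main() {
    echo "== Certbot renew $(date -u '+%Y-%m-%dT%H:%M:%SZ') =="
    local before after
    before=$(days_left_in_cert "$CERT") || { echo "cannot read $CERT" >&2; return 2; }
    echo "days left before renew: $before (due: $(renewal_due "$before" "$THRESHOLD_DAYS"))"
    # certbot renews only certificates inside the window; the deploy hook runs only
    # after a successful renewal, so nginx is not reloaded on every cron run.
    /usr/bin/certbot renew --quiet --deploy-hook "nginx -s reload" \
        || echo "certbot renew exited non-zero" >&2
    after=$(days_left_in_cert "$CERT") || return 2
    echo "days left after renew: $after"
    # Still inside the window after a renew attempt means renewal did not happen.
    if [ "$(renewal_due "$after" "$THRESHOLD_DAYS")" = yes ]; then
        echo "RENEWAL FAILED: certificate still expires in $after days" >&2
        return 1
    fi
}
# Run the job only when invoked as: /root/certbot-renew.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Certbot's documentation recommends running renew twice a day, so an entry such as `0 3,15 * * * /root/certbot-renew.sh --run` leaves far more chances to catch a failed attempt than the monthly one above.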

Some Certbot commands

Check the expiry time (certificates not yet due are listed with their expiry date)

$ certbot renew

Show certificate status

$ certbot certificates

Renew the certificate manually (within one month before expiry)

$ certbot renew

Ignore the certificate's expiry date and reissue it immediately, resetting its validity period

$ certbot renew --force-renewal

References

nginx+https

Linux scheduled tasks

-- End --