
Introduction to Let's Encrypt

To enable HTTPS, we need to obtain a certificate from a certificate authority (CA), and Let's Encrypt is one such CA. It issues free certificates for a site's domain names. This article covers upgrading a site to HTTPS with Let's Encrypt and Nginx.

Configure the firewall

    # open port 443
    firewall-cmd --zone=public --add-port=443/tcp --permanent
    firewall-cmd --complete-reload
    firewall-cmd --list-all

Install the certbot client

Get the package source here:

    # CentOS 7: update the package source
    wget ftp://mirror.switch.ch/pool/4/mirror/centos/7.3.1611/cloud/x86_64/openstack-mitaka/common/pyOpenSSL-0.15.1-1.el7.noarch.rpm

    sudo rpm -Uvh pyOpenSSL-0.15.1-1.el7.noarch.rpm

    sudo yum install certbot
    certbot --version

"Cannot allocate memory" error

    # If your host does not have enough memory, you may see errors like these
    certbot-0.14.1-3.el7.noarch: [Errno 5] [Errno 12] Cannot allocate memory
    python-ply-3.4-10.el7.noarch: [Errno 5] [Errno 12] Cannot allocate memory
    ...

To fix this, create a swap file. Its size depends on how much RAM you have:

    M = amount of RAM in GB
    S = amount of swap in GB
    if M < 2 then S = M * 2, else S = M + 2

    fallocate -l 2048M /swapfile
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
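The sizing rule and the four commands above, put together as an added example (not from the original post). The function names swap_size_gb, ram_gb and make_swapfile are this example's own; ram_gb reads the installed memory from /proc/meminfo (reported in kB) so the rule can be applied without looking the number up by hand.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's rule
# "if M < 2 then S = M * 2, else S = M + 2" (M = RAM in GB, S = swap in GB)
# and then creates the swap file with the post's four commands.
# Function names (swap_size_gb, ram_gb, make_swapfile) are this example's own.

# swap_size_gb M -> prints the swap size in GB for a host with M GB of RAM
swap_size_gb() {
    m=$1
    if [ "$m" -lt 2 ]; then
        echo $((m * 2))
    else
        echo $((m + 2))
    fi
}

# ram_gb [meminfo_file] -> prints installed RAM in whole GB, rounded down,
# parsed from /proc/meminfo (MemTotal is in kB; 1048576 kB = 1 GiB).
# A small VPS reporting ~1,000,000 kB therefore counts as 1 GB.
ram_gb() {
    f=${1:-/proc/meminfo}
    awk '/^MemTotal:/ { kb = $2; print int(kb / 1048576) }' "$f"
}

# make_swapfile SIZE_GB [path] -> creates and enables the swap file (needs root).
# The chmod 600 matters: a swap file holds pages of process memory, so it must
# not be readable by other users.
make_swapfile() {
    size_gb=$1
    path=${2:-/swapfile}
    fallocate -l "${size_gb}G" "$path"
    chmod 600 "$path"
    mkswap "$path"
    swapon "$path"
}

# Usage (as root):  make_swapfile "$(swap_size_gb "$(ram_gb)")"
```

ram_gb rounds down deliberately: a 1 GB box whose kernel reports slightly less than 1048576 kB still gets the M = 1 branch, which yields the 2 GB swap file the post creates.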

Generate the HTTPS certificate

    certbot certonly --standalone -d example.com -d www.example.com

-d specifies a domain name, i.e. a domain you want to serve over HTTPS.
--standalone means certbot starts its own built-in web server while requesting the certificate, so the site's Nginx has to be stopped first.
Let's Encrypt validates the request when issuing the certificate, and repeated failed validations trigger rate limiting; while you are first debugging the command, add the --test-cert parameter to run against Let's Encrypt's staging environment instead.
    # You will be asked for an email address
    certbot certonly --standalone -d adele.top -d www.adele.top
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel):

    # After entering the email address, this appears
    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
    in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: (A)gree/(C)ancel:

    # After entering A, the following prompt appears
    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o:

    # Enter Y

    # If everything succeeds, you should see an output message like this
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
    expire on 2017-09-24. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot again. To
    non-interactively renew *all* of your certificates, run "certbot
    renew"
    - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
Finally, your TLS/SSL certificate files have been generated; the live directory contains them:

    cd /etc/letsencrypt/live/example.com
    certbot.log cert.pem chain.pem fullchain.pem privkey.pem README

Certificate files

    cert.pem - the certificate for your domain, used by Apache
    chain.pem - the Let's Encrypt chain certificate, used by Apache
    fullchain.pem - cert.pem and chain.pem combined, used by nginx
    privkey.pem - the private key for your certificate

nginx needs only fullchain.pem and privkey.pem.

Configure TLS/SSL on Nginx

The Mozilla SSL Configuration Generator is an HTTPS configuration generator from Mozilla that supports Apache, Nginx and several other servers. Use it to produce the configuration, choosing the Intermediate compatibility profile; the configuration it generates reflects industry best practice.

    server {
        listen 80;
        server_name www.example.com example.com;
        rewrite ^ https://$server_name$request_uri permanent;
    }

    server {
        listen 443 ssl;
        server_name www.example.com example.com;
        root /workspace/webapps/obneer/;
        index index.php;
        charset utf-8;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        # Let nginx serve static files (js, css, images, etc.) directly; this makes your site faster
        location ~* .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css|apk|ttf|woff|woff2|svg|flv)$ {
            add_header Access-Control-Allow-Origin *;
        }

        # Anyone requesting a path ending in .pem is redirected to your home page
        location ~* \.pem$ {
            rewrite ^ https://$server_name;
        }

        location ~* ^\/(wp-activate|wp-config|wp-config-sample|wp-cron|wp-mail|wp-signup)\.php$ {
            rewrite ^ https://$server_name;
        }

        location ~* ^\/wp-admin\/(install|install-helper|setup-config)\.php$ {
            rewrite ^ https://$server_name;
        }

        location / {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            try_files $uri $uri/ /index.php?$args;
        }
    }
Restart nginx:

    systemctl restart nginx
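The Mozilla generator's output changes over time (its Intermediate profile now emits only TLS 1.2 and 1.3, plus HSTS and OCSP stapling), so a block copied years ago deserves a re-read. The following lint is an added example, not code from the original post or from Mozilla: it greps an nginx server block for the TLS-related directives a reviewer would look at first. The function names (lint_nginx_tls, write_sample_configs) and both sample configs are this example's own constructions; weak.conf condenses a 2017-era block like the one above, hardened.conf is the same block brought up to date.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the TLS directives of
# an nginx server block. Function names and the two sample configs are this
# example's own constructions.

# lint_nginx_tls FILE -> prints one finding per line (prints nothing when clean).
lint_nginx_tls() {
    f=$1
    # TLS 1.0 / 1.1 listed in ssl_protocols
    if grep -Eq 'ssl_protocols[^;]*[[:space:]]TLSv1(\.1)?([[:space:]]|;)' "$f"; then
        echo "legacy protocols: ssl_protocols should list only TLSv1.2 TLSv1.3"
    fi
    # "ssl on;" is deprecated since nginx 1.15.0; "listen 443 ssl;" is enough
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "deprecated directive: drop 'ssl on;' and rely on 'listen 443 ssl;'"
    fi
    # HSTS tells browsers to stop trying plain HTTP for this host
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "missing HSTS: add_header Strict-Transport-Security \"max-age=63072000\" always;"
    fi
    # OCSP stapling spares every client a revocation lookup to the CA
    if ! grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$f"; then
        echo "missing OCSP stapling: ssl_stapling on; ssl_stapling_verify on;"
    fi
    # A wildcard CORS header lets scripts on any origin read those files;
    # fine for public assets, not for anything that should stay same-origin
    if grep -Eq 'Access-Control-Allow-Origin[[:space:]]+\*' "$f"; then
        echo "wildcard CORS: Access-Control-Allow-Origin * applies to every file matched by that location"
    fi
}

# write_sample_configs DIR -> constructed fixtures: weak.conf condenses a
# 2017-era block, hardened.conf is the same block brought up to date.
write_sample_configs() {
    d=$1
    mkdir -p "$d"
    cat > "$d/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    location ~* \.(js|css|png)$ {
        add_header Access-Control-Allow-Origin *;
    }
}
EOF
    cat > "$d/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# Usage on a real host:  lint_nginx_tls /etc/nginx/conf.d/example.com.conf
```

Run it against the live file after `nginx -t` passes; a clean lint is not a substitute for the SSL Labs scan mentioned further down, which exercises the server as a client sees it, but it catches the copy-and-paste regressions before they reach production.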

Certificate renewal

The certificate generated above is valid for 3 months; when it is about to expire, renew it with the certbot renew command. Stop nginx first, then run certbot renew --dry-run to simulate the renewal; if the dry run succeeds, run certbot renew to actually renew, then start nginx again and test.

Run it on a schedule with crontab on the Linux server

    crontab -e

    15 2 * */2 * certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl restart nginx"

--pre-hook specifies what to do before the renewal runs. Because my certificate was issued in --standalone mode, nginx has to be stopped so that the port is free.
--post-hook specifies what to do after the renewal finishes; here it brings the nginx service back up.
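A cron entry like the one above can fail silently (certbot missing after an upgrade, the pre-hook failing, port 443 still in use), and the first symptom is an expired certificate. The following is an added example, not code from the original post or from certbot: it reads the live certificate and reports whether the scheduled renewal is keeping up. certbot only renews once a certificate is within 30 days of expiry (its default renew_before_expiry), so fewer days than that on the live file means the job has not run successfully. The function names (expires_within_days, renewal_status, make_sample_cert) and the self-signed fixture certificates are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a check that the scheduled
# "certbot renew" is keeping up. Function names and the throwaway self-signed
# fixture certificates are this example's own.

# expires_within_days CERT DAYS -> exit 0 if CERT stops being valid less than
# DAYS days from now. openssl's -checkend exits 0 while the certificate is
# still valid at now + seconds, so the sense is inverted here; an unreadable
# or non-certificate file also counts as a problem.
expires_within_days() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renewal_status CERT -> prints one word:
#   ok               more than 30 days left; nothing for certbot to do yet
#   renewal-overdue  inside certbot's 30-day window; the cron job should already have renewed it
#   expired          notAfter is in the past; the site is serving an invalid certificate
renewal_status() {
    if expires_within_days "$1" 0; then
        echo expired
    elif expires_within_days "$1" 30; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# make_sample_cert OUT DAYS -> constructed fixture: a self-signed certificate
# for example.com valid for DAYS days (its key is written next to it as OUT.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=example.com' \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage on a real host, e.g. from a second cron entry whose non-zero exit gets mailed:
#   [ "$(renewal_status /etc/letsencrypt/live/example.com/fullchain.pem)" = ok ]
```

Because the check reads the file on disk rather than the running server, pair it with a reload: a renewed file does nothing until the --post-hook above restarts nginx, which is exactly the kind of half-success this status line makes visible when combined with a client-side check such as the SSL Labs scan.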

Test your server's SSL security with a professional online tool

Qualys SSL Labs offers a comprehensive SSL security test: enter your site's domain name and get a grade for your HTTPS configuration.

If this was useful to you, buy the author a coffee!
