There are many HTTPS certificate providers, but none of them are cheap. For a personal website, or a cost-conscious company, Let's Encrypt certificates are worth considering:
each certificate is valid for 3 months and has to be renewed manually.
Let's Encrypt is relatively cumbersome to set up, but certbot simplifies the configuration.
I use nginx; the corresponding configuration document is:
https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
The following step is optional:
$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
First install certbot:
$ sudo yum install python2-certbot-nginx
Run:
$ sudo certbot --nginx
Follow the command-line prompts; certbot asks which domain names to configure HTTPS for. You can select all of them; I selected only:
www.xqipu.com
certbot modified the configuration file for us, and everything worked.
Below is the automatically generated configuration, which certbot appended to the nginx conf file:
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.xqipu.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.xqipu.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
Restart nginx, and the HTTPS configuration is complete.
Visiting https://www.xqipu.com (亚艾元象棋谱) now shows the certificate information:
Domain: CN = www.xqipu.com
Valid from 5 July 2018 to 3 October 2018
Issuer:
CN = Let's Encrypt Authority X3
O = Let's Encrypt
C = US
When the certificate is about to expire, Certbot sends an email reminder that it is expiring:
Your certificate (or certificates) for the names listed below will expire in 10 days (on 03 Oct 18 03:05 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.
www.xqipu.com
Renewing the certificate is simple: log into the server and, on the command line, run:
certbot renew
The certificate's validity is extended by another three months from the renewal time.
I wanted this renewal to be automated, so I added the following entry to crontab:
0 0 1 1,3,5,7,9,11 * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Unfortunately, the latter did not work, so I had to renew manually for now. I will look into it later.
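As an added example (this is not code from the original post, and not certbot's own code), here is a small Python script that applies the renewal rule quoted in the expiry mail, "renew when a third of the total lifetime is left", to the notBefore/notAfter lines that `openssl x509 -in /etc/letsencrypt/live/www.xqipu.com/fullchain.pem -noout -dates` prints for the live certificate. The sample openssl output embedded in the script is constructed to match the certificate described above (5 July 2018 to 3 October 2018); the function names and the `RENEW_DIVISOR` constant are my own choices, not certbot's. A check like this, run from cron with a fixed reference clock, tells you whether `certbot renew` is overdue and how many days are left before visitors start seeing errors, independently of whether the reminder mail arrives.

```python
"""Renewal-timing check for a Let's Encrypt certificate.

Works on the output of:
    openssl x509 -in /etc/letsencrypt/live/www.xqipu.com/fullchain.pem -noout -dates
Added example, not part of the original post or of certbot.
"""

from datetime import datetime, timedelta, timezone

# Let's Encrypt's guidance from the expiry mail: renew when one third of the
# total lifetime remains (30 days before expiry for a 90-day certificate).
RENEW_DIVISOR = 3

# Constructed sample: what `openssl x509 -noout -dates` prints for the
# certificate in the post. openssl pads a single-digit day with a space.
SAMPLE_DATES = """notBefore=Jul  5 03:05:00 2018 GMT
notAfter=Oct  3 03:05:00 2018 GMT
"""


def parse_openssl_time(value: str) -> datetime:
    """Parse an openssl date such as 'Oct  3 03:05:00 2018 GMT' into a UTC datetime."""
    fields = value.split()  # also collapses openssl's double space before the day
    if len(fields) != 5 or fields[-1] not in ("GMT", "UTC"):
        raise ValueError(f"unexpected openssl date: {value!r}")
    naive = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) from `openssl x509 -noout -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = parse_openssl_time(value)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("output lacks notBefore/notAfter lines")
    return found["notBefore"], found["notAfter"]


def renewal_point(not_before: datetime, not_after: datetime) -> datetime:
    """Instant at which 1/RENEW_DIVISOR of the lifetime remains (exact timedelta division)."""
    lifetime = not_after - not_before
    return not_after - lifetime / RENEW_DIVISOR


def days_left(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now) // timedelta(days=1)


def check(dates_output: str, now: datetime) -> dict:
    """Summarise the renewal state of a certificate at the reference time `now`."""
    not_before, not_after = parse_openssl_dates(dates_output)
    return {
        "not_after": not_after,
        "renew_after": renewal_point(not_before, not_after),
        "days_left": days_left(not_after, now),
        "renewal_due": now >= renewal_point(not_before, not_after),
        "expired": now >= not_after,
    }


if __name__ == "__main__":
    # The situation in the reminder mail: 10 days before the 03 Oct 18 03:05 expiry.
    state = check(SAMPLE_DATES, datetime(2018, 9, 23, 3, 5, tzinfo=timezone.utc))
    for key, value in state.items():
        print(f"{key}: {value}")
```

In production the `SAMPLE_DATES` string would be replaced by the real `openssl x509 -noout -dates` output (for example via `subprocess.run`), and a non-zero exit when `renewal_due` is true lets a cron job or monitoring check alert on it. Dividing the lifetime by 3 rather than multiplying by a float keeps the renewal point exact for the 90-day certificates Let's Encrypt issues.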