
Using certbot to set up HTTPS

There are plenty of HTTPS certificate providers, but none of them are cheap. For a personal website, or a company that needs to keep costs down, Let's Encrypt certificates are worth considering.

Each certificate is valid for 3 months, after which it has to be re-validated manually.

Let's Encrypt is fairly tedious to configure by hand, but certbot simplifies the setup.

I use nginx; the matching setup instructions are here:

https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

The following step is optional:

$ yum -y install yum-utils

$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional


Install certbot first:

$ sudo yum install python2-certbot-nginx


Run:

$ sudo certbot --nginx


Follow the command-line prompts. It asks which domain name(s) to configure HTTPS for; you can select all of them, but I chose only:

www.xqipu.com


certbot edited the configuration file for us, and everything worked.




Below is the automatically generated configuration; certbot appended these lines to the nginx conf file:

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.xqipu.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.xqipu.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


Restart nginx and the HTTPS setup is done.


Visiting https://www.xqipu.com (亚艾元象棋谱) now shows the certificate details:

Domain: CN = www.xqipu.com

Valid from July 5, 2018 to October 3, 2018

Issuer:

CN = Let's Encrypt Authority X3

O = Let's Encrypt

C = US


When the certificate is about to expire, Certbot sends a reminder to the registered e-mail address saying that it is due to expire.


Your certificate (or certificates) for the names listed below will expire in 10 days (on 03 Oct 18 03:05 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

www.xqipu.com



Renewing the certificate is simple. Log in to the server and run this command from the shell:

certbot renew


The certificate's validity is extended by another three months, counted from the renewal time.


I wanted this renewal to run automatically, so I added the following entry to crontab:

0 0 1 1,3,5,7,9,11 * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew


Unfortunately the latter did not work, so for now I had to renew manually. Something to look into later.
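As an added example (not code from the original post or from the certbot project), here is a small bash wrapper that cron can call instead of a one-line crontab command. It reports how many days of validity are left on the certificate with openssl, applies the one-third rule quoted in the reminder mail above, and then runs certbot renew with a deploy hook that reloads nginx only when a certificate was actually replaced. Two cron details worth knowing in any case: cron jobs run with a minimal PATH, so commands should be given by full path, and cron treats a literal "%" in a crontab line as a newline. The script assumes certbot lives at /usr/bin/certbot, uses the lineage name www.xqipu.com from the post, assumes nginx is managed by systemd, and needs openssl plus GNU date, all of which CentOS/RHEL 7 provides; adjust these for your own host.

```shell
#!/bin/bash
# Added example (not from the original post): cron-friendly wrapper around
# "certbot renew". Assumed paths: certbot at /usr/bin/certbot, the lineage
# www.xqipu.com from the post under /etc/letsencrypt/live, nginx managed by
# systemd. Needs openssl and GNU date (CentOS/RHEL 7 have both).

CERTBOT=/usr/bin/certbot
LIVE_DIR=/etc/letsencrypt/live
DOMAIN=www.xqipu.com

# Whole days of validity left on a PEM certificate (negative once expired).
days_left() {
    local cert="$1" end end_s now_s
    end=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# The rule from the Let's Encrypt reminder mail: renew once a third of the
# lifetime is left (30 days of a 90-day certificate). Exit status 0 when due.
renewal_due() {
    local left="$1" lifetime="${2:-90}"
    [ "$left" -le $(( lifetime / 3 )) ]
}

# What cron actually calls. Logs the state before and after, so the cron
# mail (or the redirected log) shows whether certbot replaced anything.
run_renewal() {
    local cert="$LIVE_DIR/$DOMAIN/fullchain.pem" left
    left=$(days_left "$cert")
    if renewal_due "$left"; then
        echo "$(date -Is) $DOMAIN: $left days left, renewal due by the one-third rule"
    else
        echo "$(date -Is) $DOMAIN: $left days left, not yet due; certbot decides"
    fi
    # Spread the load on Let's Encrypt: same idea as the python one-liner in
    # the post, but bash's RANDOM needs nothing extra in cron's environment.
    sleep $(( RANDOM % 3600 ))
    # --quiet: only errors reach cron mail. --deploy-hook runs only when a
    # certificate was actually renewed, so nginx reloads the new files.
    "$CERTBOT" renew --quiet --deploy-hook "systemctl reload nginx"
    echo "$(date -Is) $DOMAIN: now $(days_left "$cert") days left"
}

# Only act when invoked as "renew-cert.sh run"; sourcing the file merely
# defines the functions. Crontab entry (full path, no "%" characters):
#   0 0,12 * * * /usr/local/sbin/renew-cert.sh run >>/var/log/renew-cert.log 2>&1
case "${1:-}" in
    run) run_renewal ;;
esac
```

Running it twice a day is deliberate: certbot renew is a no-op until the certificate is inside its renewal window, so frequent runs cost nothing, while a single missed run (a rebooted host, an outage at the CA) does not push the renewal past expiry. A `certbot renew --dry-run` from the shell first confirms that the nginx plugin and the hook work before cron is trusted with them.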

