什么是HTTPS

关于HTTPS的概念，在这篇文章已经有非常全面的描述，推荐细读。

Let's Encrypt

最近突然想把自己的博客弄成HTTPS，也不是为了加强安全，只是喜欢折腾，而且感觉加个绿色小锁酷酷的。

HTTPS免费证书颁发机构有startSSL和letsencrypt，我使用的是。

安装certbot

Letsencrypt官方建议使用作为客户端。

我使用的是通过脚本安装certbot-auto：

wget https://dl.eff.org/certbot-autochmod a+x certbot-auto

如果你使用的python版本是2.6的，那么你需要升级到2.7，至于升级方法请自行谷歌

配置

最开始我尝试用推荐的方法进行配置，结果老是注册失败。

后来找到了Nginx介绍的（也就是下面讲到的方法）就OK了。

1. 创建配置文件

/etc/letsencrypt/configs/wuyanxin.com.conf

# the domain we want to get the cert for;    # technically it's possible to have multiple of this lines, but it only worked    # with one domain for me, another one only got one cert, so I would recommend    # separate config files per domain.    domains = wuyanxin.com             # increase key size    rsa-key-size = 2048 # Or 4096            # the current closed beta (as of 2015-Nov-07) is using this server    server = https://acme-v01.api.letsencrypt.org/directory            # this address will receive renewal reminders    email = your-email            # turn off the ncurses UI, we want this to be run as a cronjob    text = True            # authenticate by placing a file in the webroot (under .well-known/acme-challenge/)    # and then letting LE fetch it    authenticator = webroot    webroot-path = /data/www/wuyanxin.com/

2. 配置nginx,让Let's Encrypt可以访问到临时文件

加上这个location到你的nginx配置中

server {      listen 80 default_server;      server_name wuyanxin.com;        location /.well-known/acme-challenge {          root /data/www/wuyanxin.com;      }      ...  }

验证配置，重启nginx

$ sudo nginx -t && sudo nginx -s reload

3. 请求证书

$ ./certbot-auto --config /etc/letsencrypt/configs/wuyanxin.com.conf certonly  Updating letsencrypt and virtual environment dependencies......  Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/wuyanxin.com.conf certonly    IMPORTANT NOTES:   - Congratulations! Your certificate and chain have been saved at     /etc/letsencrypt/live/wuyanxin.com/fullchain.pem. Your cert     will expire on date. To obtain a new version of the     certificate in the future, simply run Let's Encrypt again.     ...

4. 配置nginx 443端口指向证书

server {      listen 443 ssl default_server;      server_name wuyanxin.com;        ssl_certificate /etc/letsencrypt/live/wuyanxin.com/fullchain.pem;      ssl_certificate_key /etc/letsencrypt/live/wuyanxin.com/privkey.pem;        ...  }

配置http跳转到https

server {      listen 80;      server_name wuyanxin.com;      return 301 https://$server_name$request_uri;  }

重启Nginx

$ sudo nginx -t && sudo nginx -s reload

自动刷新证书

Let's encrypt 的证书有效期是90天，所以我们应该在过期之前刷新证书。

• 准备如下脚本，保存到renew_letsencrypt.sh

#!/bin/sh    cd /opt/letsencrypt/  ./certbot certonly --config /etc/letsencrypt/configs/my-domain.conf    if [ $? -ne 0 ]   then          ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`          echo -e "The Let's Encrypt cert has not been renewed! \n \n" \                   $ERRORLOG   else          nginx -s reload  fi    exit 0

• 如果/var/log/letsencrypt/不存在就先创建

• 允许crontab -e设置每两个月刷新一次

0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /path/to/renew-letsencrypt.sh

总结

给自己的网站加上一把绿色小锁就是这么简单，其实网上相关文章已经有很多了，这篇只是我自己为网站上https时候的记录，有问题欢迎反馈。

另外，很多国内网站可能会接入“多说”的评论，因为多说评论使用的第三方头像为http的，这会导致你页面上的绿色小锁变成灰色。

不过已经有人提出了解决方案，参考这两篇文章：

参考