By default our website is served over HTTP. To make access more secure we need to add an SSL certificate so that the site can be accessed over HTTPS. Today we look at how to create a free SSL certificate from Let's Encrypt using the Certbot automation tool.
There are several ways to create a free certificate that supports HTTPS access; the most popular and reliable one is the free SSL/TLS certificate issued by Let's Encrypt. Let's Encrypt is a non-profit certificate authority (CA) run by the Internet Security Research Group (ISRG), whose goal is to simplify and automate obtaining and renewing SSL/TLS certificates.
The detailed steps for creating a free SSL certificate with Let's Encrypt are as follows:
Certbot is the client tool officially recommended by Let's Encrypt. It obtains and installs SSL certificates automatically and supports several web servers (such as Nginx and Apache).
Steps:
Install Certbot:
Choose the installation command that matches your operating system and web server. Installation examples for some common environments:
----- Nginx -----
CentOS/RHEL (Nginx):
sudo yum install epel-release
sudo yum install certbot python2-certbot-nginx
Ubuntu/Debian (Nginx):
sudo apt update
sudo apt install certbot python3-certbot-nginx
----- Apache -----
Ubuntu/Debian (Apache):
sudo apt update
sudo apt install certbot python3-certbot-apache
CentOS/RHEL (Apache):
sudo yum install epel-release
sudo yum install certbot python2-certbot-apache
Obtain and install the certificate:
Use Certbot to obtain the certificate and configure the web server automatically. Example commands for Nginx and Apache:
Nginx: sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com   // when a visitor enters either of these two names, https is added automatically
Apache: sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
Certbot will prompt you for an email address and ask whether you agree to the terms of service. It will also try to configure your web server automatically to use the new certificate.
Verify the configuration:
Confirm that the web server configuration has been updated correctly and that the site is reachable over HTTPS.
You can test this by opening https://yourdomain.com in a browser.
Note: Certbot rewrites the nginx configuration file automatically, so back up the original configuration file first.
Set up automatic renewal:
Let's Encrypt certificates are valid for 90 days, but Certbot can renew them automatically through a cron or systemd scheduled job.
On most Linux distributions automatic renewal is already set up by default. You can test the renewal process manually:
sudo certbot renew --dry-run
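As an added example (not part of the original post), the following POSIX shell functions put the verification step and the renewal check above into script form: backing up the nginx configuration before Certbot rewrites it, confirming that the deployed fullchain.pem really belongs to privkey.pem and covers the requested name, and checking whether the certificate will expire within Certbot's 30-day renewal window (Certbot's renew job re-issues certificates with fewer than 30 days left). It assumes the standard Certbot layout under /etc/letsencrypt/live/<domain>/ and the openssl command-line tool; the function names, the default backup directory and the example.test names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot.
# Assumes Certbot's default paths (/etc/letsencrypt/live/<domain>/fullchain.pem
# and privkey.pem) and nginx site files in /etc/nginx/conf.d; adjust as needed.
# Requires the openssl command-line tool.

# Archive the nginx configuration directory before Certbot modifies it.
# Prints the path of the archive that was created.
backup_nginx_conf() {
    conf_dir="${1:-/etc/nginx/conf.d}"
    backup_dir="${2:-/root/nginx-conf-backups}"   # assumed location
    mkdir -p "$backup_dir"
    archive="$backup_dir/$(basename "$conf_dir")-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$conf_dir")" "$(basename "$conf_dir")"
    echo "$archive"
}

# Return 0 when the first certificate in CERT was issued for the public key
# that belongs to KEY, 1 otherwise. Works for RSA and EC keys because both
# sides are compared in the same SubjectPublicKeyInfo PEM form.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub="$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -pubout -in "$key" 2>/dev/null)" || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate's Subject Alternative Names list DOMAIN.
# Browsers match the SAN list, not the CN, so this is the check that matters.
cert_covers_domain() {
    cert="$1"; domain="$2"
    openssl x509 -noout -text -in "$cert" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qFx "DNS:$domain"
}

# Return 0 when CERT expires within DAYS days, 1 when it is still good.
# openssl's -checkend exits 0 if the cert will NOT expire in the window.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Run all checks against one Certbot lineage; exit status is non-zero on
# any failure so the function can be used from cron or a deploy hook.
check_live_cert() {
    domain="$1"
    live="${2:-/etc/letsencrypt/live/$domain}"
    cert="$live/fullchain.pem"; key="$live/privkey.pem"
    status=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL certificate/key mismatch in $live"; status=1
    fi
    if cert_covers_domain "$cert" "$domain"; then
        echo "ok   SAN covers $domain"
    else
        echo "FAIL SAN does not cover $domain"; status=1
    fi
    if cert_expires_within "$cert" 30; then
        echo "FAIL fewer than 30 days left; automatic renewal is not working, run: certbot renew --dry-run"; status=1
    else
        echo "ok   more than 30 days of validity left"
    fi
    return $status
}
```

Usage: source the file and call the functions, for example `backup_nginx_conf` right before running `certbot --nginx`, and `check_live_cert click234.com` afterwards (or from a cron job) to catch a mismatched key, a missing www name or a renewal timer that has silently stopped.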
Below is the output from running sudo certbot --nginx -d click234.com -d www.click234.com on my machine:
sudo certbot --nginx -d click234.com -d www.click234.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): test@126.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
(Y)es/(N)o: y
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let’s Encrypt project and the non-profit organization that
develops Certbot? We’d like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: y
Account registered.
Requesting a certificate for click234.com and www.click234.com
Performing the following challenges:
http-01 challenge for click234.com
http-01 challenge for www.click234.com
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/www.click234.com.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/www.click234.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/www.click234.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/www.click234.com.conf
Congratulations! You have successfully enabled https://click234.com and
https://www.click234.com
Subscribe to the EFF mailing list (email: hxx052@126.com).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/click234.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/click234.com/privkey.pem
Your certificate will expire on 2025-03-11. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew all of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le