Configuring site-wide HTTPS for a website with Certbot

As the owner of a blog, I naturally want my site to be indexed faster and ranked higher, so HTTPS is a must when setting up a site.

Introduction

Why use HTTPS

In one sentence: HTTPS is more secure, and a secure website must be encrypted with HTTPS. Mainstream browsers now mark sites without SSL encryption configured as "not secure", and search engines give HTTPS sites higher rankings and priority when indexing.

What is Let's Encrypt

Let's Encrypt is a certificate authority whose goal is to replace the complicated manual process of creating and installing certificates with an automated one, and to make encrypted connections to servers ubiquitous by providing free SSL/TLS certificates for secure websites. SSL stands for "Secure Sockets Layer" and TLS for "Transport Layer Security"; SSL and TLS are successive versions of the same protocol for securing HTTP transport and differ in version rather than in purpose.

What is Certbot

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

Definition and description from the official Certbot documentation.

Simply put, Certbot is a client that fetches and deploys SSL/TLS certificates for a server; in most cases the certificates we obtain with Certbot are issued by Let's Encrypt.

Certbot provides free HTTPS certificates and is simple and convenient to operate, which makes it the most convenient and economical way to set up HTTPS for a personal website. Of course, we could also ask our VPS provider (if they offer such a service) to supply an HTTPS certificate issued by them or their supplier, but such certificates can mostly only be bound to domain names that the provider supplies.

Installation

Visit the Certbot website and select your operating system and web server software.

My environment is Nginx running on Ubuntu 19.04. Since 19.04 differs little from Ubuntu's latest LTS release, 18.04, I made that selection and arrived at the corresponding tutorial page.

certbot is not included in the default apt sources, so first add the certbot apt repository.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Next, install the certbot application.

sudo apt-get install certbot python-certbot-nginx

Once installation is complete, run certbot in its simplified mode, which skips most of the manual steps and only asks you to make a few selections.

sudo certbot --nginx

Note that the domain name must already resolve to the server you are using; otherwise you will see a validation failure like the following.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
 
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.coderzhang.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for coderzhang.cn
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. coderzhang.cn (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: unknownHost :: No valid IP addresses found for coderzhang.cn
 
IMPORTANT NOTES:
 - The following errors were reported by the server:
 
   Domain: coderzhang.cn
   Type:   connection
   Detail: unknownHost :: No valid IP addresses found for
   coderzhang.cn
 
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
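The failure above is Let's Encrypt reporting that it could not find an address for the name during the http-01 challenge. The script below is an added pre-flight check, not part of the original post or of Certbot: before running certbot it resolves the domain with the system resolver and confirms that every address published for it (A and AAAA alike) belongs to this server, because a single stray record pointing elsewhere sends the challenge to the wrong machine. The domain, the server addresses and the sample values in the comments are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original post): check that a domain's DNS records
# point at this server before running `sudo certbot --nginx`.

# Pure check: every address in RESOLVED (space-separated) must appear in
# SERVER_IPS (space-separated, this host's public IPv4/IPv6 addresses).
# Returns 0 when all records point here, 1 when any record points elsewhere
# or when nothing resolved at all (the "No valid IP addresses found" case).
all_records_point_here() {
    resolved="$1"
    server_ips="$2"
    [ -n "$resolved" ] || return 1          # name does not resolve
    for ip in $resolved; do
        found=0
        for mine in $server_ips; do
            [ "$ip" = "$mine" ] && found=1 && break
        done
        [ "$found" -eq 1 ] || return 1      # this record points elsewhere
    done
    return 0
}

# Resolve all A/AAAA addresses of a name via the system resolver (glibc getent).
# Prints one address per line; prints nothing if the name does not resolve.
resolve_all() {
    getent ahosts "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Operator entry point: DOMAIN is the name to be certified, SERVER_IPS the
# public addresses of this machine (hypothetical values shown in the usage).
preflight() {
    domain="$1"
    server_ips="$2"
    ips=$(resolve_all "$domain" | tr '\n' ' ')
    if all_records_point_here "$ips" "$server_ips"; then
        echo "OK: $domain -> $ips (all records point at this server)"
        return 0
    fi
    if [ -z "$ips" ]; then
        echo "FAIL: $domain has no A/AAAA record; certbot would fail with 'No valid IP addresses found'"
    else
        echo "FAIL: $domain resolves to $ips, but this server is $server_ips"
    fi
    return 1
}

# Usage, run on the web server before `sudo certbot --nginx` (constructed values):
#   preflight www.example.com "203.0.113.10 2001:db8::10"
```

The check is deliberately strict about AAAA records: if you publish an IPv6 address for the name, the validation server may use it, so it has to reach the same host as the IPv4 address.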

If you have configured DNS resolution correctly, you will see the next step, which asks whether you want to force HTTPS for the whole site. Normally we choose the forced redirect (option 2); from then on, HTTP requests arriving at port 80 of our site are automatically redirected to HTTPS on port 443.

Deploying Certificate to VirtualHost
 
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.coderzhang.cn

Checking the Nginx configuration confirms this: Certbot rewrote the port-80 server block to redirect requests for the certified name and to answer any other Host name with 404.

server {
    if ($host = www.coderzhang.cn) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    server_name www.coderzhang.cn;
    listen 80;
    return 404; # managed by Certbot
}
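To confirm that the generated block behaves as described, the added script below (not from the original post or from Certbot) fetches only the response head of the HTTP site with curl and checks two things: a plain request must get a redirect whose Location is the https:// URL of the same host, and a request carrying an unrelated Host header should get the 404 that the `return 404;` line produces. The host names and the captured response in the comments are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): verify the HTTP -> HTTPS redirect
# that `certbot --nginx` (option 2) wrote into the port-80 server block.

# Status code from a captured response head (as printed by `curl -sI`).
status_code() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# Value of the Location header (case-insensitive), empty if absent.
location_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" {print $2; exit}'
}

# Pure check: the response must be a redirect and Location must point at
# https:// on the same host, which is what `return 301 https://$host$request_uri`
# produces. Returns 0 if the redirect is correct, 1 otherwise.
redirect_ok() {
    headers="$1"
    host="$2"
    case "$(status_code "$headers")" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$(location_header "$headers")" in
        "https://$host/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a running server (needs network; HOST is assumed to be
# the name you activated HTTPS for, e.g. www.example.com).
check_site() {
    host="$1"
    head=$(curl -sI --max-time 10 "http://$host/") || return 1
    if redirect_ok "$head" "$host"; then
        echo "OK: http://$host/ redirects to $(location_header "$head")"
    else
        echo "FAIL: http://$host/ returned $(status_code "$head"), Location='$(location_header "$head")'"
        return 1
    fi
    # The generated block only redirects when $host matches the certified name;
    # any other Host header falls through to `return 404`.
    other=$(curl -sI --max-time 10 -H 'Host: not-my-site.invalid' "http://$host/") || return 1
    echo "unrelated Host header -> $(status_code "$other") (expected 404 from the generated config)"
}

# Usage after `sudo certbot --nginx` has finished (constructed host name):
#   check_site www.example.com
```

Because the redirect is keyed on `$host`, a request that reaches the server by IP address or with a different Host header is not redirected; that is the intended effect of the 404 fallback, and the second curl call makes that behaviour visible rather than leaving it to guesswork.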