Let's Encrypt is an organization founded to drive HTTPS adoption, launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and others. Its CA issues DV (domain-validated) certificates that anyone can obtain with minimal effort to move a website to HTTPS.

Note that every certificate Let's Encrypt issues is valid for 90 days, but it can be renewed free of charge an unlimited number of times.

Installation

$ git clone https://github.com/letsencrypt/letsencrypt

Issuance

Temporarily stop nginx or any other web server while the certificate is being issued; otherwise letsencrypt cannot bind port 80, which the standalone mode needs for the challenge.

-d is the domain parameter; in theory it can be repeated any number of times.

$ cd letsencrypt
$ ./letsencrypt-auto certonly --standalone --email im@println.org \
-d println.org \
-d cdn.println.org \
-d url.println.org
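Because the standalone authenticator has to answer the challenge on port 80 itself, it is worth checking which sockets are bound to that port before stopping anything. The script below is an added example, not part of the original post or of the letsencrypt client: it parses the output of `ss -Hltn` (a constructed sample is embedded so it runs offline) and reports whether port 80 is free, so the web server is stopped only when it actually holds the port.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check before
# `letsencrypt-auto certonly --standalone`. The standalone authenticator must
# bind port 80 itself, so confirm nothing else is listening there first.

# Constructed sample of `ss -Hltn` output (no header line), as it would look
# with nginx still listening on 80/443 and sshd on 22.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# listeners_on PORT SS_OUTPUT
# Prints the local address of every LISTEN socket bound to PORT on any
# interface, IPv4 or IPv6 ("[::]:80" splits to a last field of "80" as well).
# Prints nothing when the port is unused.
listeners_on() {
  port="$1"
  printf '%s\n' "$2" | awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == p) print $4
    }'
}

# port_free PORT SS_OUTPUT -> exit 0 when no listener is bound, 1 otherwise
port_free() {
  [ -z "$(listeners_on "$1" "$2")" ]
}

# Live use (not executed in the offline check): stop the web server only if
# it really holds port 80, then run the standalone issuance.
#   if ! port_free 80 "$(ss -Hltn)"; then systemctl stop nginx; fi
```

Run it against real `ss -Hltn` output on the host; if `listeners_on 80` prints nginx's sockets, stop nginx, issue the certificate, and start it again. Once the certificate is deployed, renewals can use the webroot or nginx authenticator instead so the server never has to go down.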

Deployment

Automatic deployment

$ cd letsencrypt
$ ./letsencrypt-auto

Manual deployment

Certificate location: /etc/letsencrypt/live/

nginx

Simply add these 4 lines inside your site's server block:

ssl_certificate /etc/letsencrypt/live/println.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/println.org/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

Using println.org as an example:

# /etc/nginx/nginx.conf

server {
    # the http2 parameter enables HTTP/2 for the site
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name println.org;
    index index.html;
    root /var/html/;

    ssl_certificate /etc/letsencrypt/live/println.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/println.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

httpd

Not verified.

<VirtualHost *:443>
    SSLEngine on
    # The two SSLProxy* directives only matter when httpd itself proxies to an
    # HTTPS backend; SSLProxyVerify none disables verification of that backend's
    # certificate, so leave them out unless such a backend exists.
    SSLProxyEngine On
    SSLProxyVerify none
    ServerName println.org
    SSLCertificateFile /etc/letsencrypt/live/println.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/println.org/privkey.pem
</VirtualHost>

Forcing HTTPS

Listen on port 80 and return a 301 redirect to the HTTPS site:

server {
    listen 80;
    server_name println.org;
    return 301 https://println.org$request_uri;
}

Verification

Reference: using curl to follow redirects and print the response headers.

➜ curl -I -L http://println.org
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Date: Tue, 09 Jun 2020 03:21:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://println.org/

HTTP/2 200
server: nginx/1.14.1
date: Tue, 09 Jun 2020 03:21:16 GMT
content-type: text/html
content-length: 11445
last-modified: Mon, 08 Jun 2020 10:02:20 GMT
vary: Accept-Encoding
etag: "5ede0cac-2cb5"
accept-ranges: bytes

The first request returns a 301 to https://println.org/, and the followed request comes back as HTTP/2 200, so both HTTPS and HTTP/2 are configured correctly.
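Reading the transcript by eye works once; the script below is an added example, not part of the original post, that performs the same two checks mechanically on a captured `curl -I -L` transcript (constructed samples are embedded so it runs offline): the plain-HTTP hop must be a permanent redirect to an https:// URL, and the final hop must be an HTTP/2 200. It also reports whether the HTTPS response carries a Strict-Transport-Security header, which the transcript above does not show and which the nginx configuration on this page does not set; without HSTS a browser still makes the first request over plain HTTP on every visit.

```shell
#!/bin/sh
# Added example (not from the original post): validate a `curl -I -L`
# transcript for a site that is supposed to force HTTPS and speak HTTP/2.

# Constructed transcript in the shape of the post's output.
GOOD='HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Location: https://println.org/

HTTP/2 200
server: nginx/1.14.1
strict-transport-security: max-age=31536000
content-type: text/html'

# Constructed failure case: temporary redirect to plain http, no HTTP/2, no HSTS.
BAD='HTTP/1.1 302 Found
Server: nginx/1.14.1
Location: http://www.println.org/

HTTP/1.1 200 OK
server: nginx/1.14.1
content-type: text/html'

# check_redirect_chain TRANSCRIPT
# Prints "ok" and returns 0 when the first hop is a 301/308 whose Location is
# an https:// URL and the last hop is "HTTP/2 200"; otherwise prints the first
# failing check and returns 1. CRLF line endings from real curl output are
# stripped first.
check_redirect_chain() {
  t=$(printf '%s\n' "$1" | tr -d '\r')
  first=$(printf '%s\n' "$t" | grep '^HTTP/' | head -n 1)
  last=$(printf '%s\n' "$t" | grep '^HTTP/' | tail -n 1)
  case "$first" in
    *" 301"*|*" 308"*) ;;
    *) echo "first hop is not a permanent redirect: $first"; return 1 ;;
  esac
  loc=$(printf '%s\n' "$t" | grep -i '^location:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
  case "$loc" in
    https://*) ;;
    *) echo "redirect target is not https: $loc"; return 1 ;;
  esac
  case "$last" in
    "HTTP/2 200"*) ;;
    *) echo "final hop is not HTTP/2 200: $last"; return 1 ;;
  esac
  echo ok
}

# has_hsts TRANSCRIPT -> returns 0 if any response in the transcript carries a
# Strict-Transport-Security header (header names are case-insensitive).
has_hsts() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qi '^strict-transport-security:'
}

# Live use (not executed in the offline check):
#   t=$(curl -sI -L http://println.org); check_redirect_chain "$t"; has_hsts "$t" || echo "no HSTS"
```

If `has_hsts` reports nothing, adding `add_header Strict-Transport-Security "max-age=31536000" always;` to the 443 server block in nginx closes the gap, but only after confirming every hostname covered by the certificate really is served over HTTPS, since browsers will refuse plain HTTP to those hosts for the whole max-age.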