Enabling HTTPS on My Blog

Updated: 2023-01-29 Views: 9150 Word count: 1149 Category: Self-hosted blog

Why enable HTTPS

  • Practice: I had never manually configured an HTTPS certificate before
  • Protect against site hijacking
  • Serve as the backend API for a mini program
  • Improve search ranking

Where to get an HTTPS certificate

https://letsencrypt.org

To enable HTTPS on a website you need a certificate file, which is obtained from a Certificate Authority (CA). Let's Encrypt is one such CA.

How to install the HTTPS certificate

Use the Certbot ACME client. It automates issuing and installing the certificate, and the site needs no downtime.

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@xxx.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.sunzhongwei.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.sunzhongwei.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/xxx for set(['www.sunzhongwei.com'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/xxx

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.sunzhongwei.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.sunzhongwei.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.sunzhongwei.com/privkey.pem
   Your cert will expire on 2018-04-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Open www.sunzhongwei.com again and you'll find it is now automatically redirected to the https address.

This shows that certbot modified the Nginx configuration automatically and restarted it.

Note for Ubuntu 20.04: The requested nginx plugin does not appear to be installed

How certbot does it

Looking at the Nginx configuration file, you'll find the following lines were added automatically inside the server block for the domain:

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.sunzhongwei.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

Not fully secure

After it took effect, I noticed that in Chrome my site did not show the cute little padlock but an exclamation mark instead.

Looking at the requests, my CDN domain was not using HTTPS.

Time to update my Qiniu CDN links.

Configuring an HTTPS certificate for Qiniu CDN

Applying for a certificate from Qiniu is a horrible experience: for a domain that is already in use, it actually requires adding a TXT DNS record. I already have a CNAME record on that name, so how am I supposed to add a TXT record? Ugh!

So I applied for a free certificate from Alibaba Cloud instead. Approval was very fast, under half a minute the first time, and it asked for far less personal information than Qiniu.

After approval, download the certificate files and paste the contents of the pem and key files into the corresponding certificate fields in Qiniu.

It takes roughly ten minutes to take effect.

Updating image links

I did enable Qiniu's forced-HTTPS feature, which redirects HTTP requests to HTTPS once it is on.

But to the browser that is still just a 301 on an http request, so the image link is still judged insecure.

So I went through the site's image URLs and updated them by hand:

  • Replace http with https for all images
  • Use the https address for gravatar

I couldn't be bothered to update the image addresses in the markdown I wrote earlier. I don't think it matters much: the Weibo image host that v2ex hotlinks is http, and that hasn't hurt v2ex's SEO.
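The mixed-content problem above (a padlock lost to http:// images, stylesheets and gravatar URLs embedded in an https:// page) is easy to audit mechanically before touching templates by hand. The following script is an added example, not code from the original post: it scans HTML for subresource attributes and markdown for image links that still use plain http://, and rewrites only those whose host is on an allowlist of hosts known to serve the same files over HTTPS. Everything else is reported as unresolved so a human can decide. The allowlist hosts (a placeholder standing in for the author's Qiniu domain, plus www.gravatar.com) and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts known to serve the same content over HTTPS.
# The CDN hostname is a placeholder standing in for the author's Qiniu domain.
HTTPS_CAPABLE_HOSTS = {
    "cdn.qiniu-placeholder.example",
    "www.gravatar.com",
}

# (tag, attribute) pairs that load subresources. A plain http:// value in any
# of these on an https:// page triggers the browser's mixed-content warning.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
}
# <link> only counts when it actually loads something (rel=canonical does not).
LINK_LOADING_RELS = {"stylesheet", "icon", "preload", "prefetch"}

# Markdown image syntax: ![alt](http://...)
MD_IMAGE_RE = re.compile(r"!\[[^\]]*\]\(\s*(http://[^)\s]+)")

# Constructed sample page mixing fixable, unfixable and harmless http:// URLs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.qiniu-placeholder.example/site.css">
<link rel="canonical" href="http://www.example.com/post/1">
</head><body>
<img src="http://cdn.qiniu-placeholder.example/a.png">
<img src="http://www.gravatar.com/avatar/abc">
<img src="http://img.weibo-placeholder.example/x.jpg">
<script src="https://www.example.com/app.js"></script>
<a href="http://www.example.com/">a plain link is navigation, not mixed content</a>
</body></html>"""


def _is_plain_http(url):
    return bool(url) and url.lower().startswith("http://")


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & LINK_LOADING_RELS and _is_plain_http(attrs.get("href")):
                self.findings.append(("link", "href", attrs["href"]))
            return
        for name, value in attrs.items():
            if (tag, name) in SUBRESOURCE_ATTRS and _is_plain_http(value):
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def find_markdown_http_images(markdown):
    """Return http:// image URLs in markdown text (the author's older posts)."""
    return MD_IMAGE_RE.findall(markdown)


def rewrite_to_https(url):
    """Return the https:// form of url if its host is allowlisted, else None."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HTTPS_CAPABLE_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return None


def fix_mixed_content(text, urls):
    """Rewrite allowlisted URLs in text; return (fixed_text, unresolved_urls)."""
    fixed, unresolved = text, []
    for url in dict.fromkeys(urls):          # preserve order, drop duplicates
        https_url = rewrite_to_https(url)
        if https_url is None:
            unresolved.append(url)
        else:
            fixed = fixed.replace(url, https_url)
    return fixed, unresolved


if __name__ == "__main__":
    found = [url for _, _, url in find_mixed_content(SAMPLE_HTML)]
    _, leftover = fix_mixed_content(SAMPLE_HTML, found)
    print("mixed content found:", found)
    print("still needs manual attention:", leftover)
```

Rewriting only allowlisted hosts matters: blindly switching every http:// to https:// breaks images on hosts that have no TLS endpoint, which is exactly the case the author describes for hotlinked Weibo images. Anything left in the unresolved list is a candidate for re-hosting on the CDN that does support HTTPS.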

Result

(Screenshot: the green HTTPS certificate padlock)

Scheduled task for automatic certificate renewal

Certbot ships with a scheduled task that renews the certificate automatically before it expires. It is still best to check by hand that certbot's automatic renewal actually works.

To test whether it works, run

sudo certbot renew --dry-run

After the scheduled migration on Alibaba Cloud, I think it's safer to run this test again.
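The dry run above proves that certbot can talk to the ACME server, but it does not tell you how close the live certificate is to expiry, which is what you want to know after a server migration. The following script is an added example, not part of the original post or of Certbot: it parses the `notAfter=` line that `openssl x509 -enddate -noout -in <cert>` prints and reports whether the certificate is fine, inside the 30-day window in which Certbot renews by default, or already expired. The 2018-04-05 expiry date used in the test is the one shown in the certbot output earlier on this page; the dates used as "now" are constructed.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Certbot's default renewal threshold: renew when fewer than 30 days remain.
RENEW_WINDOW_DAYS = 30


def utc(year, month, day):
    """Helper for building a timezone-aware 'now' in tests and examples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_enddate(line):
    """Parse 'notAfter=Apr  5 00:00:00 2018 GMT' as printed by
    `openssl x509 -enddate -noout -in <cert.pem>` into an aware datetime."""
    _, _, value = line.strip().partition("=")
    value = " ".join(value.split())   # collapse the padding before single-digit days
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    now = now or datetime.now(timezone.utc)
    return round((not_after - now).total_seconds() / 86400, 1)


def renewal_status(enddate_line, now=None):
    """Return (status, days_left) where status is 'ok', 'renew-due' or 'expired'."""
    days = days_remaining(parse_openssl_enddate(enddate_line), now)
    if days <= 0:
        return "expired", days
    if days <= RENEW_WINDOW_DAYS:
        return "renew-due", days
    return "ok", days


def check_certificate_file(path):
    """Run openssl on a certificate file, e.g.
    /etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem (the leaf is read first)."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    return renewal_status(out)


if __name__ == "__main__":
    # Usage: python check_cert_expiry.py /etc/letsencrypt/live/<domain>/fullchain.pem
    for cert_path in sys.argv[1:]:
        status, days = check_certificate_file(cert_path)
        print(f"{cert_path}: {status} ({days} days left)")
```

If the live certificate reports `renew-due` or `expired` even though `certbot renew --dry-run` succeeds, the ACME side is fine and the problem is the timer or cron entry not firing on the new host, which is the failure mode a migration tends to introduce.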

References

  • https://letsencrypt.org/

tags: HTTPS certificate certbot

About the author 🌱

I'm a developer from Yantai, Shandong. If there's a topic you're interested in, or you have a software development need, feel free to add me on WeChat (zhongwei) to chat. See more contact details

Comments

Yozo

freessl: free one-year certificates.