Let's Encrypt is a completely free HTTPS certificate service. link-nemo had not done any HTTPS work before because it seemed like a hassle; now that there is a little time, here is a quick setup.
The server here runs Ubuntu.
1. Install certbot-auto; see the official site: https://certbot.eff.org/#ubuntuother-nginx
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
2. Generate the certificate:
./certbot-auto certonly --email nemomeng@link-nemo.com --agree-tos --no-eff-email --webroot -w /path-to-webroot -d www.link-nemo.com
Note that path-to-webroot in this command is the site's document root, i.e. the directory that www.link-nemo.com serves directly.
This command can be rather slow; you can point pip at a domestic (China) mirror to speed it up.
When you see the following output, it succeeded:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.link-nemo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.link-nemo.com/privkey.pem
Your cert will expire on 2017-12-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The output shows that the files are stored in
/etc/letsencrypt/live/www.link-nemo.com/
At this point the certificate has been generated.
3. link-nemo runs behind nginx + tomcat, and nginx previously listened only on port 80, so the nginx config needs a 443 ssl listener that points at the certificate files:
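The most common way the certonly command above fails is that -w points at a directory nginx does not actually serve for the host: certbot writes its http-01 token under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP on port 80. The following pre-flight check is an added example, not part of the post: it plants a probe file where the token will go and fetches it the way the CA would (following redirects, since Let's Encrypt does too). It assumes curl is installed; the fetch command is a parameter only so the check can be exercised without a network.

```sh
#!/bin/sh
# Added example (not from the post): pre-flight check for certbot's webroot
# authenticator. It reproduces what the CA does during the http-01 challenge
# with a probe file of our own, so a wrong -w path shows up before certbot
# burns a rate-limited validation attempt.

# acme_probe_path WEBROOT
# Create the challenge directory under WEBROOT and print the path of a fresh
# probe file inside it. Exit 1 if the directory cannot be created.
acme_probe_path() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir/probe-$$-$(date +%s)"
}

# acme_webroot_check WEBROOT DOMAIN [FETCH]
# FETCH is the command that prints the body of a URL to stdout; the default
# follows redirects because the CA does, so the check keeps working after
# the HTTP -> HTTPS redirect from step 3 is in place.
# Exit 0 when the probe comes back byte-for-byte, 2 when WEBROOT is unusable,
# 1 when the fetch fails or returns something else (wrong root, wrong vhost,
# port 80 not reachable from outside, ...).
acme_webroot_check() {
    webroot=$1
    domain=$2
    fetch=${3:-curl -fsSL}
    probe=$(acme_probe_path "$webroot") || return 2
    expected="acme-probe-$$"
    printf '%s\n' "$expected" > "$probe" || return 2
    url="http://$domain/.well-known/acme-challenge/$(basename "$probe")"
    rc=0
    got=$($fetch "$url" 2>/dev/null) || rc=$?
    rm -f "$probe"                      # never leave probe files behind
    [ "$rc" -eq 0 ] && [ "$got" = "$expected" ]
}

# Usage (path-to-webroot as in the post):
#   acme_webroot_check /path-to-webroot www.link-nemo.com && echo "webroot is served on port 80"
```

Run it as the same user certbot will run as, so a permissions problem on the challenge directory is caught at the same time.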
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.link-nemo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.link-nemo.com/privkey.pem;
    server_name www.link-nemo.com link-nemo.com;
    # .... other settings omitted here
}
The original port-80 http server also needs adjusting so that every http request is forwarded to https:
server {
    listen 80 default;
    server_name www.link-nemo.com link-nemo.com;
    # send every plain-HTTP request to the same URL over HTTPS
    return 301 https://$host$request_uri;
    # ...... other settings omitted here
}
4. After saving, restart the nginx service:
service nginx restart
If the restart reports no errors, visit http://www.link-nemo.com; normally the request is redirected to https://www.link-nemo.com.
At this point the HTTPS certificate deployment is complete.
5. Note, however, that a Let's Encrypt certificate is valid for only 90 days; once it expires it has to be renewed. You can add a scheduled system job so the certificate is renewed automatically.
cd into the directory where certbot-auto is stored and run
./certbot-auto renew --dry-run
to test whether the certificate can be renewed.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.link-nemo.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.link-nemo.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.link-nemo.com/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.link-nemo.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
OK, now add a scheduled job to the system:
Enter
crontab -e
and add
30 4 * * 1 /path-to-cerbot/certbot-auto renew --renew-hook "service nginx restart" --quiet > /dev/null 2>&1 &
Note that path-to-cerbot here is the location where the certbot-auto file is kept.
With this, the certificate is renewed automatically every Monday at 04:30, and nginx is restarted if the renewal succeeds. A certificate can only be renewed within the 30 days before it expires; extra renewal runs are ignored automatically. Running weekly has another benefit: a renewal attempt may fail, and this leaves up to four more attempts to make sure the certificate does not expire.
Save and exit once the edit is done.
6. Finally it occurred to me to get a rating from https://www.ssllabs.com.
Open in a browser: https://www.ssllabs.com/ssltest/analyze.html?d=www.link-nemo.com
The result showed the SSL configuration still needed some tuning.
First, turn off SSLv2 and SSLv3 support, both of which have security problems, by adding this to the 443 server block in the nginx config:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then configure the dhparam length; first run the following:
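Two things the cron line above does not cover: it sends all output to /dev/null with --quiet, so a renewal that keeps failing is only noticed when browsers start complaining, and its hook restarts nginx unconditionally, dropping live connections and taking the site down if the config happens to be broken at that moment. The helpers below are an added example, not part of the post. They need only POSIX sh and openssl(1); the nginx commands are parameters so the logic runs without nginx, and the crontab and file paths in the usage comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the post): an expiry probe for the certificate the
# weekly cron job is supposed to keep fresh, and a deploy hook that reloads
# nginx only when its configuration passes `nginx -t`.

# cert_expires_within CERT DAYS
# Exit 0 if the certificate in CERT expires within DAYS days, 1 if it does
# not, 2 if CERT is not a parseable certificate. openssl's -checkend does the
# date arithmetic, so there is no locale-dependent date parsing here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1    # openssl: "Certificate will not expire"
    fi
    # -checkend exits non-zero both for "will expire" and for a file it cannot
    # read, so parse the file once more to tell the two cases apart.
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    return 0
}

# check_live_cert DOMAIN [DAYS]
# certbot only renews inside the last 30 days of validity, so if fewer than
# DAYS (default 20) days remain, at least one weekly run has already failed
# and /var/log/letsencrypt/letsencrypt.log deserves a look.
check_live_cert() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    days=${2:-20}
    rc=0
    cert_expires_within "$cert" "$days" || rc=$?
    case $rc in
        0) echo "WARNING: $cert expires within $days days; renewal is failing" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "ERROR: cannot read $cert" >&2; return 2 ;;
    esac
}

# safe_reload [TEST_CMD] [RELOAD_CMD]
# Deploy hook to use instead of a bare "service nginx restart": reload only
# when the configuration passes the syntax test, and reload rather than
# restart so existing connections are not dropped. certbot runs the hook only
# after a successful renewal, so a failed renewal never touches nginx at all.
safe_reload() {
    test_cmd=${1:-nginx -t}
    reload_cmd=${2:-service nginx reload}
    if $test_cmd >/dev/null 2>&1; then
        $reload_cmd
    else
        echo "nginx configuration test failed; leaving the running nginx untouched" >&2
        return 1
    fi
}

# Usage, assuming this file is saved as /usr/local/bin/tls-helpers.sh
# (path is an assumption) and path-to-cerbot is as in the post's cron line:
#   30 4 * * 1 /path-to-cerbot/certbot-auto renew --quiet --renew-hook "sh -c '. /usr/local/bin/tls-helpers.sh && safe_reload'"
#   0 9 * * *  sh -c '. /usr/local/bin/tls-helpers.sh && check_live_cert www.link-nemo.com'
```

Point the daily probe's output at something that is actually read (mail, a log that is monitored) rather than /dev/null, otherwise it adds nothing over the original line. Newer certbot releases call the post-renewal hook --deploy-hook; --renew-hook still works as the post uses it.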
$ cd /opt
$ mkdir dhparam
$ cd dhparam/
$ mkdir keys
$ cd keys/
$ openssl dhparam -out dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................+.............................................................................................................................................+........................................................................................................................................................................+....................................................+......................................................................................................................................................................................................................................................................................................................................................................+..................+................................................+.+..............................................................................................................................................................................+.................................................................................................................................+......................................................................+..........................................................................................................................+............................................................................................................................................................................................+..+..........................................................................................................................+.........................................+.+...................+..........................+....................................................................+...............................................................................................................+...+...............+..........................................+.......................
................................+..............................................................+...........................+........................................................................................+.........+................................................................+...................................+................................................+..............+....................+....................................................................................................................+.............................................+...........................................................................................................................................................+...................................+.............................................................................................+............................................................................................................................+............+................................+.................+...............................................................+...............................................................................................................................................................+.....................................+..............................................................................................................................................+..................................................+.....+......................................................................+...................................................+.........+..............................................................................+................+.....................................................................................+...............................................+................................................................................................................................
........................+..................................+...................................................+....................................................................................................................+............................+.............................................................+..........................+...............+.............................+............++*++*
$ cd ..
$ sudo chmod 700 keys
Then edit the nginx config and add a few settings; the final 443 server block looks like this:
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /opt/dhparam/keys/dhparams.pem;
    ssl_certificate /etc/letsencrypt/live/www.link-nemo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.link-nemo.com/privkey.pem;
    server_name www.link-nemo.com;
    # ...... other settings omitted here
}
Restart the nginx service:
$ service nginx restart
Rate it again and the grade reaches A.
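A long cipher string like the one above is hard to read by eye: what matters is which suites survive the "!..." exclusions at the end once OpenSSL expands it, and the answer depends on the OpenSSL nginx is linked against. The script below is an added example, not part of the post. It audits the ssl_protocols and ssl_ciphers directives of an nginx config offline with only POSIX sh and openssl(1), so you can check a change before re-running the external scan. It flags SSLv2/SSLv3 as the post does, and additionally TLSv1 and TLSv1.1 (deprecated by RFC 8996 and now penalised by SSL Labs) and 3DES (still admitted by the post's list via DES-CBC3-SHA); the config file path in the usage line is an assumption.

```sh
#!/bin/sh
# Added example (not from the post): offline audit of the TLS directives in
# an nginx server block. Expands ssl_ciphers exactly as OpenSSL will and
# reports suites built on weak primitives, plus deprecated protocol versions.

# nginx_directive NAME CONFIG
# Print the value of the first occurrence of directive NAME in CONFIG,
# without the trailing semicolon or surrounding quotes.
nginx_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*\$/\1/p" "$2" | head -n 1 | tr -d "'\""
}

# weak_protocols "VALUE"
# List the versions in an ssl_protocols value that should not be enabled:
# SSLv2/SSLv3 (broken; what the post disables) and TLSv1/TLSv1.1
# (deprecated by RFC 8996; SSL Labs caps the grade when they are on).
weak_protocols() {
    for p in $1; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) printf '%s\n' "$p" ;;
        esac
    done
}

# Read `openssl ciphers -v` lines on stdin and print the name of every suite
# built on a weak primitive: no authentication or encryption, RC4, DES or
# 3DES, MD5, or export-grade keys. Exit 1 if any were printed, else 0.
weak_suites_in() {
    awk '
        /Au=None|Enc=None|Enc=RC4|Enc=DES|Enc=3DES|Mac=MD5|^EXP-/ { print $1; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# audit_cipher_string "LIST"
# Expand an nginx ssl_ciphers string with the local OpenSSL and audit it.
# Exit 0 = clean, 1 = weak suites present (names printed), 2 = the string is
# not parseable by this OpenSSL (or openssl is not installed).
audit_cipher_string() {
    expanded=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
    printf '%s\n' "$expanded" | weak_suites_in
}

# audit_nginx_tls CONFIG
# Report findings for one config file; exit 0 only when nothing needs attention.
audit_nginx_tls() {
    status=0
    bad=$(weak_protocols "$(nginx_directive ssl_protocols "$1")" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "ssl_protocols enables deprecated versions: $bad"
        status=1
    fi
    ciphers=$(nginx_directive ssl_ciphers "$1")
    if [ -n "$ciphers" ]; then
        rc=0
        weak=$(audit_cipher_string "$ciphers") || rc=$?
        case $rc in
            1) echo "ssl_ciphers still admits weak suites: $(echo "$weak" | tr '\n' ' ')"; status=1 ;;
            2) echo "ssl_ciphers could not be expanded with openssl ciphers"; status=1 ;;
        esac
    fi
    return $status
}

# Usage (config path is an assumption):
#   audit_nginx_tls /etc/nginx/sites-enabled/link-nemo.conf
```

Run it on the server itself rather than a workstation: `openssl ciphers` reports what that OpenSSL build supports, which is what decides whether a suite named in the list is actually offered.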