Enabling HTTPS: give your site a little green padlock

What is HTTPS

The concepts behind HTTPS are already covered very thoroughly in the article 《全站HTTPS來了》 ("Full-site HTTPS is here"); it is well worth reading carefully.

Let's Encrypt

Recently I suddenly wanted to move my own blog to HTTPS. Not really to strengthen security; I just like tinkering, and I think the little green padlock looks cool.
Free HTTPS certificate authorities include StartSSL and Let's Encrypt; I am using Let's Encrypt.

Installing certbot

Let's Encrypt officially recommends certbot as the ACME client.

I am using Nginx on CentOS 6.
Install certbot-auto with the wrapper script:

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

If your Python version is 2.6, you need to upgrade to 2.7; please search for the upgrade procedure yourself.

Configuration

At first I tried to configure it the way certbot recommends, but registration kept failing.
Later I found the configuration method described by Nginx (the method explained below), and that worked.

1. Create the configuration file

/etc/letsencrypt/configs/wuyanxin.com.conf

    # the domain we want to get the cert for;
    # technically it's possible to have multiple of these lines, but it only worked
    # with one domain for me, another one only got one cert, so I would recommend
    # separate config files per domain.
    domains = wuyanxin.com

    # increase key size (2048, or 4096)
    rsa-key-size = 2048

    # the current closed beta (as of 2015-Nov-07) is using this server
    # (note: the ACME v1 endpoint below has since been retired; current certbot
    # releases default to https://acme-v02.api.letsencrypt.org/directory)
    server = https://acme-v01.api.letsencrypt.org/directory

    # this address will receive renewal reminders
    email = your-email

    # turn off the ncurses UI, we want this to be run as a cronjob
    text = True

    # authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
    # and then letting LE fetch it
    authenticator = webroot
    webroot-path = /data/www/wuyanxin.com/

2. Configure nginx so that Let's Encrypt can reach the temporary challenge files

Add this location to your nginx configuration:

    server {
        listen 80 default_server;
        server_name wuyanxin.com;

        location /.well-known/acme-challenge {
            root /data/www/wuyanxin.com;
        }
        ...
    }

Validate the configuration and reload nginx:

$ sudo nginx -t && sudo nginx -s reload

3. Request the certificate

    $ ./certbot-auto --config /etc/letsencrypt/configs/wuyanxin.com.conf certonly
    Updating letsencrypt and virtual environment dependencies......
    Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/wuyanxin.com.conf certonly

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/wuyanxin.com/fullchain.pem. Your cert
       will expire on date. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
       ...

4. Point the nginx port 443 server block at the certificate

    server {
        listen 443 ssl default_server;
        server_name wuyanxin.com;

        ssl_certificate /etc/letsencrypt/live/wuyanxin.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wuyanxin.com/privkey.pem;

        ...
    }

Configure the HTTP to HTTPS redirect:

    # A server-level "return" runs before any location is matched, so the
    # acme-challenge location from step 2 is no longer reachable on port 80.
    # Let's Encrypt follows the redirect, so the 443 server block must also be
    # able to serve /.well-known/acme-challenge from the webroot for renewals.
    server {
        listen 80;
        server_name wuyanxin.com;
        return 301 https://$server_name$request_uri;
    }

Reload nginx:

$ sudo nginx -t && sudo nginx -s reload
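After the four steps above it is worth checking the deployment from the outside: that port 80 really answers with a redirect to https, and that the served chain verifies (a common mistake is configuring cert.pem instead of fullchain.pem, which browsers may tolerate but strict clients reject). The script below is an added example, not code from the original post. It assumes the host name from the post (HOST), and that curl and openssl are installed; the response samples embedded in it are constructed, not captured from the real server.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# HTTP->HTTPS redirect and the certificate chain. HOST is an assumption.
HOST="${HOST:-wuyanxin.com}"

# redirect_ok HEADERS: true when the plain-HTTP response headers are a 301/302
# whose Location header points at https://HOST/...
redirect_ok() {
    printf '%s\n' "$1" | grep -qi '^HTTP/[0-9.]* 30[12]' &&
        printf '%s\n' "$1" | grep -qi "^location: https://$HOST/"
}

# chain_ok S_CLIENT_OUTPUT: true when openssl s_client could build and verify
# the chain; a missing intermediate shows up here as a non-zero return code
chain_ok() {
    printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'
}

# live_check: run both checks against the real host
live_check() {
    headers=$(curl -sI "http://$HOST/")
    if redirect_ok "$headers"; then
        echo "ok: http://$HOST/ redirects to https"
    else
        echo "FAIL: port 80 does not redirect to https" >&2
        return 1
    fi
    tls=$(openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null)
    if chain_ok "$tls"; then
        echo "ok: certificate chain verifies"
        # print subject, issuer and validity of the leaf certificate
        printf '%s\n' "$tls" | openssl x509 -noout -subject -issuer -dates
    else
        echo "FAIL: chain does not verify (is fullchain.pem, not cert.pem, configured?)" >&2
        return 1
    fi
}

# Constructed sample headers (not captured from a real server) so the parsing
# can be exercised offline; set RUN_LIVE=1 to query HOST for real.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://wuyanxin.com/\r\n')
if redirect_ok "$SAMPLE_HEADERS"; then
    echo "sample headers: redirect looks right"
fi
if [ "${RUN_LIVE:-0}" = 1 ]; then
    live_check
fi
```

Run it as `RUN_LIVE=1 HOST=wuyanxin.com sh check_https.sh` after the reload; without RUN_LIVE it only exercises the parsing on the constructed sample.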

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days, so we should renew them before they expire.

  • Prepare the following script and save it as renew_letsencrypt.sh

    #!/bin/sh

    # certbot checkout location and the per-domain config from step 1
    cd /opt/letsencrypt/
    ./certbot certonly --config /etc/letsencrypt/configs/my-domain.conf

    if [ $? -ne 0 ]
    then
        # cron mails whatever the job prints, so include the tail of the log
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        printf "The Let's Encrypt cert has not been renewed! \n\n%s\n" "$ERRORLOG"
        exit 1
    else
        nginx -s reload
    fi

    exit 0

  • If /var/log/letsencrypt/ does not exist, create it first

  • Use crontab -e to schedule a renewal every two months

    # 1st day of every second month; numeric months are used because Vixie cron
    # does not accept lists of month names such as JAN,MAR,...
    0 0 1 1,3,5,7,9,11 * /path/to/renew_letsencrypt.sh
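A fixed every-two-months schedule works, but it renews blindly and leaves no margin if a run fails. The script below is an added example, not the script from the original post: it reads the expiry date out of the live certificate with openssl and only calls certbot when fewer than RENEW_DAYS remain, so it can safely run from cron every day. The paths (CERT, CONFIG, CERTBOT) are assumptions taken from this post, and the `date -d` parsing needs GNU date, which CentOS has.

```shell
#!/bin/sh
# Added example, not from the original post: renew only when the certificate
# is within RENEW_DAYS of expiry, then reload nginx on success.
# CERT/CONFIG/CERTBOT are assumed paths based on this post.
CERT="${CERT:-/etc/letsencrypt/live/wuyanxin.com/fullchain.pem}"
CONFIG="${CONFIG:-/etc/letsencrypt/configs/wuyanxin.com.conf}"
CERTBOT="${CERTBOT:-/opt/letsencrypt/certbot-auto}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # Let's Encrypt suggests renewing with 30 days left

# days_left END_EPOCH NOW_EPOCH: whole days until notAfter (negative once expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal END_EPOCH NOW_EPOCH THRESHOLD_DAYS: true when the certificate
# expires within THRESHOLD_DAYS or has already expired
needs_renewal() {
    [ "$(days_left "$1" "$2")" -le "$3" ]
}

# cert_end_epoch CERT_PATH: notAfter of the leaf certificate as a Unix timestamp
# (openssl prints "notAfter=Nov  7 00:00:00 2015 GMT"; GNU date parses the rest)
cert_end_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -u -d "$end" +%s
}

# renew_if_needed: cron entry point; nginx is reloaded only after a successful renewal
renew_if_needed() {
    now=$(date +%s)
    end=$(cert_end_epoch "$CERT")
    if ! needs_renewal "$end" "$now" "$RENEW_DAYS"; then
        echo "certificate still valid for $(days_left "$end" "$now") days, nothing to do"
        return 0
    fi
    if "$CERTBOT" --config "$CONFIG" certonly; then
        nginx -t && nginx -s reload
    else
        echo "renewal failed, last lines of the certbot log:" >&2
        tail /var/log/letsencrypt/letsencrypt.log >&2
        return 1
    fi
}

if [ -r "$CERT" ]; then
    renew_if_needed
else
    echo "no certificate at $CERT; run the initial certonly step first" >&2
fi
```

With this script a daily crontab line such as `0 3 * * * /path/to/renew_if_needed.sh` is enough: most days it exits after the expiry check, and a failed renewal is retried the next day while there is still margin before the 90-day limit.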

Summary

Adding a green padlock to your own site really is that simple. There are already plenty of articles about this online; this one is just my own record of moving my site to HTTPS, and feedback is welcome if you find problems.

Also, many Chinese sites embed the "Duoshuo" (多說) comment system. Because Duoshuo loads third-party avatars over http, this mixed content turns the green padlock on your page grey.
Solutions have already been proposed; see these two articles:

  1. Making the Duoshuo comment box fully support HTTPS (讓多說評論框完美支持 HTTPS)

  2. Using a Qiniu HTTPS domain to give Duoshuo SSL and CDN acceleration without a reverse proxy (巧用七牛https域名,無需反代讓多說支持SSL和CDN加速)

References

http://dwz.cn/4pgZCM
http://www.jianshu.com/p/eaac...
