Applying for and Configuring a Website SSL Certificate
SSL (Secure Sockets Layer) is the secure communication service that most websites offer today. SSL is a security protocol with transport encryption, ensuring the confidentiality and integrity of the data exchanged between the two ends of a connection. Once a website provides SSL, the user's client and the site first authenticate each other through SSL before any data is transferred, and the transfer itself is encrypted, so the connection cannot be hijacked and the data cannot be modified in transit.
So how is a website authenticated? The site needs an SSL certificate, and obtaining one means applying to a certificate authority that is authorised to issue them. Domestic companies with this authorisation include Alibaba and Tencent; well-known providers abroad include Let's Encrypt (free) and GoDaddy.
This tutorial uses Let's Encrypt as the example for applying for and configuring an SSL certificate. Let's Encrypt is currently the most widely used SSL certificate issuer, and because its certificates are free to obtain and use it has been widely adopted. Note that a Let's Encrypt certificate is valid for only 90 days and must be renewed when it expires; the renewal procedure is also covered below.
First install the certbot tool with the following commands (Debian):
$mkdir cert
$cd cert
$wget https://dl.eff.org/certbot-auto
$chmod 0755 certbot-auto
$./certbot-auto --help
Next, verify the integrity of the downloaded tool with the following commands (the signature is checked against the certbot-auto file in the current directory):
$wget -N https://dl.eff.org/certbot-auto.asc
$gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
$gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
The output looks like this:
gpg: Signature made Wed 02 May 2018 05:29:12 AM IST
gpg: using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: key 4D17C995CD9775F2 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 2 signed: 0 trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2027-11-22
gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [ultimate]
Next, obtain the SSL certificate with the following command:
$./certbot-auto certonly -d *.example.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
The -d option gives the site's domain name (a wildcard is allowed); the validation method is dns (validation through the domain's DNS records). The output is as follows:
"sudo" is not available, will use "su" for installation steps...
Requesting to rerun ./certbot-auto with root privileges...
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
Q5xw-L4-ZqoRYMuMIkms-G5s4fOYEdYi-JrBPckkHw8
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
## Note: before pressing Enter, deploy a TXT record in your DNS provider's management console:
HOSTNAME: _acme-challenge.example.com | TYPE: TXT | ADDRESS/VALUE:
Q5xw-L4-ZqoRYMuMIkms-G5s4fOYEdYi-JrBPckkHw8 (replace with the value generated for your run)
## To check whether the TXT record is live, use the following command:
$dig -t txt _acme-challenge.example.com @8.8.8.8
Once the record is in place, press Enter.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-03-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
"certbot-auto renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
After the steps above, the SSL certificate has been issued and is stored under /etc/letsencrypt/live/example.com/. Installing the certificate on the website means pointing the web server's configuration file at the location of these files; see the "ssl_certificate" and "ssl_certificate_key" settings in the sub-configuration file described in the article "Website Building Tutorial (Part 1)".
Also, as mentioned at the start, a Let's Encrypt SSL certificate is valid for 90 days and must be renewed before it expires; Let's Encrypt also sends a reminder email. Use the following command to renew the certificate:
$./certbot-auto certonly --manual --preferred-challenges dns
Follow the prompts and repeat a process similar to the initial application above. Once the new certificate has been obtained, if its storage location has not changed, it takes effect in place and the site's SSL service is extended for another 90 days.
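As an added example (not part of the original post), the script below automates the dig check described above: before pressing Enter in certbot, both at the initial application and at each manual renewal, it confirms that every listed public resolver already serves the expected token under _acme-challenge.<domain>, so the challenge is not attempted before the record has propagated. It assumes dig is installed; the resolver addresses, domain and token are placeholders.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record has propagated to public
# resolvers before telling certbot to continue. Assumes `dig` is installed.

# Print the TXT values a resolver currently serves for NAME, one per line,
# with the surrounding quotes that dig prints stripped off.
txt_values() {
    name="$1"; resolver="$2"
    dig +short -t txt "$name" "@$resolver" | sed 's/^"//; s/"$//'
}

# acme_txt_ready DOMAIN TOKEN [RESOLVER ...]
# Succeeds only if every resolver serves TOKEN under _acme-challenge.DOMAIN.
# For a wildcard request (-d *.example.com) DOMAIN is the base name, example.com.
acme_txt_ready() {
    domain="$1"; token="$2"; shift 2
    [ "$#" -gt 0 ] || set -- 8.8.8.8 1.1.1.1   # default public resolvers
    name="_acme-challenge.$domain"
    missing=0
    for resolver in "$@"; do
        # -x: whole-line match, -F: literal token, so a partial or stale value
        # left over from an earlier challenge does not count as a hit.
        if txt_values "$name" "$resolver" | grep -qxF -e "$token"; then
            echo "ok       $resolver serves $token for $name"
        else
            echo "MISSING  $resolver does not yet serve $token for $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Poll until every resolver agrees or TIMEOUT seconds have passed, so the
# script can be left running while the record propagates.
# wait_for_txt DOMAIN TOKEN TIMEOUT [RESOLVER ...]
wait_for_txt() {
    domain="$1"; token="$2"; timeout="$3"; shift 3
    waited=0
    until acme_txt_ready "$domain" "$token" "$@"; do
        waited=$((waited + 10))
        [ "$waited" -lt "$timeout" ] || { echo "gave up after ${timeout}s"; return 1; }
        sleep 10
    done
    echo "record propagated, safe to press Enter in certbot"
}

# Usage: sh check_txt.sh example.com Q5xw-L4-ZqoRYMuMIkms-G5s4fOYEdYi-JrBPckkHw8
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2" 300
fi
```

Run it in a second terminal with the domain and the token certbot printed; when it reports that the record has propagated, return to certbot and press Enter.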