Notes on Using Let's Encrypt

The World Wide Web has been around for more than twenty years now. As I see it, HTTPS will be the dominant protocol for at least the next twenty: it is already replacing the insecure HTTP at a rapid pace, yet as long as HTTPS exists, HTTP will not leave the stage either.

Enough preamble.

Let's Encrypt opened its public beta last December and issues SSL certificates free of charge. The certificates it signs are cross-signed and are already trusted by all major browsers; the cross-signature comes from the IdenTrust Root CA.

First obtain acme-tiny, then create the private keys (the CSR command below relies on bash process substitution, so run it in bash):

# Create the Let's Encrypt account key
openssl genrsa 4096 > account.key
# Create the domain private key
openssl genrsa 4096 > domain.key
# Generate the certificate signing request (CSR) listing every hostname as a SAN
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com,DNS:ddns.yourdomain.com")) > domain.csr

# Create the challenge directory that nginx will serve
mkdir -p /var/www/auth-let/

Configure nginx:

server {
    listen 80;
    location /.well-known/acme-challenge/ {
        alias /var/www/auth-let/;
        try_files $uri =404;
    }
    #...
}

# Request the certificate
# On success this writes signed.crt (domain.key was created above)
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/auth-let/ > ./signed.crt

# Build the chain file that nginx will serve
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > domain.pem
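The `location /.well-known/acme-challenge/` block and the `--acme-dir` flag are the two halves of the ACME HTTP-01 challenge: acme-tiny writes a file named after the challenge token into that directory, the file's body is the token followed by "." and the SHA-256 thumbprint of the account key's JWK (RFC 7638), and the CA fetches it over plain HTTP on port 80. The following is an added example, not code from the post or from acme-tiny, that computes that key authorization and shows the check the CA performs; the RSA key values and the token are constructed toy inputs (a 4096-bit key produces a 512-byte modulus, but the computation is identical).

```python
import base64
import hashlib
import json
import os
import re

# Constructed toy RSA public key (p=61, q=53). Not a real account key;
# the encoding and hashing steps are the same as for a 4096-bit key.
TOY_N = 3233
TOY_E = 65537

# Tokens are base64url characters only (RFC 8555); rejecting anything else
# keeps the file name confined to the challenge directory.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_bytes(value: int) -> bytes:
    """Minimal big-endian encoding with no leading zero bytes."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_jwk(n: int, e: int) -> dict:
    """Public JWK for an RSA account key."""
    return {"kty": "RSA", "n": b64url(int_to_bytes(n)), "e": b64url(int_to_bytes(e))}


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 form: required members only, sorted by name, no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    return json.dumps(required, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """Base64url SHA-256 over the canonical JWK."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body that must be served at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def is_valid_token(token: str) -> bool:
    return bool(_TOKEN_RE.match(token))


def write_challenge(acme_dir: str, token: str, jwk: dict) -> str:
    """Write the challenge file into the directory nginx aliases; returns its path."""
    if not is_valid_token(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    path = os.path.join(acme_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_response(token: str, served_body: str, jwk: dict) -> bool:
    """The CA's check after fetching the challenge URL over port 80."""
    return served_body.strip() == key_authorization(token, jwk)


if __name__ == "__main__":
    import tempfile

    jwk = rsa_jwk(TOY_N, TOY_E)
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # example token, constructed
    with tempfile.TemporaryDirectory() as acme_dir:
        path = write_challenge(acme_dir, token, jwk)
        with open(path) as fh:
            body = fh.read()
        print("thumbprint:", jwk_thumbprint(jwk))
        print("served body valid:", validate_response(token, body, jwk))
```

Because the file is named by the token and its content is derived from the account key, only the holder of account.key can produce a response the CA will accept; this is also why account.key deserves the same protection as domain.key.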

Configure nginx to listen on port 443: copy everything over from the port-80 server block, add the SSL settings below, then restart nginx. (TLS 1.0 and 1.1 have since been deprecated by RFC 8996, so on a current deployment allow only TLSv1.2 and TLSv1.3.)

server {
    listen 443;

    ssl on;
    ssl_certificate /path/to/domain.pem;
    ssl_certificate_key /path/to/domain.key;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    #...
}

Let's Encrypt certificates expire after three months, so set up a scheduled renewal:

#!/bin/bash

# Request a fresh certificate; stop here if the ACME step fails so the
# existing chain file stays in place
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/auth-let/ > /tmp/signed.crt || exit 1
# Fetch the intermediate and rebuild the chain file nginx serves
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /tmp/intermediate.pem || exit 1
cat /tmp/signed.crt /tmp/intermediate.pem > /path/to/domain.pem
nginx -s reload
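The script above requests a new certificate every time it runs, so it has to be scheduled carefully against the CA's rate limits. A renewal job that runs daily from cron but only acts when the installed certificate is close to expiry is safer. The following is an added example, not part of the post: it parses the `notAfter=` line printed by `openssl x509 -noout -enddate`, decides whether renewal is due, and counts the PEM blocks in the chain file so a half-written domain.pem (which should hold exactly the leaf plus the intermediate) is caught before nginx is reloaded. The sample enddate line and chain text are constructed.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl x509 -noout -enddate -in /path/to/domain.pem` output
SAMPLE_ENDDATE = "notAfter=Apr  5 08:30:00 2016 GMT"

# Constructed chain file with two placeholder blocks (leaf first, then intermediate)
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIE...intermediate...\n-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> float:
    return (not_after - now) / timedelta(days=1)


def needs_renewal(not_after: datetime, now: datetime, threshold_days: int = 30) -> bool:
    """Renew once fewer than threshold_days remain (Let's Encrypt certificates last 90)."""
    return days_remaining(not_after, now) <= threshold_days


def count_pem_certs(chain_text: str) -> int:
    """Number of CERTIFICATE blocks in a chain file; domain.pem should have 2."""
    return len(_PEM_BLOCK.findall(chain_text))


def chain_looks_complete(chain_text: str, expected: int = 2) -> bool:
    return count_pem_certs(chain_text) == expected


def installed_not_after(pem_path: str) -> datetime:
    """Ask the real openssl binary for the expiry of an installed certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_not_after(out)


if __name__ == "__main__":
    # Usage: python renew_check.py /path/to/domain.pem
    # Exit status 0 means "renew now", 1 means "still valid", for use from cron.
    pem_path = sys.argv[1]
    now = datetime.now(timezone.utc)
    not_after = installed_not_after(pem_path)
    left = days_remaining(not_after, now)
    print(f"{pem_path}: {left:.1f} days remaining")
    sys.exit(0 if needs_renewal(not_after, now) else 1)
```

Wired into cron as `renew_check.py /path/to/domain.pem && /path/to/renew.sh`, the renewal script only fires inside the last 30 days of validity, and `chain_looks_complete` can guard the `nginx -s reload` step so a failed download of the intermediate never leaves nginx serving a chain with only the leaf certificate.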