Enabling a free Alibaba Cloud certificate

Applying for the certificate

See: Apply for a free DV trial certificate

Installing the certificate

For the basic steps, see Install a certificate on an Nginx/Tengine server; the Nginx configuration is covered in detail here.

1. Create a directory named cert under the nginx root directory (/etc/nginx by default).

cd /etc/nginx
mkdir cert

2. Upload the two downloaded certificate files, the .pem and the .key, into the cert directory.

3. Edit the nginx configuration file: vi /etc/nginx/conf.d/hexo.conf

server {
listen 80;
server_name bore.vip www.bore.vip;
rewrite ^(.*)$ https://$server_name$1 permanent;
}
server {
listen 443;
root /var/www/hexo;
server_name bore.vip www.bore.vip;
ssl on;
ssl_certificate /etc/nginx/cert/xxxx.pem;
ssl_certificate_key /etc/nginx/cert/xxxx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/hexo_access.log;
error_log /var/log/nginx/hexo_error.log;
error_page 404 = /404.html;
location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
root /var/www/hexo;
access_log off;
expires 1d;
}
location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
root /var/www/hexo;
access_log off;
expires 10m;
}
location / {
root /var/www/hexo;
if (-f $request_filename) {
rewrite ^/(.*)$ /$1 break;
}
}
location /nginx_status {
stub_status on;
access_log off;
}
}

4. Edit the Hugo site configuration file _config.toml:

baseURL = "https://bore.vip/"

5. Enable load balancing

In the Alibaba Cloud SSL Certificates console, choose Deploy, then Load Balancer, select all regions, and deploy.

6. Restart the nginx service.

Ubuntu, CentOS 6:

/etc/init.d/nginx restart

CentOS 7, 8:

systemctl restart nginx

Adding a free Let's Encrypt certificate

Steps on Ubuntu

Installing Certbot

On Ubuntu a single command is enough:

sudo apt-get install letsencrypt

Other distributions can be chosen here.

Generating a certificate automatically with webroot

Certbot supports several different "plugins" for obtaining certificates. Here the webroot plugin is used: it obtains a certificate without stopping the web server. --webroot selects the plugin and -w gives the site's root directory.

letsencrypt certonly --webroot -w /var/www/hexo -d iwyang.top

This creates temporary files under .well-known/acme-challenge in /var/www/hexo, which are used to prove control of the domain iwyang.top: the Let's Encrypt validation server sends HTTP requests for them, checks the DNS resolution of each domain being validated, and issues the certificate once validation succeeds.

The generated pem and key files are in the /etc/letsencrypt/live/ directory:

cert.pem: the server certificate
chain.pem: the intermediate certificate
fullchain.pem: the certificate chain, chain.pem + cert.pem
privkey.pem: the certificate's private key


Automatic renewal

Let's Encrypt certificates are valid for 90 days, but the renewal command can be scheduled through crontab.

First run the following command to test automatic renewal:

letsencrypt renew --dry-run --agree-tos

If everything works, edit the crontab so that the following command runs periodically:

crontab -e
0 2 * * * letsencrypt renew --quiet && service nginx restart

Configuring Nginx

Edit the certificate settings in the Nginx configuration file:

vi /etc/nginx/conf.d/hexo.conf

server {
listen 80;
server_name iwyang.top www.iwyang.top;
rewrite ^(.*)$ https://$server_name$1 permanent;
}
server {
listen 443;
root /var/www/hexo;
server_name iwyang.top www.iwyang.top;
ssl on;
ssl_certificate /etc/letsencrypt/live/iwyang.top/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/iwyang.top/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/hexo_access.log;
error_log /var/log/nginx/hexo_error.log;
error_page 404 = /404.html;
location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
root /var/www/hexo;
access_log off;
expires 1d;
}
location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
root /var/www/hexo;
access_log off;
expires 10m;
}
location / {
root /var/www/hexo;
if (-f $request_filename) {
rewrite ^/(.*)$ /$1 break;
}
}
location /nginx_status {
stub_status on;
access_log off;
}
}

Then restart Nginx; the green padlock should now appear.

/etc/init.d/nginx restart

Steps on CentOS 8

Installing Certbot

yum install epel-release -y
yum install certbot -y

Then run:

certbot certonly --webroot -w /var/www/hexo -d bore.vip -m 455343442@qq.com --agree-tos

Configuring Nginx

For a top-level domain, refer to the Ubuntu Nginx configuration above; for a second-level domain proceed as follows:

vi /etc/nginx/conf.d/hexo.conf

Currently in use:

server {
listen 80;
listen 127.0.0.1:443 ssl http2 proxy_protocol;
root /var/www/hexo;
server_name bore.vip www.bore.vip;
if ($host != 'bore.vip' ) {
rewrite ^/(.*)$ https://bore.vip/$1 permanent;
}
if ($ssl_protocol = "") {
return 301 https://$host$request_uri;
}
ssl on;
ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
access_log /var/log/nginx/hexo_access.log;
error_log /var/log/nginx/hexo_error.log;
error_page 404 = /404.html;
location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
root /var/www/hexo;
access_log off;
expires 1d;
}
location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
root /var/www/hexo;
access_log off;
expires 10m;
}
location / {
root /var/www/hexo;
if (-f $request_filename) {
rewrite ^/(.*)$ /$1 break;
}
}
location /nginx_status {
stub_status on;
access_log off;
}
}

Previously used:

server {
listen 80;
server_name bore.vip www.bore.vip;
rewrite ^(.*)$ https://$server_name$1 permanent;
}
server {
listen 443;
root /var/www/hexo;
server_name bore.vip www.bore.vip;
ssl on;
ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/hexo_access.log;
error_log /var/log/nginx/hexo_error.log;
error_page 404 = /404.html;
location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
root /var/www/hexo;
access_log off;
expires 1d;
}
location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
root /var/www/hexo;
access_log off;
expires 10m;
}
location / {
root /var/www/hexo;
if (-f $request_filename) {
rewrite ^/(.*)$ /$1 break;
}
}
location /nginx_status {
stub_status on;
access_log off;
}
}
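The server blocks above, both the one currently in use and the earlier one (and the Alibaba Cloud block at the top of this page, which uses the same older cipher string), still carry settings a defender would want to change: TLSv1 and TLSv1.1 stay enabled, the older cipher string re-adds the LOW, EXP and SSLv2 selectors behind ALL (a '+' prefix only reorders matching ciphers, it does not exclude them), the newer one keeps 3DES, and ssl_stapling_verify is switched on without the ssl_trusted_certificate and resolver directives it relies on. The following Python script is an added example, not code from the original post or from nginx: it extracts the ssl_* directives from a server block and reports such findings. The three configurations embedded in it are constructed samples: the TLS-relevant lines of the two blocks above plus a hardened variant that produces no findings; the cipher list and the resolver address in the hardened block are illustrative choices, not values from this page.

```python
"""Audit the TLS directives of an nginx server block for weak settings.

Added example, not code from the original post or from nginx.
"""
import re

# Constructed sample: the TLS-relevant lines of the "previously used" block.
OLD_CONFIG = """
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample: the TLS-relevant lines of the "currently used" block.
NEW_CONFIG = """
server {
    listen 127.0.0.1:443 ssl http2 proxy_protocol;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# Constructed sample: a hardened variant. The cipher list and the resolver
# address are illustrative; adjust both to your environment.
HARDENED_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bore.vip/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

# One 'name value;' directive per line; lines without ';' (braces) are skipped.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);", re.MULTILINE)

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string selectors that pull in broken or legacy algorithms.
WEAK_CIPHER_SELECTORS = {"SSLv2", "SSLv3", "EXP", "EXPORT", "LOW", "RC4",
                         "DES", "3DES", "MD5", "NULL", "aNULL", "eNULL"}


def parse_directives(config):
    """Map each directive name to the list of values it was given."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(config):
        found.setdefault(name, []).append(value.strip())
    return found


def enabled_cipher_selectors(cipher_string):
    """Selectors that leave ciphers enabled. '!' and '-' entries remove ciphers;
    a '+' prefix only moves matching ciphers to the end of the list, so
    '+LOW' or '+EXP' after 'ALL' keeps those ciphers available."""
    selectors = set()
    for entry in cipher_string.split(":"):
        if entry[:1] in ("!", "-"):
            continue
        selectors.update(entry.lstrip("+").split("+"))
    return selectors


def audit(config):
    """Return a list of human-readable findings for one server block."""
    d = parse_directives(config)
    findings = []
    if "on" in d.get("ssl", []):
        findings.append("'ssl on;' is deprecated; put the ssl parameter on the listen directive")
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    weak = sorted(protocols & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(weak))
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 is not enabled")
    selectors = set()
    for cipher_string in d.get("ssl_ciphers", []):
        selectors |= enabled_cipher_selectors(cipher_string)
    weak = sorted(selectors & WEAK_CIPHER_SELECTORS)
    if weak:
        findings.append("weak cipher selectors enabled: " + ", ".join(weak))
    if "on" in d.get("ssl_stapling", []):
        if "resolver" not in d:
            findings.append("ssl_stapling on without a resolver directive: the OCSP responder cannot be looked up")
        if "on" in d.get("ssl_stapling_verify", []) and "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify on without ssl_trusted_certificate: OCSP responses cannot be verified")
    if not any(v.startswith("Strict-Transport-Security") for v in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Running the script prints the findings for each sample; the hardened block comes back clean. To check a real file, read its server block into a string and pass it to audit(). The check is line-based and deliberately simple: it does not resolve include files or expand OpenSSL selectors into concrete cipher suites, so treat its output as a review aid rather than a complete scanner.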

Restart Nginx to apply the changes:

systemctl restart nginx

Automatic certificate renewal

Because the certificate is only valid for 90 days, automatic renewal needs to be set up to keep it current. First simulate a renewal on the command line:

certbot renew --dry-run

A successful simulated renewal looks like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
## The two domains renewed successfully
The following certs were successfully renewed:
/etc/letsencrypt/live/blog.bore.vip/fullchain.pem (success)
/etc/letsencrypt/live/f.bore.vip/fullchain.pem (success)
## The one domain that failed below can be ignored
The following certs could not be renewed:
/etc/letsencrypt/live/novel.bore.vip/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

When you cannot be sure your nginx configuration is correct, always run the simulated renewal first to make sure certbot can communicate with the server. Use crontab -e to enable the scheduled task:

crontab -e

Add the following entry (it runs the certificate renewal automatically at 2:30 a.m. every two months), then save and exit.

30 2 * */2 * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx
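Before relying on a crontab entry for renewal it is worth checking what its five schedule fields actually select: a '*' in the minute field fires every minute of the chosen hour, and '*/2' in the month field selects every other month while a '*' in the day-of-month field still means every day of those months. The following Python script is an added example, not code from the original post or from cron: it expands a crontab line under Vixie cron rules and answers when and how often the entry runs. The crontab line embedded in it is the renewal entry above, reproduced as a constructed sample.

```python
"""Work out when a crontab schedule really fires.

Added example, not code from the original post or from cron. Implements the
five-field schedule rules of Vixie cron (no @reboot/@daily shortcuts, no names).
"""
from datetime import datetime, timedelta

# (low, high) bounds of minute, hour, day-of-month, month, day-of-week (0 = Sunday).
FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

# Constructed sample: the renewal entry used on this page.
RENEW_LINE = "30 2 * */2 * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx"


def expand_field(spec, low, high):
    """Expand one field ('*', '*/2', '1,15', '1-5', '10-20/5') into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = int(part)
            end = high if step > 1 else start  # '5/2' means 5, 7, 9, ...
        values.update(range(start, end + 1, step))
    return values


def parse_entry(line):
    """Split a crontab line into (expanded fields, day_or flag, command)."""
    specs = line.split(None, 5)
    fields = [expand_field(spec, lo, hi) for spec, (lo, hi) in zip(specs[:5], FIELD_BOUNDS)]
    # Vixie cron: when BOTH day-of-month and day-of-week are restricted, a day
    # matches if EITHER does; otherwise both must match.
    day_or = specs[2] != "*" and specs[4] != "*"
    command = specs[5] if len(specs) > 5 else ""
    return fields, day_or, command


def day_matches(fields, day_or, dt):
    """Does the calendar day of dt satisfy the month/day-of-month/day-of-week fields?"""
    _, _, dom, mon, dow = fields
    if dt.month not in mon:
        return False
    in_dom = dt.day in dom
    in_dow = (dt.weekday() + 1) % 7 in dow  # Python Monday=0 -> cron Sunday=0
    return (in_dom or in_dow) if day_or else (in_dom and in_dow)


def fires_at(line, dt):
    """True if the entry would run at the given minute."""
    fields, day_or, _ = parse_entry(line)
    return dt.minute in fields[0] and dt.hour in fields[1] and day_matches(fields, day_or, dt)


def runs_between(line, start, end):
    """Number of runs in [start, end); both bounds are taken as midnights."""
    fields, day_or, _ = parse_entry(line)
    per_day = len(fields[0]) * len(fields[1])
    total, day = 0, start
    while day < end:
        if day_matches(fields, day_or, day):
            total += per_day
        day += timedelta(days=1)
    return total


def next_run(line, after, limit_days=366):
    """First minute strictly after `after` at which the entry fires, or None."""
    fields, day_or, _ = parse_entry(line)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    stop = t + timedelta(days=limit_days)
    while t < stop:
        if not day_matches(fields, day_or, t):
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)  # skip the whole day
            continue
        if t.minute in fields[0] and t.hour in fields[1]:
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    year = datetime(2023, 1, 1)
    print("runs in 2023:", runs_between(RENEW_LINE, year, datetime(2024, 1, 1)))
    print("next run after 2023-02-10:", next_run(RENEW_LINE, datetime(2023, 2, 10, 12, 0)))
    print("'* 2 * * *' runs per day:", runs_between("* 2 * * * true", year, year + timedelta(days=1)))
```

For the entry above the script reports 184 runs in 2023, one at 02:30 on every day of January, March, May, July, September and November. That is harmless for certbot renew, which only acts when a certificate is within its renewal window, but it is not the same schedule as the comment describes, and the restart behind '&&' would also run on each of those nights. A '*' in the minute field, by contrast, turns a nightly job into sixty runs per night.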

Command to check the certificate's validity period:

openssl x509 -noout -dates -in /etc/letsencrypt/live/bore.vip/cert.pem
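To act on the dates the command above prints, a monitoring check has to turn them into a decision. The following Python script is an added example, not code from the original post or from certbot: it parses the notBefore/notAfter lines printed by openssl x509 -noout -dates and reports whether the certificate is valid, due for renewal (certbot's default is to renew once fewer than 30 days remain), not yet valid, or expired. The embedded dates are a constructed sample with a 90-day validity period, and status_from_file runs the real command on a certificate path you supply.

```python
"""Turn 'openssl x509 -noout -dates' output into a renewal decision.

Added example, not code from the original post or from certbot.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample output, shaped like the real command's output; the
# 90-day span matches a Let's Encrypt certificate.
SAMPLE_DATES = """notBefore=Jan 15 08:00:00 2024 GMT
notAfter=Apr 14 08:00:00 2024 GMT
"""

# certbot's default renewal window: renew once fewer than 30 days remain.
RENEW_WITHIN_DAYS = 30


def parse_dates(text):
    """Return (notBefore, notAfter) as UTC-aware datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = datetime.strptime(
                value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def days_remaining(text, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    _, not_after = parse_dates(text)
    return int((not_after - now).total_seconds() // 86400)


def renewal_status(text, now=None, window=RENEW_WITHIN_DAYS):
    """One of 'not_yet_valid', 'expired', 'renew', 'ok'."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(text)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    return "renew" if days_remaining(text, now) < window else "ok"


def status_from_file(path):
    """Run the openssl command used above on a real certificate file."""
    out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return renewal_status(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], status_from_file(sys.argv[1]))
    else:
        check_time = datetime(2024, 3, 20, tzinfo=timezone.utc)
        print("sample:", renewal_status(SAMPLE_DATES, check_time),
              days_remaining(SAMPLE_DATES, check_time), "days left")
```

Run it with the path to cert.pem to check a live certificate, or without arguments to see the sample evaluated on 20 March 2024, where 25 days remain and the status is "renew". A cron job that exits non-zero on "expired" or on "renew" lasting more than a few days is a cheap way to notice a renewal that silently stopped working.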

Steps on Debian 10

Installing Certbot

sudo apt-get install letsencrypt -y

Generating a certificate automatically with webroot

certbot certonly --webroot -w /var/www/hexo -d bore.vip -m 455343442@qq.com --agree-tos

Editing Nginx

vi /etc/nginx/conf.d/hexo.conf

For hexo:

server {
listen 80;
listen [::]:80;
root /var/www/hexo;
server_name bore.vip www.bore.vip;
if ($host != 'bore.vip' ) {
rewrite ^/(.*)$ https://bore.vip/$1 permanent;
}
listen 443 ssl; # managed by Certbot

# RSA certificate
ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem; # managed by Certbot


# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}

Currently in use:

server {
listen 80;
listen 127.0.0.1:443 ssl http2 proxy_protocol;
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
root /var/www/hexo;
server_name bore.vip www.bore.vip;
if ($host != 'bore.vip' ) {
rewrite ^/(.*)$ https://bore.vip/$1 permanent;
}
if ($ssl_protocol = "") {
return 301 https://$host$request_uri;
}
ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
access_log /var/log/nginx/hexo_access.log;
error_log /var/log/nginx/hexo_error.log;
error_page 404 = /404.html;
location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
root /var/www/hexo;
access_log off;
expires 1d;
}
location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
root /var/www/hexo;
access_log off;
expires 10m;
}
location / {
root /var/www/hexo;
if (-f $request_filename) {
rewrite ^/(.*)$ /$1 break;
}
}
location /nginx_status {
stub_status on;
access_log off;
}
}

Previously used:

server {
listen 80;
server_name bore.vip www.bore.vip;
rewrite ^(.*)$ https://$server_name$1 permanent;
}
server {
listen 443;
root /var/www/hexo;
server_name bore.vip www.bore.vip;
ssl on;
ssl_certificate /etc/letsencrypt/live/bore.vip/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bore.vip/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/hexo_access.log;
error_log /var/log/nginx/hexo_error.log;
error_page 404 = /404.html;
location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
root /var/www/hexo;
access_log off;
expires 1d;
}
location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
root /var/www/hexo;
access_log off;
expires 10m;
}
location / {
root /var/www/hexo;
if (-f $request_filename) {
rewrite ^/(.*)$ /$1 break;
}
}
location /nginx_status {
stub_status on;
access_log off;
}
}

Test the configuration for errors:

nginx -t

Restart Nginx to apply the changes:

systemctl restart nginx

Automatic renewal

Let's Encrypt certificates are valid for 90 days, but the renewal command can be scheduled through crontab.

First run the following command to test automatic renewal:

certbot renew --dry-run

If everything works, edit the crontab so that the following command runs periodically:

crontab -e

30 2 * */2 * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Command to check the certificate's validity period:

openssl x509 -noout -dates -in /etc/letsencrypt/live/bore.vip/cert.pem

HTTPS www redirect

upstream halo {
server 127.0.0.1:8090;
}
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name bore.vip www.bore.vip;
+ if ($host != 'bore.vip' ) {
+ rewrite ^/(.*)$ https://bore.vip/$1 permanent;
+ }

Reference links