如果想要在自己的网站启用 HTTPS,我们需要从证书颁发机构(CA)获取证书,并部署到自己的服务器上,而这张证书则被称为 SSL 证书。
HTTP协议无法加密数据,数据传输可能产生泄露、篡改或钓鱼攻击等问题,而启用HTTPS后,可帮助Web服务器和网站间建立可信的HTTPS协议加密链接,为您的网站安全加锁,保证数据安全传输。 另外,像微信小程序、支付宝小程序等,在我们配置项目域名时,也都需要使用 https。所以,有时候使用ssl证书也是一种强制行为。
既然 SSL 证书能提升安全性,我们当然可以部署SSL证书了,获取ssl证书的渠道有以下两种方式:
SSL 证书有三种类型:
所以, 证书等级越高,需要的费用也就越高。而目前,SSL 证书最长有效期为一年(之前为两年),需要每年进行购买与替换。
当然,也有免费获取证书的渠道。
我们可以通过阿里云申请免费的证书,注意,通过阿里云申请免费的SSL证书,无法申请通配符域名证书,只能申请单域名证书,而且每年限制申请20张,每张证书有效期为1年,不过对于个人来说应该是绰绰有余了。
如果我们即不想付费,还想申请通配符域名证书,就需要通过 Let's Encrypt 来生成自己的通配符域名。Let's Encrypt 是免费、开放和自动化的证书颁发机构。由非盈利组织互联网安全研究小组(ISRG)运营。
不过 Let's Encrypt 生成的 SSL 证书有个限制,证书有效期为 3 个月,所以需要格外注意,定时生成证书和替换。
curl -o /etc/yum.repos.d/epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum install -y certbot
certbot certonly -d *.dev.evente.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
openssl x509 -in /etc/letsencrypt/live/dev.evente.cn/cert.pem -noout -text
#X509v3 Subject Alternative Name:
# DNS:*.dev.evente.cn
ssl on;
ssl_certificate /etc/letsencrypt/live/dev.evente.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev.evente.cn/privkey.pem;
[root@mosh-dev-1 cert]# certbot certonly -d *.dev.evente.cn --manual \
> --preferred-challenges dns \
> --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): tianjingwen@eventmosh.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for *.dev.evente.cn
Performing the following challenges:
dns-01 challenge for dev.evente.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.dev.evente.cn with the following value:
cXsppHLitr-_9SL4RoPq8A5A2fvIYJlNILsJAPqSjHc
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dev.evente.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dev.evente.cn/privkey.pem
Your certificate will expire on 2021-05-26. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
通过上面流程,我们就可以生成一张自己域名的 SSL 证书了,然后将证书部署到我们的服务器即可使用了。
参考文章: