一、问题
让网站(http://www.example.com )支持 https 协议,能正常访问( https://www.example.com)这个链接。
二、解决方案
https 其实就是通过 ca 证书,对服务器和域名进行实名认证。这里使用公益组织 Let's Encrypt 提供的工具 certbot 免费生成 ca 证书。
1、服务器环境:
- Ubuntu:服务器操作系统;
- nginx:用于部署运行网站的服务器;
www.example.com :经过备案且能正常解析到服务器;
2、安装 certbot
certbot 是 公益组织 Let's Encrypt 提供的 ca证书 生成工具。
sudo apt-get update;
sudo apt-get install software-properties-common;
sudo add-apt-repository ppa:certbot/certbot;
sudo apt-get update;
Ubuntu14用这个命令:sudo apt-get install python-certbot-nginx;
Ubuntu20用这个命令:sudo apt-get install python3-certbot-nginx
3、生成 ca证书
sudo certbot --nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.example.com
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.example.com/privkey.pem
Your cert will expire on 2019-02-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4、访问https
现在即可使用 https://www.example.com 来访问网站了。
5、证书过期问题
ca证书的使用期限是90天,可以通过下面命令自动续签更新,永不过期。
sudo certbot renew --dry-run
三、参考文档
|