韌館-LearnHouse

Setting up an Apache VirtualHost with a Let's Encrypt SSL certificate on Ubuntu 20.04

We all know that HTTPS gives an encrypted connection, but obtaining a certificate used to mean paying a substantial fee. For a non-commercial site like my personal blog that looked like an unnecessary expense.
A few years ago, however, a certificate authority (CA) called Let's Encrypt appeared, offering SSL/TLS certificates free of charge.
The catch is that each certificate is valid for only three months (90 days), so it has to be renewed every three months; fortunately there is an automatic renewal mechanism. Since it is free, my blog now forces HTTPS connections.

The steps to request and install the certificate are as follows:

1. Make sure your firewall allows ports 80 and 443 (the http-01 challenge used below arrives on port 80; HTTPS is served on 443)

sudo ufw allow 80
sudo ufw allow 443

2. Install the Let's Encrypt client. On Ubuntu 20.04 the letsencrypt package is a transitional package that pulls in certbot, so installing either name gives you the certbot command used below.

sudo apt install letsencrypt

3. Check that certbot.timer is active. It runs certbot renew twice a day, and any certificate that will expire within 30 days is renewed automatically.

sudo systemctl status certbot.timer

4. Obtain the Let's Encrypt certificate, replacing learn-house.idv.tw with your own domain. The command below uses the standalone authenticator, which starts certbot's own temporary web server on port 80 to answer the http-01 challenge; if Apache is already listening on port 80 the run fails with "Problem binding to port 80", as the output below shows. Step 5 uses the Apache plugin instead, which answers the challenge through the running Apache and does not have this problem.

sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d learn-house.idv.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): enter your e-mail address

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: you can answer N

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for learn-house.idv.tw
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

5. Install the certificate into Apache automatically. First install the certbot Apache plugin; when run, certbot creates a port 443 VirtualHost for you if none exists, and otherwise locates your existing VirtualHost configuration file and updates it.

sudo apt install python3-certbot-apache

sudo certbot --apache --agree-tos --preferred-challenges http -d learn-house.idv.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for learn-house.idv.tw
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/blog.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): you can choose 1 (no redirect; the site stays reachable over plain HTTP), or 2 if you want certbot to force HTTPS

Congratulations! You have successfully enabled https://learn-house.idv.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=learn-house.idv.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/learn-house.idv.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/learn-house.idv.tw/privkey.pem
   Your cert will expire on 2021-04-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That's it!
Reference: https://serverspace.io/support/help/how-to-get-lets-encrypt-ssl-on-ubuntu/

[2021.6.6] Renewing the certificate manually
On May 17 a power outage (I can't generate electricity with love, after all) damaged my server. I do back up regularly, certificates included, but after the restore the automatic renewal process did not work, so today the certificate expired and I had to run the command again:

sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d learn-house.idv.tw

but got:

Problem binding to port 80: Could not bind to IPv4 or IPv6.

The fix is to stop your web server (whichever of apache2 or nginx you run) so that port 80 is free while certbot's standalone listener answers the challenge, and to start it again once certbot has finished. The standalone authenticator cannot share port 80 with a running server, and the same conflict hits unattended certbot renew if the renewal configuration saved under /etc/letsencrypt/renewal/ records the standalone authenticator; certbot's --pre-hook and --post-hook options can stop and start the web server around the renewal, or you can switch to the Apache plugin, which needs no stop at all.

sudo service apache2 stop
or
sudo service nginx stop
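The procedure above (steps 1 to 5) and the manual-renewal note in the 2021.6.6 update, as one scripted, non-interactive version. This is an added example, not code from the original post or from the certbot project: the helper names (build_certbot_cmd, needs_renewal, cert_expiry_epoch, port80_listener, standalone_renew) are this example's own, the contact address admin@example.com is a placeholder, and it assumes Ubuntu 20.04 with Apache, run as root. It goes slightly beyond the post by using the Apache plugin for the initial issuance (so Apache never has to stop), checking the renewal timer with a dry-run renewal, and, for the standalone path, freeing port 80 only for the duration of the challenge.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of steps 1-5
# plus the manual-renewal note. Assumptions not in the post: EMAIL is a
# placeholder, helper names are this example's own, Ubuntu 20.04 with Apache,
# run as root.
set -eu

DOMAIN="${DOMAIN:-learn-house.idv.tw}"   # domain used in the post
EMAIL="${EMAIL:-admin@example.com}"      # placeholder contact address (assumed)
RENEW_DAYS=30                            # certbot's default renewal window

# Build the certbot command line for one of the two plugins used in the post.
# "apache" answers the http-01 challenge through the running Apache;
# "standalone" starts certbot's own listener on port 80, which is why it
# fails with "Problem binding to port 80" while Apache holds that port.
build_certbot_cmd() {
  plugin=$1; domain=$2; email=$3
  case "$plugin" in
    apache)
      echo "certbot --apache --non-interactive --agree-tos --no-eff-email -m $email --redirect -d $domain" ;;
    standalone)
      echo "certbot certonly --standalone --non-interactive --agree-tos --no-eff-email -m $email --preferred-challenges http -d $domain" ;;
    *)
      echo "unknown plugin: $plugin" >&2; return 1 ;;
  esac
}

# certbot's renewal rule: renew when now + window reaches notAfter.
# Arguments: window in days, expiry and current time as epoch seconds.
needs_renewal() {
  window_days=$1; expires_at=$2; now=$3
  [ $(( now + window_days * 86400 )) -ge "$expires_at" ]
}

# notAfter of a PEM certificate as epoch seconds (needs openssl and GNU date).
cert_expiry_epoch() {
  not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  date -d "$not_after" +%s
}

# Print whatever already listens on TCP port 80 (process names need root).
# Non-empty output means standalone mode would fail to bind.
port80_listener() {
  ss -ltnp 2>/dev/null | awk 'NR > 1 && $4 ~ /:80$/ { print $NF }'
}

# The 2021.6.6 manual renewal, but Apache is stopped only for the challenge
# and restarted even if certbot fails.
standalone_renew() {
  rc=0
  if [ -n "$(port80_listener)" ]; then
    systemctl stop apache2
    eval "$(build_certbot_cmd standalone "$DOMAIN" "$EMAIL")" || rc=$?
    systemctl start apache2
  else
    eval "$(build_certbot_cmd standalone "$DOMAIN" "$EMAIL")" || rc=$?
  fi
  return "$rc"
}

main() {
  # Step 1: the http-01 challenge arrives on port 80, TLS is served on 443.
  ufw allow 80/tcp
  ufw allow 443/tcp

  # Steps 2 and 5: the client and its Apache installer plugin.
  apt-get install -y certbot python3-certbot-apache

  # Issue the certificate and deploy it into the VirtualHost, redirecting
  # HTTP to HTTPS (option 2 of the interactive prompt in the post).
  eval "$(build_certbot_cmd apache "$DOMAIN" "$EMAIL")"

  # Step 3: the timer must be running, and a dry run proves the saved
  # renewal configuration works unattended before the 30-day window opens.
  systemctl is-active --quiet certbot.timer || systemctl enable --now certbot.timer
  certbot renew --dry-run

  pem=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
  if needs_renewal "$RENEW_DAYS" "$(cert_expiry_epoch "$pem")" "$(date +%s)"; then
    echo "$DOMAIN: inside the $RENEW_DAYS-day window, the timer will renew it"
  else
    echo "$DOMAIN: more than $RENEW_DAYS days left, nothing to do"
  fi
}

# Only act when called as "run" or "renew"; otherwise just define the helpers.
case "${1:-}" in
  run) main ;;
  renew) standalone_renew ;;
esac
```

Run it as `sudo sh letsencrypt-apache.sh run` for the initial setup, or `sudo sh letsencrypt-apache.sh renew` for the standalone path from the update; invoked without an argument it only defines the functions, so it can be sourced from a renewal hook. The renewal check mirrors certbot's own rule: renew when the current time plus the 30-day window reaches the certificate's notAfter, which is exactly what certbot.timer evaluates on each of its twice-daily runs.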

Posted January 2021 by admin in Linux
