处于安全考虑个人网站可以把http服务改成 https服务,网络上有很多方法来自己做数字签名。但是浏览器在连接该网站时候会报不安全连接,有些浏览器会因此拒绝连接,比如IE。chrome则问很多问题再三确认是否继续连接。这个会让使用者很厌烦。产生这个问题原因是个人生成的数字签名不被浏览器认可,因为数字签名没有被有关机构认证。
网上有很多收费提供https签名认证服务的网站,但价格还是有些高,对于个人网站来说,没有必要交付这个费用。现在有一个免费提供签名的网站,Let’s Encrypt。通过它提供的签名,任何浏览器都可以正常访问自己的https网站了。安装过程很简单,我在自己的树莓派上的操作过程如下:
- 首先可以ssh到自己的网站,当然这个要求很好满足,我的树莓派就在手边。但对于在其他网站上的个个人网页服务,有些可能不能提供这个服务。对于无法ssh的问题,不在本文考虑之内,请参考其他网站。
- 有自己的域名,这个当然也是必须的,签名认证就是认证域名。我自己的是在changeip免费注册的域名。
- 一个正在运行的apache网页服务器。在安装过程中,务必保证服务保持运行状态。
- 说一下我的软硬件,树莓派3,运行raspbian Jessie,安装了apache2。自己作过数字签名,但如以上原因,通常会被报不安全连接。
- 安装过程,参考https://letsencrypt.org/getting-started/ , 下面根据我的操作一步一步来:
- 首先安装jessie-backports,由于raspbian包里没有backports软件,需要在/etc/apt的list里加上源:
1) Add the line ‘deb ftp://ftp.nl.debian.org/debian jessie-backports main contrib non-free’.
2) apt-get update
3) apt-get install python-certbot-apache -t jessie-backports
此时有可能会报该源数字签名问题的错,但是不用管它,继续安装。
- 运行命令
certbot –apache
这个命令自动设置所需所有内容,根据提示一步一步操作。
- 安装完成后,重起apache 服务, 安装到此结束。现在已经是安全连接的https的网站了。
注意问题:
- 由于自己曾经做过个人数字签名,所以需要把原来sites-enable目录的其他原来配置删除(或者移到其他目录保存)。刚才安装过程中已经重新生成了基于新数字签名的apache2 服务配置文件。
- 因为需要redirect所有http (80)请求到https (443),需要修改自动生成的sites-enable里的配置文件,我是把原来这部分的配置拷贝过来了。
大约每3个月需要renew一下。
renew时候以root身份运行下面命令:
certbot renew –dry-run
可参考下面网站:
https://certbot.eff.org/#debianjessie-apache
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew –dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:
certbot renew
default
https://certbot.eff.org/lets-encrypt/debianjessie-apache
SSH into the server
SSH into the server running your HTTP website as a user with sudo privileges.
Remove packaged Certbot installation
We previously recommended that Debian 8 (jessie) users install Certbot from the packaged version. Because of important updates in the Certbot code, we are now recommending that Debian 8 users switch to the certbot-auto method, described below.
Run this command on the command line on the machine to remove previous installations of Certbot. If Certbot has never been installed, the command will not do anything.
sudo apt-get remove certbot
Install Certbot
Run these commands on the command line on the machine to install Certbot.
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Choose how you’d like to run Certbot
Either get and install your certificates…
Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.
sudo /usr/local/bin/certbot-auto –apache
Or, just get a certificate
If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, run this command.
sudo /usr/local/bin/certbot-auto certonly –apache
Set up automatic renewal
We recommend running the following line, which will add a cron job to the default crontab.
echo “0 0,12 * * * root python -c ‘import random; import time; time.sleep(random.random() * 3600)’ && /usr/local/bin/certbot-auto renew” | sudo tee -a /etc/crontab > /dev/null
Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.
2021-06-08更新。
更新方式有变化,参考链接:https://certbot.eff.org/lets-encrypt/debianbuster-apache
上面的链接失效,见下面的链接:
https://certbot.eff.org/instructions?ws=apache&os=debian-10