1. What is an SSL Certificate?

SSL certificates are small data files that digitally bind a cryptographic key to an organization's details. When one is installed on a web server, it activates the padlock and the https protocol and allows secure connections between the web server and a browser. Typically, SSL is used to secure credit card transactions, data transfers and logins, and more recently it is becoming the norm for securing browsing on social media sites.


2. Obtain SSL Certificates From The Let's Encrypt ACME Server

Everyone is familiar with SSL certificates, and they are also fairly expensive. This post shows how to obtain a free SSL certificate with getssl to protect your own website.


Step 1: Get getssl from GitHub

First, get getssl from GitHub:

git clone https://github.com/srvrco/getssl

Or download master.zip directly; the link is:

https://github.com/srvrco/getssl/archive/master.zip


Step 2: Create a Default Config File

Create a default config file as follows:

cd getssl
./getssl -c yourdomain.com

Here yourdomain.com is the domain you want the certificate for. After the command runs, a folder named after your domain is created under the ~/.getssl directory.


Step 3: Edit Config File

Edit the default config file. Taking a Mac as an example, the config file is at: ~/.getssl/yourdomain.com/getssl.cfg

vim ~/.getssl/yourdomain.com/getssl.cfg

Modify the config file as follows:

# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
#
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"

#PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
SANS="www.yourdomain.com,sub.yourdomain.com"

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
#ACL=('/var/www/yourdomain.com/web/.well-known/acme-challenge'
#     'ssh:server5:/var/www/yourdomain.com/web/.well-known/acme-challenge'
#     'ssh:sshuserid@server5:/var/www/yourdomain.com/web/.well-known/acme-challenge'
#     'ftp:ftpuserid:ftppassword:yourdomain.com:/web/.well-known/acme-challenge')
ACL=('/yourwebroot/.well-known/acme-challenge'
     '/yourwebroot1/.well-known/acme-challenge'
     '/yourwebroot2/.well-known/acme-challenge')

#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
#USE_SINGLE_ACL="false"

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/yourpath/yourdomain.com.crt"
DOMAIN_KEY_LOCATION="/yourpath/yourdomain.com.key"
CA_CERT_LOCATION="/yourpath/chain.crt"
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert

# The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD=""

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm the correct certificate is running (if CHECK_REMOTE is set to true)
#SERVER_TYPE="https"
#CHECK_REMOTE="true"

The config above looks like a lot, but only the following lines actually need to be set:

# Uncomment the CA line; this is the certificate server
CA="https://acme-v01.api.letsencrypt.org"

# The SANS line configures your additional domains. The primary domain is not included
# here, so do not write yourdomain.com; several subdomains can be listed at once, separated by commas
SANS="www.yourdomain.com,sub.yourdomain.com"

# The ACL lines are where the ACME challenge files are stored, one entry per line.
# For every additional domain configured above there should be one more line here, because
# the first line is the challenge file location for the primary domain.
# Several lines may point to the same directory, e.g. all /yourwebroot/.well-known/acme-challenge
# If the files are stored on a remote server, write something like:
# 'ssh:user@xxx.xxx.xxx.xxx:/path/.well-known/acme-challenge'
# where user is the account you log in to the remote server with and xxx.xxx.xxx.xxx is its IP or hostname.
# During the certificate request you will be asked for the password to complete the upload
ACL=('/yourwebroot/.well-known/acme-challenge'
     '/yourwebroot1/.well-known/acme-challenge'
     '/yourwebroot2/.well-known/acme-challenge')

# These three lines are the storage locations for the cert, key and chain
DOMAIN_CERT_LOCATION="/yourpath/yourdomain.com.crt"
DOMAIN_KEY_LOCATION="/yourpath/yourdomain.com.key"
CA_CERT_LOCATION="/yourpath/chain.crt"


Step 4: Request Certificate

Once getssl.cfg is configured you can request the certificate directly.

Before running the command below, first confirm that your server can serve the .txt files under the directories configured above. During the request, getssl will fetch the file it saved under .well-known/; that file is a .txt file, so you can first place a test.txt in that directory and open it in a browser to see whether it is reachable, because some server configurations may deny access to it.

Once that is confirmed, run the following command:

./getssl yourdomain.com

If everything goes well, congratulations, your certificate has been issued.
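An added pre-flight script (example code, not part of getssl or this post) that automates the test.txt check above: it drops a throw-away token into each challenge directory, fetches it over plain HTTP the way the ACME server would, compares the body, and cleans up. The domains and webroots mirror the placeholder ACL entries in getssl.cfg and must be replaced with your own.

```shell
#!/bin/sh
# Added pre-flight check for getssl's HTTP-01 challenge path (example code,
# not from getssl). Paths and domains below are placeholders from getssl.cfg.

ACME_PATH=".well-known/acme-challenge"   # sub-path the ACME server fetches from

# URL the CA will request for a domain/token pair. HTTP-01 validation is
# always done over plain HTTP on port 80, never over https.
challenge_url() {        # challenge_url <domain> <token>
    printf 'http://%s/%s/%s\n' "$1" "$ACME_PATH" "$2"
}

# Write a throw-away token file into a challenge directory and make it
# world-readable, as a real getssl challenge file must be for the web server.
place_token() {          # place_token <challenge_dir> <token> <content>
    mkdir -p "$1" || return 1
    printf '%s' "$3" > "$1/$2" || return 1
    chmod 644 "$1/$2" && [ -r "$1/$2" ]
}

# True only when the body the server returned matches what was written.
body_matches() {         # body_matches <served_body> <expected_content>
    [ "$1" = "$2" ]
}

# Place, fetch, compare, clean up. A failure here means getssl's request
# would fail the same way (403/404 from the web server, wrong webroot, etc.).
preflight_domain() {     # preflight_domain <domain> <challenge_dir>
    token="preflight-$(date +%s)-$$"     # constructed throw-away token
    content="ok-$token"
    place_token "$2" "$token" "$content" || { echo "$1: cannot write $2"; return 1; }
    if served=$(curl -fsS "$(challenge_url "$1" "$token")"); then rc=0; else rc=1; fi
    rm -f "$2/$token"
    [ "$rc" -eq 0 ] || { echo "$1: fetch failed (blocked path or wrong webroot)"; return 1; }
    body_matches "$served" "$content" || { echo "$1: served different content"; return 1; }
    echo "$1: challenge path OK"
}

# Mirror the ACL entries in getssl.cfg: primary domain first, then each SAN.
if [ "${1:-}" = "run" ]; then
    preflight_domain "yourdomain.com"     "/yourwebroot/$ACME_PATH"
    preflight_domain "www.yourdomain.com" "/yourwebroot1/$ACME_PATH"
    preflight_domain "sub.yourdomain.com" "/yourwebroot2/$ACME_PATH"
fi
```

Run it as `sh preflight.sh run` on the web server (or wherever the webroots are mounted) before `./getssl yourdomain.com`; a non-zero exit names the domain whose path is not served.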


Step 5: Configure Your Nginx or Other Server

Once the certificate has been issued, configure your server to check that it works. Nginx is used as the example below:

server {
    #listen       443;
    # 'listen 443 ssl' already enables TLS on this port; the old 'ssl on;'
    # directive is redundant with it and is deprecated/removed in current nginx
    listen       443 ssl;
    # For clients that do not fetch intermediates themselves, this file should
    # contain the domain cert followed by the CA chain (getssl's DOMAIN_CHAIN_LOCATION)
    ssl_certificate /yourpath/yourdomain.com.crt;
    ssl_certificate_key /yourpath/yourdomain.com.key;
    ...
}

Reload the Nginx config:

nginx -s reload

Then check it in a browser. Congratulations, you have successfully obtained an SSL certificate.


Step 6: Renew Your Certificate

Certificates issued through getssl are valid for three months, so you need to request a new certificate when it expires. Of course, you can also use a script to check and renew the certificate automatically.

Taking CentOS as an example, create a crontab job to do the renewal:

23 5 * * * /your.getssl.path/getssl -u yourdomain.com -q > /tmp/getssl.txt 2>&1

-u means update and -q means quiet: if nothing goes wrong there is no log output, and if something does go wrong, look in /tmp/getssl.txt for the specific cause (getssl writes its errors to stderr, which is why the cron line redirects it into the same file).

This way your SSL certificate is renewed automatically, and you no longer need to worry about an expired certificate making your service unreachable.

The end!