使用let’s encrypt让自己的博客启用https（基于debian7+apache2）之前用过starssl的免费ssl证书，现在到期了，因为申请和续期都很麻烦，所以懒得再弄。最近在网上看到去年底，成立了个新机构（from wiki）： Let’s Encrypt 是一个将于2015年末推出的数字证书认证机构，将通过旨在消除当前手动创建和安装证书的复杂过程的自动化流程，为安全网站提供免费的SSL/TLS证书。一是简单，二是免费，为啥不用呢，于是看了看文档，就开始弄了：假如你是example.com 的所有者，只要在server端登录，并执行： Shell 1 2 3 wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto ./certbot-auto certonly –webroot -w /var/www/example -d example.com -d www.example.com 如果之前域名解析正常可以访问的话，会有如下提示： Vim 1 2 3 4 5 6 7 8 9 10 11 IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at ?? /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will ?? expire on 2016-08-29. To obtain a new or tweaked version of this ?? certificate in the future, simply run certbot-auto again. To ?? non-interactively renew *all* of your ceriticates, run ?? “certbot-auto renew” - If you like Certbot, please consider supporting our work by: ? ?? Donating to ISRG / Let’s Encrypt:?? https://letsencrypt.org/donate ?? Donating to EFF:????????????????????https://eff.org/donate-le 说明证书链和私钥、证书已经产生了。。。如果失败，则会有类似提示： Vim 1 2 3 4 5 6 7 8 9 10 Failed authorization procedure. www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/OJvVsXKC4odxeV4darP05x4T7-ymOykX0UT6jqh0rees: “ 403 Forbidden

Forbidden

ServerName ip地址，防止直接ip访问 Order Allow,Deny Deny from all ? ? ? ?? ????????Header always set Strict-Transport-Security “max-age=15553000; includeSubDomains; preload” ?? ??RewriteEngine on ??RewriteCond %{SERVER_PORT} !^443$ ??RewriteRule ^(.*)?$ https://routeragency.com/$1 [L,R] ? ? ??DirectoryIndex index.html index.php ??DocumentRoot /var/www/example.com/public_html/ ??ServerName routeragency.com:443 ??ServerAlias routeragency.com example.com www.routeragency.com ??SSLEngine On ??SSLProtocol ALL -SSLv2 -SSLv3 ??SSLHonorCipherOrder on ??SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 ??SSLCompression Off ??SSLOptions +StrictRequire ??SSLCertificateFile??/etc/letsencrypt/live/routeragency.com/fullchain.pem ??SSLCertificateKeyFile /etc/letsencrypt/live/routeragency.com/privkey.pem ??SSLCACertificateFile /etc/letsencrypt/live/routeragency.com/chain.pem ? ??DirectoryIndex index.html index.php ??DocumentRoot /var/www/example.com/public_html/ ??ServerName routeragency.com ??ServerAlias www.example.com www.routeragency.com example.com 然后重启apache服务： Shell 1 service apache2 restart 最后在crotab中设置2个月更新一次证书（因为这个机构的证书只有3个月有效期）： Shell 1 crontab -e 添加定时任务 Shell 1 0 0 1 */2 * xxx/certbot/certbot-auto renew && /etc/init.d/apache2 restart 搞定，简单吧。。。可以到www.ssllabs.com测试一下评级，满足一下虚荣心。。。参考资料： 1.https://letsencrypt.org/getting-started/ 2.https://certbot.eff.org/#debianwheezy-apache 3.https://ksmx.me/letsencrypt-ssl-https/?utm\_source=v2ex&utm\_medium=forum&utm\_campaign=20160529 4.http://blog.rlove.org/2013/12/strong-ssl-crypto.html