HTTPS Configuration Tutorial (2): Renewing the Security Certificate

In the previous article, HTTPS Configuration Tutorial (1), we showed how to use a free Let's Encrypt certificate to serve http://liluyang.me over HTTPS. This approach has one drawback: the certificate is valid for only 90 days. After 90 days we have to issue a new certificate for the site to keep serving HTTPS; if we don't, browsers mark the site as not secure. Chrome, for example, shows the following:

Today I'll walk through renewing the certificate and some problems you may run into along the way.

Certificate Renewal

Renewing the certificate is actually simple; if everything goes well it takes a single step. Run the same command as before:

# If this command is unfamiliar, follow the link at the top of the post to the first article in this series: HTTPS Configuration Tutorial
certbot certonly --webroot -w /root/docker_nginx/html -d liluyang.me -d www.liluyang.me

If all goes well, the following shell output means the certificate was issued successfully:

root@localhost:~/docker_nginx/conf# certbot certonly --webroot -w /root/docker_nginx/html -d liluyang.me -d www.liluyang.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for liluyang.me
http-01 challenge for www.liluyang.me
Using the webroot path /root/docker_nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/liluyang.me/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/liluyang.me/privkey.pem
Your cert will expire on 2019-09-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@localhost:~/docker_nginx/conf#

Once the certificate is issued, copy the pem files into the nginx configuration directory and restart nginx as before (a reload, nginx -s reload, is enough and does not drop open connections), and HTTPS is back in service.

For a detailed explanation of the steps above, see HTTPS Configuration Tutorial (1).
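Running certbot, copying the pem files and restarting nginx by hand every 90 days is exactly the step people forget. The script below is an added example, not code from the original post: it is a certbot deploy hook that copies the renewed files into the nginx directory and reloads nginx, so a single cron entry running certbot renew keeps the site valid. It assumes (the post does not say) that nginx runs in a Docker container named nginx and reads its certificate from /root/docker_nginx/conf; both are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that copies the
# renewed PEM files into the nginx config directory and reloads nginx.
# Assumptions (not stated in the post): nginx runs in a Docker container named
# "nginx" and reads its certificate from /root/docker_nginx/conf.
# Install it with a daily cron entry such as:
#   0 3 * * * certbot renew --quiet --deploy-hook /root/docker_nginx/deploy-hook.sh
# certbot runs the hook only after a successful renewal, with RENEWED_LINEAGE set
# to the live directory (e.g. /etc/letsencrypt/live/liluyang.me).
set -eu

NGINX_CONF_DIR="${NGINX_CONF_DIR:-/root/docker_nginx/conf}"
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx}"

# deploy_certs LINEAGE_DIR DEST_DIR
# Copies fullchain.pem and privkey.pem from LINEAGE_DIR into DEST_DIR. Each file
# is written under a temporary name and then renamed, so a concurrent nginx
# reload never reads a half-written file. Returns 1 if either source is unreadable.
deploy_certs() {
    lineage="$1"
    dest="$2"
    [ -r "$lineage/fullchain.pem" ] || return 1
    [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"
    chmod 600 "$dest/privkey.pem.tmp"   # the private key must not be world-readable
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# reload_nginx CONTAINER
# Checks the configuration first, then asks the nginx master process inside the
# container to re-read it, which picks up the new certificate without downtime.
reload_nginx() {
    docker exec "$1" nginx -t && docker exec "$1" nginx -s reload
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set); sourcing the file to
# reuse the functions elsewhere does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$NGINX_CONF_DIR"
    reload_nginx "$NGINX_CONTAINER"
fi
```

The hook never touches the symlinks under /etc/letsencrypt/live directly, so the copy in the nginx directory is always a complete file pair, and the renamed-into-place swap means a reload that races with the copy still sees either the old certificate or the new one, never a truncated file.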

The main purpose of this post is to work through the following error I hit while regenerating the certificate:

root@localhost:~/docker_nginx/html# certbot certonly --webroot -w /root/docker_nginx/html -d liluyang.me -d www.liluyang.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for liluyang.me
http-01 challenge for www.liluyang.me
Using the webroot path /root/docker_nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.liluyang.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://liluyang.me [104.194.69.99]: "<!DOCTYPE html>\n\n\n\n \n\n\n<html class=\"theme-next gemini use-motion\" lang=\"zh-Hans\">\n<head><meta name=\"generator\" content=\"Hexo 3.", liluyang.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://liluyang.me [104.194.69.99]: "<!DOCTYPE html>\n\n\n\n \n\n\n<html class=\"theme-next gemini use-motion\" lang=\"zh-Hans\">\n<head><meta name=\"generator\" content=\"Hexo 3."

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.liluyang.me
Type: unauthorized
Detail: Invalid response from https://liluyang.me [104.194.69.99]:
"<!DOCTYPE html>\n\n\n\n \n\n\n<html class=\"theme-next gemini
use-motion\" lang=\"zh-Hans\">\n<head><meta name=\"generator\"
content=\"Hexo 3."

Domain: liluyang.me
Type: unauthorized
Detail: Invalid response from https://liluyang.me [104.194.69.99]:
"<!DOCTYPE html>\n\n\n\n \n\n\n<html class=\"theme-next gemini
use-motion\" lang=\"zh-Hans\">\n<head><meta name=\"generator\"
content=\"Hexo 3."

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

The cause is that, before this renewal, I had turned on a forced redirect from HTTP to HTTPS for http://liluyang.me. Let's Encrypt validates the http-01 challenge by requesting http://<domain>/.well-known/acme-challenge/<token>. It does follow redirects, including to https://, but the rule return 301 https://liluyang.me; sends the validator to the site root and drops the request path, so it fetches the Hexo home page instead of the token; that is why the error above quotes https://liluyang.me and the first bytes of the index page's HTML. Since the validator cannot confirm that the domain points at this server, issuance fails. The fix I used was to disable the forced redirect in the nginx configuration, nginx.conf (if a conf.d/default.conf file exists, edit that one first: the stock nginx.conf includes every file under conf.d/, so the server block there is the one actually handling port 80). An alternative that keeps HTTPS enforced is to preserve the path in the redirect (return 301 https://$host$request_uri;) so the challenge is served over HTTPS, or to serve /.well-known/acme-challenge/ from the webroot over plain HTTP and redirect everything else.

# Comment out the following block to disable the forced HTTPS redirect.
# Note that the redirect target has no $request_uri, so the challenge path is lost.
# server {
#     listen 80;
#     server_name liluyang.me www.liluyang.me;
#     return 301 https://liluyang.me;
# }
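Rather than discovering this only after certbot fails, you can check the challenge path yourself before renewing. The script below is an added example, not code from the original post: it drops a throwaway token into the webroot's .well-known/acme-challenge/ directory, fetches it over plain HTTP while following redirects the way the Let's Encrypt validator does, and compares the body with the token. If nginx redirects to https://liluyang.me/ without the path, the body comes back as the site's HTML, which is exactly what the "Invalid response" error above quotes. It assumes curl is installed; the webroot and domain are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the http-01
# challenge, to run before certbot. Assumption: curl is installed.
set -eu

# challenge_ok BODY TOKEN
# The validator accepts the response only when the body is the token (trailing
# whitespace is tolerated, which $(...) already strips). Returns 0 on match.
challenge_ok() {
    body=$(printf '%s' "$1")
    [ -n "$body" ] && [ "$body" = "$2" ]
}

# diagnose BODY
# Prints a hint for the most common failure modes.
diagnose() {
    case "$1" in
        *'<!DOCTYPE html>'*|*'<html'*)
            echo "got an HTML page: the http->https redirect probably dropped the request path" ;;
        '')
            echo "empty body: the challenge file is not served from the webroot" ;;
        *)
            echo "unexpected body: $1" ;;
    esac
}

# preflight WEBROOT DOMAIN
# Writes a random token into the ACME challenge directory, fetches it over
# http:// following up to 10 redirects (-L) as the validator does, compares,
# and always removes the token again.
preflight() {
    webroot="$1"
    domain="$2"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -sL --max-redirs 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    if challenge_ok "$body" "$token"; then
        echo "$domain: http-01 path is reachable, safe to run certbot"
    else
        echo "$domain: http-01 check FAILED: $(diagnose "$body")"
        return 1
    fi
}

# Usage: sh preflight.sh /root/docker_nginx/html liluyang.me
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it once per hostname on the certificate (liluyang.me and www.liluyang.me), since each gets its own http-01 challenge. A pass here does not guarantee issuance (the validator connects from Let's Encrypt's own networks, so a firewall that allows only your IP would still block it), but a failure with the "got an HTML page" hint reproduces the redirect problem above without spending a rate-limited validation attempt.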

Run the certificate command again and the certificate is issued successfully. Once it is configured, open https://liluyang.me in a browser and click the padlock icon to the left of the address bar; the certificate information has been updated:

The certificate's validity period has been updated, which confirms the setup took effect. Got it?
