Starting with version 62, Google Chrome marks every site whose address begins with http as "Not Secure" and gives it no search-ranking weight. Of course, domestically this may not be enforced that strictly: I see many of the big Chinese IT companies still serving plain http much of the time, which is why some things here just do not keep pace with everyone else, and it is hard to say how that will go in the future.
I think installing an SSL certificate to encrypt your website is very necessary, and if you do cross-border trade it goes without saying; that said, many fully managed hosts no longer require you to install one yourself. Let's Encrypt is the largest free SSL certificate provider abroad. This article is mainly for an unmanaged VPS you bought yourself, with the site built on OpenLiteSpeed, and covers installing and configuring a Let's Encrypt SSL certificate.
Installing Certbot
To obtain a Let's Encrypt SSL certificate you need to install a tool called certbot. First add the certbot source, or in other words update the CentOS package repositories:
# CentOS 7 / RHEL 7 #
rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install epel-release
# CentOS 8 / RHEL 8 #
rpm -Uvh http://rpms.litespeedtech.com/centos/litespeed-repo-1.1-1.el8.noarch.rpm
dnf -y install epel-release
Install certbot:
# CentOS 7 / RHEL 7 #
yum install certbot
# CentOS 8 / RHEL 8 #
dnf install certbot
Make sure OpenLiteSpeed is enabled and running. For how to install and configure OpenLiteSpeed, refer to this article:
systemctl status lsws // or
/usr/local/lsws/bin/lswsctrl status
The former shows a green Active, meaning it is running; the latter returns the following:
litespeed is running with PID 6230. // the number may differ
Obtaining the Let's Encrypt SSL certificate
During certificate creation, make sure the virtual host for your domain is set up correctly and reachable from the Internet. certbot creates a .well-known/acme-challenge directory under the document root of your OpenLiteSpeed Virtual Host; the Let's Encrypt validation server then performs an HTTP request against it to verify that the domain really resolves to the current server's IP.
Enter the following command over SSH:
certbot certonly --webroot -w /usr/local/lsws/example.com/html -d example.com -d www.example.com
// the red field (the path after -w) is your website's document root; list the domains to add one by one after -d, subdomains included. It is recommended to add every subdomain you need here, so that a single certificate can serve all of them when you configure the port later; www.example.com counts as a subdomain too.
Then generate the certificate by following the prompts below; this is what I got using my own domain as an example:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): your email address
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Using the webroot path /usr/local/lsws/qingsongb2c.com/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/qingsongb2c.com/fullchain.pem. Your cert will
expire on 2017-11-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Afterwards all certificate-related files are in /etc/letsencrypt/live/example.com/, including:
- cert.pem – the domain's SSL certificate
- chain.pem – the CA certificate
- fullchain.pem – the certificate bundle, containing both of the above
- privkey.pem – the private key
Configuring the certificate in OpenLiteSpeed
The LiteSpeed server is configured through a graphical interface, reachable at the address below; for more on OpenLiteSpeed configuration see this article: OpenLiteSpeed server configuration.
http://ip:7080 // the public IP of your cloud host or VPS
1. After logging in to the OpenLiteSpeed admin console, add a new Listener (port) via Listeners in the left-hand menu

2. Configure the Listener and save

3. Map the Virtual Host to the new Listener port: Listeners –> qingsongb2c.com –> General –> Virtual Host Mappings –> Add

First select the Virtual Host you want to map, then enter your domain name and save
4. Set up SSL for the Listener: Listeners –> qingsongb2c.com –> SSL –> SSL Private Key & Certificate
Private Key File: /etc/letsencrypt/live/qingsongb2c.com/privkey.pem
Certificate File: /etc/letsencrypt/live/qingsongb2c.com/fullchain.pem
Chained Certificate: Yes
CA Certificate Path: /etc/letsencrypt/live/qingsongb2c.com/
CA Certificate File: /etc/letsencrypt/live/qingsongb2c.com/cert.pem
Protocol Version: SSL v3.0 TLS v1.0 TLS v1.1 TLS v1.2 TLS v1.3
SSL Renegotiation Protection: Yes
Enable Session Cache: Yes
Enable SPDY/HTTP2/HTTP3: HTTP/2 HTTP/3
Allow QUIC: Yes
5. Restart OpenLiteSpeed, as shown in the figure

6. Verify that the setup succeeded: scroll down on the dashboard and check whether the port you just configured shows green, as in the figure below

Of course you can also simply type https://example.com into your browser and see whether it opens.
Renewing the SSL certificate
Let's Encrypt's free SSL certificates are only valid for 90 days, after which you need to renew them yourself to keep the site running normally:
certbot renew --dry-run
which returns the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/qingsongb2c.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for qingsongb2c.com and www.qingsongb2c.com
Performing the following challenges:
http-01 challenge for qingsongb2c.com
http-01 challenge for www.qingsongb2c.com
Using the webroot path /usr/local/lsws/qingsongb2c.com/html/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/qingsongb2c.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/qingsongb2c.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You can also set up automatic renewal as follows, so that a renewal check runs every 12 hours:
crontab -e
then press "i" and enter the following:
# crontab -e edits a per-user crontab, which has no user field; a "root" column here would be run as the command
0 */12 * * * test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
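A deploy hook that checks the renewed lineage before restarting the server, as an added example (not code from the original post): it assumes certbot's RENEWED_LINEAGE environment variable, the live-directory file names listed above, and the same `systemctl restart lsws` as the crontab line. Point the cron line's --deploy-hook at this script instead of the bare restart command.

```sh
#!/bin/sh
# Certbot --deploy-hook for OpenLiteSpeed (added example, not from the original post).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) to the hook;
# privkey.pem / fullchain.pem are the file names certbot writes into that directory.
set -u

# Succeed only if privkey.pem is the private key for the leaf certificate in fullchain.pem.
# openssl x509 reads the first certificate of the bundle, i.e. the domain certificate.
cert_matches_key() {
  lineage=$1
  cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -pubkey -noout 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the leaf certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1/fullchain.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the leaf certificate's notAfter date (useful in the renewal log).
cert_expiry() {
  openssl x509 -in "$1/fullchain.pem" -noout -enddate | sed 's/^notAfter=//'
}

# Refuse to restart the web server on a broken lineage: a mismatched key or an
# already-expired certificate would take the HTTPS listener down instead of renewing it.
deploy() {
  lineage=$1
  if ! cert_matches_key "$lineage"; then
    echo "deploy-hook: privkey.pem does not match fullchain.pem in $lineage, not restarting" >&2
    return 1
  fi
  if ! cert_valid_for_days "$lineage" 1; then
    echo "deploy-hook: certificate in $lineage expires within a day, not restarting" >&2
    return 1
  fi
  echo "deploy-hook: new certificate valid until $(cert_expiry "$lineage"), restarting lsws"
  systemctl restart lsws
}

# Only act when invoked by certbot; running the file by hand without that variable does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy "$RENEWED_LINEAGE"
fi
```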
That's about it. This method also works for the Apache web server, except that there you configure SSL by editing Apache's configuration files.
Copyright notice: this is an original article first published on Qingsong Cross-border B2C. All rights reserved; do not reproduce without permission!
Reproduction: if you wish to reproduce this article, obtain consent first and credit the original link.