一、问题
让网站(http://www.example.com )反对 https 协定,能失常拜访( https://www.example.com)这个链接。
二、解决方案
https 其实就是通过 ca 证书,对服务器和域名进行实名认证。这里应用公益组织 Let's Encrypt 提供的工具 certbot 收费生成 ca 证书。
1、服务器环境:
- Ubuntu:服务器操作系统;
- nginx:用于部署运行网站的服务器;
www.example.com:通过备案且能失常解析到服务器;
2、装置 certbot
certbot 是 公益组织 Let's Encrypt 提供的 ca证书 生成工具。
sudo apt-get update;sudo apt-get install software-properties-common;sudo add-apt-repository ppa:certbot/certbot;sudo apt-get update;Ubuntu14用这个命令:sudo apt-get install python-certbot-nginx;Ubuntu20用这个命令:sudo apt-get install python3-certbot-nginx3、生成 ca证书
# 1、执行生成命令sudo certbot --nginx# 2、呈现如下信息Which names would you like to activate HTTPS for?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1: www.example.com# 3、输出 1 ,回车# 4、呈现如下信息Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1: No redirect - Make no further changes to the webserver configuration.2: Redirect - Make all requests redirect to secure HTTPS access. Choose this fornew sites, or if you're confident your site works on HTTPS. You can undo thischange by editing your web server's configuration.# 5、输出 2 ,回车# 6、呈现上面语句,示意生成胜利IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.example.com/privkey.pem Your cert will expire on 2019-02-25. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le4、拜访https
当初即可应用 https://www.example.com 来拜访网站了。
5、证书过期问题
ca证书的应用期限是90天,能够通过上面命令主动续签更新,永不过期。
sudo certbot renew --dry-run三、参考文档
- 让你的网站从http收费降级为https!