This site has decided to use the free SSL certificate issuer: https://letsencrypt.org/
0 Installing certbot
Certbot ACME client can automate certificate issuance and installation with no downtime. It also has expert modes for people who don’t want autoconfiguration. It’s easy to use, works on many operating systems, and has great documentation.
The server is Apache/2.4.18 (Ubuntu 16.04 (xenial))
Install
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages.
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server are not available for your OS yet. This should change soon but if you don’t want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.
Get Started
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates certificate installation.
$ sudo certbot --apache
Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:
$ sudo certbot --apache certonly
To learn more about how to use Certbot read our documentation.
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
$ sudo certbot renew --dry-run
More detailed information and options about renewal can be found in the full documentation.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/anywugn.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/anywugn.com/privkey.pem
   Your cert will expire on 2018-07-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot renew"
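The renewal cron job can stop working without anyone noticing until the 90-day certificate lapses, so it is worth checking the files under /etc/letsencrypt/live/ independently. The script below is an added example, not part of the Certbot documentation or the original post; the function names and the 25-day alert threshold are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: report whether certbot-managed certificates are being renewed.
# Assumed: certbot's layout <live>/<name>/fullchain.pem and a 25-day threshold.

# cert_status PEM [WARN_DAYS]
# Prints OK, RENEWAL_OVERDUE, EXPIRED or UNREADABLE; returns 0, 1, 2 or 3.
cert_status() {
    pem=$1
    warn_days=${2:-25}   # certbot renews below 30 days left; 25 leaves slack
    # A missing file or non-certificate content is reported as its own state.
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$pem" \
            >/dev/null 2>&1; then
        echo RENEWAL_OVERDUE; return 1
    fi
    echo OK
}

# check_live_dir [LIVE_DIR] [WARN_DAYS]
# Prints "<status> <name> <notAfter>" per certificate and returns the worst
# status code seen, so cron or a monitoring agent can alert on non-zero.
check_live_dir() {
    live=${1:-/etc/letsencrypt/live}
    worst=0
    for pem_file in "$live"/*/fullchain.pem; do
        [ -e "$pem_file" ] || continue
        name=$(basename "$(dirname "$pem_file")")
        # "&& rc=0 || rc=$?" keeps the status code without tripping `set -e`.
        status=$(cert_status "$pem_file" "$2") && rc=0 || rc=$?
        end=$(openssl x509 -noout -enddate -in "$pem_file" 2>/dev/null | cut -d= -f2)
        echo "$status $name ${end:-unknown}"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

After sourcing the file, call check_live_dir as root from a daily job and alert on a non-zero exit status; RENEWAL_OVERDUE means the certificate is already inside the window in which certbot should have replaced it.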
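1 Follow-up
I used the method above to install an SSL certificate valid for three months; it took effect immediately on visiting the site, without restarting Apache. However:
- The WP home page did not show the green padlock, while other pages such as posts and the admin back end did.
- The theme's background image was lost; setting it again fixed that.
There is probably some foreshadowing here, but that is for another time.
1.1 Advice from Turntide
Recommends replacing certbot with acme.sh
1. It is shell-based, so it doesn't even need python (though that isn't really necessary)
2. It supports wildcard certificates on most systems, i.e. *.anywugn.com, which makes things a lot more convenient. As far as I can see, certbot currently only supports Arch Linux and CentOS/RHEL 7+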