Upgrading a Hexo blog to HTTPS

This post describes how to serve a Hexo site over HTTPS (a Let's Encrypt certificate in front of Nginx) and the problems hit along the way.

Preparation

Add an A record for the VPS IP in DNSPod:

@ A default VPSIP

Then pause the existing records that point the domain at GitHub Pages' IPs. The http-01 validation used below is nothing more than an HTTP request from the CA to whatever the A record resolves to, so while both sets of records are live the request may land on GitHub instead of the VPS and the validation fails.

Getting a free certificate

To push HTTPS adoption, Let's Encrypt, a certificate authority run by the ISRG with the EFF among its founding backers, issues certificates free of charge, so even a small site can move to HTTPS at no cost.

The catch is that Let's Encrypt only does domain validation (DV): it checks that you control the name and nothing about who you are. It is not limited to one name per certificate, though: repeat -d for each hostname you want on it (the bare domain and its www form, say), and wildcards are available if you validate with the dns-01 challenge instead of the http-01 challenge used below.

Clone the letsencrypt client

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

If you hit a permission error, /opt is owned by root: create /opt/letsencrypt first and make it writable for your user (or run the clone with sudo). Note that letsencrypt-auto is the old name of the certbot-auto wrapper, which has since been deprecated; on a current system, install the distribution's certbot package and type certbot wherever letsencrypt-auto appears below, the arguments are the same.

Registering a certificate: point Nginx at the static files

Getting a certificate for a domain is simple: the client generates the key and obtains the certificate in one step. Because Let's Encrypt only does domain validation, all the automated command has to prove is that you control the domain. With the webroot authenticator it does that by writing a token under .well-known/acme-challenge/ in the directory you name, which the CA then fetches over plain HTTP.

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/blog -d tding.top

You will then be asked for an e-mail address (used for expiry notices).

And then this error appeared:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tding.top
Using the webroot path /var/www/blog for all unmatched domains.
Waiting for verification...
Challenge failed for domain tding.top
http-01 challenge for tding.top
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: tding.top
Type: connection
Detail: Fetching
http://tding.top/.well-known/acme-challenge/-OO3Ftn96u4kKPKKUkyFHxa6ntdZioOfEF-x5_CwKpY:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

The fix: get Nginx configured and running so the domain answers over plain HTTP first. "Connection refused" means nothing was listening on port 80 at the address the A record points to (Nginx not started, or a firewall blocking the port); the challenge needs nothing but port 80. If you changed domains, an existing HTTPS server block whose ssl_certificate paths do not exist yet will stop Nginx from starting at all, so comment it out until the certificate has been issued and confirm the site loads over http:// before retrying.
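Both failures above (nothing listening, or Nginx serving the wrong directory) can be caught before the CA is involved. The script below is an added example, not code from the original post: it writes a throwaway token into the challenge directory, fetches it over plain HTTP exactly as the CA would, and only then runs the certonly command from above. DOMAIN, WEBROOT and the client path are assumed defaults that you override in the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the http-01 path is
# actually served before calling the client, then issue the certificate.
# DOMAIN, WEBROOT and CERTBOT are assumed defaults; override them in the environment.
set -eu

DOMAIN="${DOMAIN:-tding.top}"
WEBROOT="${WEBROOT:-/var/www/blog}"
CERTBOT="${CERTBOT:-/opt/letsencrypt/letsencrypt-auto}"   # or just: certbot

# Write a throwaway token into the ACME challenge directory (creating it if
# needed) and print the token name. The file must be readable by the nginx
# worker, which is what the CA's request ends up hitting.
make_probe_token() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="preflight-$(date +%s)-$$"
    printf 'preflight-ok\n' > "$dir/$token"
    chmod 644 "$dir/$token"
    printf '%s\n' "$token"
}

# Fetch the token over plain HTTP the way the CA does. -L follows redirects
# (Let's Encrypt follows them too); the body must be exactly what we wrote,
# which also catches a 200 that is really the site's index or a 404 page.
probe_http01() {
    domain="$1"; webroot="$2"
    token=$(make_probe_token "$webroot")
    path="$webroot/.well-known/acme-challenge/$token"
    url="http://$domain/.well-known/acme-challenge/$token"
    if ! body=$(curl -sS -L --max-time 10 "$url"); then
        rm -f "$path"
        echo "cannot fetch $url: nothing listening on :80, wrong A record, or firewall" >&2
        return 1
    fi
    rm -f "$path"
    if [ "$body" != "preflight-ok" ]; then
        echo "unexpected body for $url: nginx is not serving $webroot/.well-known/acme-challenge/" >&2
        return 1
    fi
    echo "http-01 path OK: $url"
}

# Usage: sh issue-cert.sh issue
case "${1:-}" in
    issue)
        probe_http01 "$DOMAIN" "$WEBROOT"
        "$CERTBOT" certonly -a webroot --webroot-path="$WEBROOT" -d "$DOMAIN"
        ;;
esac
```

Run it as `sh issue-cert.sh issue` on the VPS. If the probe fails you get the same diagnosis the CA would have given, but immediately and without burning Let's Encrypt's rate limit on failed validations.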

Running the registration command again then succeeded:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tding.top
Using the webroot path /var/www/blog for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/tding.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/tding.top/privkey.pem
Your cert will expire on 2019-11-18. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Nginx configuration: serving the static files

At this point the certificate is ready; once Nginx is configured the site is on HTTPS.

Nginx setups vary, but four things have to be right:

  • the server_name matches the domain
  • the static file root (the Hexo public directory as deployed on the server) is correct
  • the .well-known/acme-challenge/ location is served over plain HTTP from the same root, so renewals keep working
  • both port 80 and the ssl port 443 have a server block

Here is an example Nginx configuration:

server {
    listen 80;
    server_name tding.top;  # your domain

    # ACME http-01 challenge files; root must be the same webroot given to the client
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/blog;  # your static file directory
    }
    # do not serve the challenge directory itself
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    # Redirect everything else to HTTPS. The return must sit inside a location:
    # a bare return at server level is executed before location matching, so it
    # would redirect the challenge requests as well.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    # SSL configuration
    listen 443 ssl;
    server_name tding.top;  # your domain
    # certificate files; replace the domain in the paths
    ssl_certificate /etc/letsencrypt/live/tding.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tding.top/privkey.pem;
    location / {
        root /var/www/blog;  # your static file directory
        index index.html index.htm;  # the static files to expose
    }
}
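The configuration above gets the site onto HTTPS but leaves Nginx's defaults for everything else, and on builds before 1.23.4 that still means offering TLS 1.0 and 1.1. As an added example (not the post's own config or a certbot feature), the following helper renders a hardened version of the same two server blocks, tests the result with nginx -t and reloads only if the test passes, rolling back otherwise. The conf.d path and the reload command are assumptions for a Debian-style layout.

```shell
#!/bin/sh
# Added example, not part of the original post: render a hardened version of the
# site config above, validate it with nginx -t and reload. SITES_DIR and
# RELOAD_CMD are assumptions for a Debian-style layout; adjust for your distro.
set -eu

SITES_DIR="${SITES_DIR:-/etc/nginx/conf.d}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Print the config for DOMAIN serving static files from WEBROOT.
# Nginx variables are escaped (\$) so the shell leaves them alone.
render_site_conf() {
    domain="$1"; webroot="$2"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    # ACME http-01: must stay reachable over plain HTTP from the certbot webroot.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root $webroot;
    }

    # Everything else goes to HTTPS. Kept inside a location: a bare 'return'
    # at server level runs before location matching and would redirect the
    # challenge requests as well.
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # TLS 1.0/1.1 are obsolete; nginx before 1.23.4 still offers them by default.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Browsers remember to use HTTPS for a year; start with a small max-age
    # while testing, because a wrong HSTS header is hard to take back.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        root $webroot;
        index index.html index.htm;
    }
}
EOF
}

# Write the rendered config, test the whole nginx tree, reload on success,
# roll back on failure so a typo never takes the site down.
install_site_conf() {
    domain="$1"; webroot="$2"
    target="$SITES_DIR/$domain.conf"
    if [ -f "$target" ]; then cp "$target" "$target.bak"; fi
    render_site_conf "$domain" "$webroot" > "$target"
    if nginx -t; then
        $RELOAD_CMD
    else
        echo "nginx rejected $target, restoring previous version" >&2
        if [ -f "$target.bak" ]; then mv "$target.bak" "$target"; fi
        return 1
    fi
}

# Usage: sh site-conf.sh render tding.top /var/www/blog    (print only)
#        sh site-conf.sh install tding.top /var/www/blog   (write, test, reload)
case "${1:-}" in
    render)  render_site_conf "$2" "$3" ;;
    install) install_site_conf "$2" "$3" ;;
esac
```

Use `render` first to eyeball the output, then `install` as root. The redirect target uses $host rather than $server_name so that a request for a www alias, if you add one to server_name later, is redirected to the name the client actually asked for.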

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days, after which they have to be renewed. That job can be handed to the server itself.

Check that your certificate can be renewed

cd /opt/letsencrypt
./letsencrypt-auto renew --dry-run

This command only simulates the renewal against the Let's Encrypt staging environment; it does not replace the certificate on disk.

If the output contains Congratulations! the automatic renewal will work. If it errors out or reports that the challenge path could not be fetched, the .well-known/acme-challenge location is usually misconfigured: renewal repeats the same http-01 challenge, so the token has to be served from the webroot over plain HTTP, exactly as during the first issuance.

Write the crontab entry

crontab -e

Entry:

# Mondays 02:30: renew anything within 30 days of expiry, then reload nginx for each
# certificate that was actually replaced (nginx keeps the old one in memory otherwise)
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew --deploy-hook "nginx -s reload" >> /var/log/le-renew.log 2>&1

The renewal has to run as root anyway (it writes under /etc/letsencrypt and reloads Nginx), so put the entry in root's crontab; /var/log/le-renew.log is then writable without any further permission changes. Without the reload step Nginx keeps serving the expired certificate until it is next restarted, even though the files on disk are fresh.
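A one-line crontab entry gives you no way to tell whether renewal is actually keeping up. The script below is an added example, not part of the original post: a cron-friendly wrapper around renew with the reload hook, plus a portable check of how many days a certificate has left that can be run from the same entry or by hand. The certbot and reload commands are assumed defaults; the deploy hook needs certbot 0.17 or newer.

```shell
#!/bin/sh
# Added example, not part of the original post: a cron-friendly renewal wrapper
# that reloads nginx only when a certificate was actually replaced, plus a helper
# that reports how many whole days a PEM certificate has left. CERTBOT and
# RELOAD_CMD are assumed defaults; the deploy hook needs certbot 0.17 or newer.
set -eu

CERTBOT="${CERTBOT:-certbot}"            # or /opt/letsencrypt/letsencrypt-auto
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Whole days until the certificate in $1 expires; 0 if expired or unreadable.
# 'openssl x509 -checkend N' exits 0 while the cert is still valid N seconds
# from now, so binary-search the largest day count that still passes (capped
# at 3649). This avoids parsing notAfter with the non-portable 'date -d'.
cert_days_left() {
    cert="$1"
    openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1 || { echo 0; return 0; }
    lo=0; hi=3650
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if openssl x509 -checkend $((mid * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# certbot renew only touches certificates within 30 days of expiry. The
# --deploy-hook runs once per renewed certificate, which is exactly when nginx
# has to be told to reload: it keeps the old cert in memory until then.
renew_and_reload() {
    "$CERTBOT" renew --quiet --deploy-hook "$RELOAD_CMD"
}

# One log line for the live certificate of DOMAIN ($1); grep the log for
# "days left" to see whether renewals are really happening.
report() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    echo "$(date '+%F %T') $1: $(cert_days_left "$cert") days left"
}

# Usage: sh le-renew.sh renew                 (from cron)
#        sh le-renew.sh report tding.top
#        sh le-renew.sh days /path/to/cert.pem
case "${1:-}" in
    renew)  renew_and_reload ;;
    report) report "${2:?domain}" ;;
    days)   cert_days_left "${2:?cert path}" ;;
esac
```

A matching crontab entry (path assumed) is `30 2 * * 1 /usr/local/sbin/le-renew.sh renew >> /var/log/le-renew.log 2>&1`, followed by `report tding.top` on the same schedule if you want the day count in the log. Certbot's own recommendation is to run renew twice a day rather than weekly; it is cheap, because nothing is contacted unless a certificate is within 30 days of expiry.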
