去年寫過網站開始支持HTTPS和利用observatory.mozilla.org提高本站安全性,
當時使用的是有效期為一年的StartCom的免費證書。
本月底它就要失效了,所以試著安裝一下最近比較流行的Let's Encrypt電子證書。
首先在Mac上執行這些命令來安裝certbot。
$ brew update
$ brew install certbot
$ brew ls certbot
/usr/local/Cellar/certbot/0.9.3_1/bin/certbot
/usr/local/Cellar/certbot/0.9.3_1/bin/letsencrypt
/usr/local/Cellar/certbot/0.9.3_1/libexec/bin/ (18 files)
/usr/local/Cellar/certbot/0.9.3_1/libexec/lib/ (1946 files)
/usr/local/Cellar/certbot/0.9.3_1/libexec/ (2 files)
/usr/local/Cellar/certbot/0.9.3_1/share/certbot/ (7 files)
然後在Mac執行
$ certbot --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log certonly --manual
輸入email, domain,
按照指示在伺服器上作出.well-known/acme-challenge/下的認證文件,並按回車,
支 持 本 站: 捐贈伺服器等運維費用,需要您的支持!
看起來取得證書成功,並得到以下顯示:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/Users/laoyanhunhua/letsencrypt/etc/live/yinlei.org/fullchain.pem. Your
cert will expire on 2017-04-08. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- Your account credentials have been saved in your Certbot
configuration directory at /Users/laoyanhunhua/letsencrypt/etc. You
should make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
可以看到本地etc/live/yinlei.org/下面生成4個文件:
cert.pem chain.pem fullchain.pem privkey.pem
然後按先後順序把密匙文件privkey.pem,網站證書cert.pem和中間證書chain.pem這幾個文件放到web伺服器上就可以了。
(ドメイン設定→SSL証明書更新→秘密鍵をアップロードする→証明書のインストール→中間証明書のインストール )
Let's Encrypt的缺點是有效期只有3個月,實在太短了。。
參考資料
Let's Encrypt の使い方
Windows ユーザーの HTTPS化 - さくらのレンタルサーバ + Let's Encrypt + WordPress マルチサイト
let's encrypt で複數ホスト名対応な証明書を作る
後來又把網站做了些優化,
包括把3個CSS文件合併成一個,
調用javascript時使用異步方式(加入async參數),
感覺網頁的顯示速度有了些提高。
在谷歌的testmysite.thinkwithgoogle.com和PageSpeed Insights工具上測試了一下,結果確實有了改善。
留言簿