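Installing a Let's Encrypt certificate

Last year I wrote "This site now supports HTTPS" and "Using observatory.mozilla.org to improve this site's security".
At that time I used a free certificate from StartCom, valid for one year.
It expires at the end of this month, so I tried installing the recently popular Let's Encrypt certificate.

First, run these commands on the Mac to install certbot.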
$ brew update
$ brew install certbot
$ brew ls certbot
/usr/local/Cellar/certbot/0.9.3_1/bin/certbot
/usr/local/Cellar/certbot/0.9.3_1/bin/letsencrypt
/usr/local/Cellar/certbot/0.9.3_1/libexec/bin/ (18 files)
/usr/local/Cellar/certbot/0.9.3_1/libexec/lib/ (1946 files)
/usr/local/Cellar/certbot/0.9.3_1/libexec/ (2 files)
/usr/local/Cellar/certbot/0.9.3_1/share/certbot/ (7 files)

Then run this on the Mac:
$ certbot --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log certonly --manual
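Enter the email and domain,
follow the instructions to create the validation file under .well-known/acme-challenge/ on the server, then press Enter.

The certificate appears to have been obtained successfully, and the following is displayed: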

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/Users/laoyanhunhua/letsencrypt/etc/live/yinlei.org/fullchain.pem. Your
cert will expire on 2017-04-08. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you lose your account credentials, you can recover through
e-mails sent to laoyanhunhua@yinlei.org.
- Your account credentials have been saved in your Certbot
configuration directory at /Users/laoyanhunhua/letsencrypt/etc. You
should make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


You can see that four files were generated locally under etc/live/yinlei.org/:
cert.pem chain.pem fullchain.pem privkey.pem

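Then just put the private key file privkey.pem, the site certificate cert.pem and the intermediate certificate chain.pem on the web server, in that order.
(Domain settings → SSL certificate renewal → Upload the private key → Install the certificate → Install the intermediate certificate)
The drawback of Let's Encrypt is that the validity period is only 3 months, which is really too short..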
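Before uploading, it helps to confirm that privkey.pem, cert.pem and chain.pem actually belong together and that the certificate is not close to expiry. The script below is an added example, not part of the original post; it assumes the openssl command-line tool, and the names check_live_dir and make_demo_dir, the return codes and the optional trust-anchor argument (there so the constructed demo files can be verified offline) are hypothetical.

```shell
#!/bin/sh
# Usage: check_live_dir DIR [MIN_DAYS] [TRUST_ANCHOR]
#   e.g. check_live_dir ~/letsencrypt/etc/live/yinlei.org 30
# Returns 0 ok, 1 file missing/unreadable, 2 key mismatch, 3 chain, 4 expiry.
check_live_dir() {
    dir=$1; min_days=${2:-30}; anchor=${3:-}
    for f in cert.pem chain.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # privkey.pem must be the key cert.pem was issued for: compare public keys.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "privkey.pem does not match cert.pem" >&2; return 2; }
    # cert.pem must chain through chain.pem to a trusted root: the system
    # trust store, or TRUST_ANCHOR when one is given (used by the demo).
    if [ -n "$anchor" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$dir/chain.pem" "$dir/cert.pem"
    else
        openssl verify -untrusted "$dir/chain.pem" "$dir/cert.pem"
    fi >/dev/null 2>&1 ||
        { echo "cert.pem does not verify against chain.pem" >&2; return 3; }
    # Validity is only about three months, so flag a certificate near expiry.
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((min_days * 86400)) \
        >/dev/null || { echo "cert.pem expires within $min_days days" >&2; return 4; }
    echo "ok: $(openssl x509 -in "$dir/cert.pem" -noout -enddate)"
}

# Constructed sample input (not real Let's Encrypt files): a throwaway
# self-signed CA serves as both chain.pem and trust anchor; leaf valid 30 days.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/chain.pem" -subj "/CN=Constructed Demo CA" -days 60 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" \
        -out "$d/leaf.csr" -subj "/CN=demo.example" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/cert.pem" -days 30 2>/dev/null &&
    echo "$d"
}

# Run as a script with arguments, or source it and call the functions.
[ $# -eq 0 ] || check_live_dir "$@"
```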

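Later I made some more optimizations to the site,
including merging the 3 CSS files into one
and loading JavaScript asynchronously (by adding the async parameter),
and the page display speed seems to have improved somewhat.
I tested it with Google's testmysite.thinkwithgoogle.com and the PageSpeed Insights tool, and the results had indeed improved.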


How to renew a Let's Encrypt certificate