一、前戏
在文章《利用微信小程序和Kubernetes打造简易私有云(一、开篇)》中,本人计划用微信小程序作为K8S私有云的前端。由于之前对微信小程序也不了解,就不得不走一遍流程来学习实践,才发现搭一个微信小程序远没有想象的那么容易啊。
如果你要搭建微信小程序的后端服务,首先,你的服务器必须有个域名,而且域名还必须要备案。另外,小程序和服务器之间是通过https交流,你还得申请SSL证书,如官方文档提到如下:
每个微信小程序需要事先设置一个通讯域名,小程序可以跟指定的域名与进行网络通信。包括普通 HTTPS 请求(request)、上传文件(uploadFile)、下载文件(downloadFile) 和 WebSocket 通信(connectSocket)
小程序必须使用 HTTPS 请求。小程序内会对服务器域名使用的 HTTPS 证书进行校验,如果校验失败,则请求不能成功发起。由于系统限制,不同平台对于证书要求的严格程度不同。为了保证小程序的兼容性,建议开发者按照最高标准进行证书配置,并使用相关工具检查现有证书是否符合要求。
所以,开发小程序我们得先把基础环境搭好,本篇文章主要就是讨论如何给自己的服务器申请SSL证书。当然,你得提前有个服务器,而且有个域名。本人使用的是阿里云ECS。
本文可以算是《利用微信小程序和Kubernetes打造简易私有云》系列的前传,欢迎看官不吝赐教,走你~
二、高潮
简介
了解SSL证书的都知道,绝大部分都是收费的,而且还很贵。之前阿里云有段时间可以申请免费的证书,但现在木有了,只提供收费的,价格也贵的离谱(反正我没钱):
image.png
若仔细挖掘,其实也可发现很多免费的SSL证书申请服务,适合个人开发使用。但我个人不推荐使用国内的免费SSL证书,总感觉不靠谱。这里,我强烈推荐——Let's Encrypt ,大家可以自行谷歌,这是一个很受欢迎并永久免费的SSL项目,而且到期后可以免费续签(有效期90天),非常方便,请戳官网。
安装
本人使用阿里云的CentOS 7亲自尝试安装,发现官方推荐的安装方式不太靠谱,会出现各种python相关的依赖问题。这里,我们直接使用官方另一种安装方式,亲测可行。
1.下载certbot-auto
执行:
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
这里,我们无需关心Certbot是什么,只需要知道,证书的申请和生成是通过Certbot完成的,而certbot-auto脚本封装了Certbot。
2.申请证书
执行:
./certbot-auto certonly --standalone --email abc@163.com -d ainizhi.xin
如上,certbot-auto命令会自动下载Certbot所需的依赖,并且为ainizhi.xin域名申请并生成证书。请更换--email和 -d后的参数,分别表示自己邮箱和域名。
另外,证书90后就会到期,到时我们只需要使用certbot-auto renew命令免费续签即可(建议配合使用linux的crontab机制),可参考官方文档。
3.证书位置
生成后的证书位置如下:
[root@iz2ze2tzqe1llll9ow0vxoz ~]# ll /etc/letsencrypt/live/ainizhi.xin/
total 4
lrwxrwxrwx 1 root root 35 May 9 09:12 cert.pem -> ../../archive/ainizhi.xin/cert1.pem
lrwxrwxrwx 1 root root 36 May 9 09:12 chain.pem -> ../../archive/ainizhi.xin/chain1.pem
lrwxrwxrwx 1 root root 40 May 9 09:12 fullchain.pem -> ../../archive/ainizhi.xin/fullchain1.pem
lrwxrwxrwx 1 root root 38 May 9 09:12 privkey.pem -> ../../archive/ainizhi.xin/privkey1.pem
-rw-r--r-- 1 root root 682 May 9 09:12 README
这里,我们使用的是fullchain.pem和privkey.pem,前者是证书,后者是私钥。
启用证书
本文使用Nginx来验证我们生成的证书,当然,你得提前安装好Nginx。首先,修改Nginx默认的配置文件,启用https配置:
server {
listen 8060 ssl http2 default_server;
listen [::]:8060 ssl http2 default_server;
server_name _;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/ainizhi.xin/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/ainizhi.xin/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 404 /404.html;
location = /40x.html {
root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
如上,我们主要修改了如下路径:
ssl_certificate "/etc/letsencrypt/live/ainizhi.xin/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/ainizhi.xin/privkey.pem";
修改后重启nginx即可。另外,可能有读者会问到,为什么不使用默认的443接口——答曰:因为我的域名没有备案 (灬ꈍ ꈍ灬)。
测试
我们使用Chrome或其他浏览器访问地址https://ainizhi.xin,如下图所示,我们可以看到地址栏前面有了可爱的的“锁”图标:
image.png
如上,则表示我们申请的免费SSL证书启用成功,也被各大浏览器厂商认可。
问题
安装Certbot 时很可能会出现如下错误:
...省略...
Creating virtual environment...
Installing Python packages...
Traceback (most recent call last):
File "/tmp/tmp.AT0iiLfl6l/pipstrap.py", line 184, in <module>
exit(main())
File "/tmp/tmp.AT0iiLfl6l/pipstrap.py", line 165, in main
for path, digest in PACKAGES]
File "/tmp/tmp.AT0iiLfl6l/pipstrap.py", line 120, in hashed_download
response = opener(using_https=parsed_url.scheme == 'https').open(url)
File "/usr/lib64/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
context=self._context, check_hostname=self._check_hostname)
File "/usr/lib64/python2.7/urllib2.py", line 1214, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno 101] Network is unreachable>
一般是网络问题,重试几次即可。成功时如下所示:
...省略...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ainizhi.xin
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ainizhi.xin/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ainizhi.xin/privkey.pem
Your cert will expire on 2018-08-07\. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF:
睡觉
本文只是简单的介绍了如何通过Let's Encrypt申请免费SSL证书并应用之。本人水平有限,难免有错误或遗漏之处,望大家指正和谅解,欢迎评论留言。
欢迎关注本人微信公众号:
爱你之心.jpg
网友评论
安装证书的时候遇到:Problem binding to port 80: Could not bind to IPv4 or IPv6,
原因是因为Nginx开启占用了端口,关掉以后再安装就可以了
nginx: [error] invalid PID number “” in “/run/nginx.pid”
需要先执行
nginx -c /etc/nginx/nginx.conf
// nginx.conf文件的路径可以从nginx -t的返回中找到。
nginx -s reload