Set up Let's Encrypt for Express

If you run a Node.js application on your own VPS, you’ll need a solution for obtaining SSL certificates.

Today, the standard for doing this is to use Let’s Encrypt and Certbot, a tool from EFF, aka Electronic Frontier Foundation, the leading nonprofit organization focused on privacy, free speech, and civil liberties in general in the digital world.

These are the steps we’ll follow:

Install Certbot

These instructions assume you are using Ubuntu, Debian or any other Linux distribution that uses apt-get to manage packages:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

You can also install Certbot on a Mac, for testing purposes (requires Homebrew):

brew install certbot

However, you will need to link that to a real domain name in order for it to be useful.

Generate the SSL certificate using Certbot

Now that Certbot is installed, you can invoke it to generate the certificate. You must run this as root:

certbot certonly --manual

…or call sudo from a non-root user:

sudo certbot certonly --manual

This is the process in detail:

The installer will ask you to provide the domain of your website.

…it then asks for your email:

➜ sudo certbot certonly --manual
Password: XXXXXXXXXXXXXXXXXX
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): flavio@flaviocopes.com

…and to accept the ToS:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

…and for permission to share your email address:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

…finally, we can enter the domain where we want to use the SSL certificate:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): copesflavio.com

…the installer asks if it’s ok to log your IP address:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for copesflavio.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

…and finally we get to the verification phase!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E.1DzOo_voCOsrpddP_2kpoek2opeko2pke-UAPb21sW1c

And make it available on your web server at this URL:

http://copesflavio.com/.well-known/acme-challenge/TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E

Now, let’s leave Certbot alone for a couple of minutes.

We need to verify we own the domain, by creating a file named TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E in the .well-known/acme-challenge/ folder. Pay attention! The weird string I just pasted will change every single time you go through this process.

You’ll need to create the folder and the file, since they do not exist by default.

In this file you need to put the content that Certbot printed:

TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E.1DzOo_voCOsrpddP_2kpoek2opeko2pke-UAPb21sW1c

As for the filename - this string is unique each time you run Certbot.

Allow Express to serve static files

In order to serve that file from Express, you need to enable serving static files. You can create a static folder, add the .well-known subfolder inside it, and then configure Express like this:

const express = require('express')
const app = express()

//...

app.use(express.static(__dirname + '/static', { dotfiles: 'allow' }))

//...

The dotfiles option is mandatory: without it, .well-known, which is a dotfile (it starts with a dot), will not be served. Hiding dotfiles is a security measure, because they can contain sensitive information and are better off kept hidden by default.

Confirm the domain

Now run the application and make sure the file is reachable from the public internet. Go back to Certbot, which is still running, and press ENTER to go on with the script.

Obtain the certificate

That’s it! If all went well, Certbot created the certificate and the private key, and made them available in a folder on your computer (and it will tell you which folder, of course).

Now, simply copy/paste the paths into your application to start using them to serve your requests:

const express = require('express')
const fs = require('fs')
const https = require('https')
const app = express()

app.get('/', (req, res) => {
  res.send('Hello HTTPS!')
})

https
  .createServer(
    {
      // use the paths Certbot printed at the end of the certonly run
      key: fs.readFileSync('/etc/letsencrypt/path/to/key.pem'),
      cert: fs.readFileSync('/etc/letsencrypt/path/to/cert.pem'),
      ca: fs.readFileSync('/etc/letsencrypt/path/to/chain.pem'),
    },
    app
  )
  .listen(443, () => {
    console.log('Listening...')
  })

Note that I made this server listen on port 443, so it needs to be run with root permissions.

Also, the server is exclusively running in HTTPS, because I used https.createServer(). You can also deploy an HTTP server alongside this, by running:

const express = require('express')
const fs = require('fs')
const http = require('http')
const https = require('https')
const app = express()

// plain HTTP on port 80, same app
http.createServer(app).listen(80, () => {
  console.log('Listening...')
})

// HTTPS on port 443, same app
https
  .createServer(
    {
      key: fs.readFileSync('/etc/letsencrypt/path/to/key.pem'),
      cert: fs.readFileSync('/etc/letsencrypt/path/to/cert.pem'),
      ca: fs.readFileSync('/etc/letsencrypt/path/to/chain.pem'),
    },
    app
  )
  .listen(443, () => {
    console.log('Listening...')
  })

Set up the renewal

The SSL certificate is only going to be valid for 90 days, so you need to set up an automated system for renewing it.

How? Using a cron job.

A cron job is a way to run tasks at a specified interval of time. It can be every week, every minute, every month, and so on.

In our case, we’ll run the renewal script twice per day, as recommended in the Certbot documentation.

First, find out the absolute path of certbot on your system. I use type certbot on macOS to get it, and in my case it’s in /usr/local/bin/certbot.

Here’s the script we need to run:

certbot renew

This is the cron job entry:

0 */12 * * * root /usr/local/bin/certbot renew >/dev/null 2>&1

The above says ‘run it every 12 hours, every day: at 00:00 and at 12:00’. Note the sixth field, root: that user column is only understood by the system-wide /etc/crontab and the files in /etc/cron.d. In a per-user crontab (the one crontab -e edits) leave it out, otherwise cron tries to run root as the command.

Tip: I generated this line using https://crontab-generator.org/

Add your newly-created script to the system’s crontab using this command:

env EDITOR=pico crontab -e

This opens the pico editor (feel free to substitute with whichever editor you prefer). Simply enter the new script, save, and the cron job is installed.

Once this is done, you can see the list of active cron jobs by running:

crontab -l

Translated from: https://flaviocopes.com/express-letsencrypt-ssl/
