Let's Encrypt will offer free wildcard certificates in 2018

Category: Industry news

Let's Encrypt, the CA whose goal is to get HTTPS enabled on every website, has announced that it will offer wildcard certificates free of charge starting in January 2018. A wildcard certificate is a public-key certificate that can be used by multiple subdomains. This means a single certificate can provide encryption for pages served by several servers, or by several subdomains hosted on one server, which significantly lowers the barrier for individuals and small businesses to adopt HTTPS.

Let's Encrypt says it hopes wildcard certificates will help the Web reach 100% HTTPS faster. Let's Encrypt recently announced that it had issued 100 million certificates.

老D's backend server currently uses a Let's Encrypt SSL certificate, with the server set to renew it automatically every three months.


Original Let's Encrypt announcement:

Jul 6, 2017 • Josh Aas, ISRG Executive Director

Let’s Encrypt will begin issuing wildcard certificates in January of 2018. Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.

Let’s Encrypt is currently securing 47 million domains via our fully automated DV certificate issuance and management API. This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt’s service became available in December 2015. If you’re excited about wildcard availability and our mission to get to a 100% encrypted Web, we ask that you contribute to our summer fundraising campaign.

A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.
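The single-label matching rule behind `*.example.com`, as an added Python example (not Let's Encrypt's code; the SAN list and hostnames are constructed samples). It applies the RFC 6125 rule browsers use: the `*` must be the whole left-most label and matches exactly one label, so a wildcard alone covers neither the base domain nor deeper subdomains, which is why the apex is normally added to the certificate as a second name.

```python
"""Check which hostnames a certificate's SAN entries cover.

Added example, not Let's Encrypt code. The matching rule follows RFC 6125
section 6.4.3 as browsers apply it: a single '*' may appear only as the
complete left-most label, and it matches exactly one DNS label.
"""
from typing import Iterable, List


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing dot from FQDNs.
    return name.strip().rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname."""
    san, hostname = _normalize(san), _normalize(hostname)
    if not san or not hostname:
        return False
    if "*" not in san:
        return san == hostname  # plain entry: exact match only
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire left-most label ("*.example.com");
    # "w*.example.com", "*.*.example.com" and "*.com" are rejected.
    if san_labels[0] != "*" or "*" in san_labels[1:] or len(san_labels) < 3:
        return False
    # '*' stands for exactly one label, so label counts must be equal:
    # "*.example.com" covers "www.example.com" but neither "example.com"
    # nor "a.b.example.com".
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def covered_by(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered_hosts(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames from a deployment inventory that the certificate does not cover."""
    sans = list(sans)
    return [h for h in hostnames if not covered_by(sans, h)]


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate whose SAN list also carries the
    # apex, the usual pairing because '*.example.com' alone does not cover it.
    sans = ["*.example.com", "example.com"]
    inventory = ["www.example.com", "api.example.com", "example.com",
                 "dev.api.example.com", "example.net"]
    for host in inventory:
        print(f"{host:24} {'covered' if covered_by(sans, host) else 'NOT covered'}")
```

Running the inventory check before renewal tells you which names still need their own certificate (here the second-level `dev.api.example.com` and the unrelated `example.net`).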

Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time. We encourage people to ask any questions they might have about wildcard certificate support on our community forums.
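What "base domain validation via DNS" means on the client side, as an added Python example written against the ACME specification (RFC 8555, DNS-01 challenge, and the JWK thumbprint of RFC 7638) rather than taken from this page or from Let's Encrypt's code. The token, account key and domain are constructed sample values; the record name and TXT value are what an ACME client publishes and the CA then looks up.

```python
"""Derive the DNS-01 challenge record for a wildcard identifier.

Added example, not Let's Encrypt or ACME client code. The computation follows
RFC 8555 section 8.4 (key authorization, SHA-256, base64url) and the JWK
thumbprint of RFC 7638. Token, account key and domain are constructed samples.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) that the CA will query.

    A wildcard identifier '*.example.com' is validated on its base domain, so the
    record name is '_acme-challenge.example.com', the same as for the apex itself.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


# Constructed sample account key (public members only); not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk",
              "alg": "RS256"}  # 'alg' is deliberately extra: it must not affect the thumbprint
SAMPLE_TOKEN = "sample-token-from-the-challenge-object"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 300 IN TXT "{value}"')
```

Because the record name is the same for `example.com` and `*.example.com`, an order containing both names needs two TXT records under `_acme-challenge.example.com` at once (one per challenge token); the value is derived from the account key, so a DNS operator who can write that record can complete issuance for the domain, which is what makes control of the DNS zone the thing being proven.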

We decided to announce this exciting development during our summer fundraising campaign because we are a nonprofit that exists thanks to the generous support of the community that uses our services. If you’d like to support a more secure and privacy-respecting Web, donate today!

We’d like to thank our community and our sponsors for making everything we’ve done possible. If your company or organization is able to sponsor Let’s Encrypt please email us at sponsor@letsencrypt.org.

老D


    • 三点水

      老D, why can't YouTube be opened anymore?

      • juck

        老D, I want to ask a question. I'm using a Let's Encrypt certificate,
        and my configuration is:

        server {
            listen 443 ssl;
            server_name icooding.com www.icooding.com;
            ssl on;
            ssl_certificate /home/lets-encrypt/icooding.chained.crt;
            ssl_certificate_key /home/lets-encrypt/icooding.com.key;
            location / {
                # Reverse proxy to the application on port 8080
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://localhost:8080;
                # root html;
                # index index.html index.htm;
            }

            error_page 404 /404.html;
            location = /40x.html {
            }
        }

        When I visit the site it cannot be reached, and nginx's log shows:
        2017/07/13 10:56:47 [notice] 8910#0: signal process started
        2017/07/13 10:58:13 [notice] 8916#0: signal process started
        2017/07/13 11:01:18 [notice] 8939#0: signal process started
        2017/07/13 11:29:13 [notice] 9113#0: signal process started

          • 老D

            @juck This is my configuration file:

            server {
                listen 80;
                #listen [::]:80;
                server_name laod.cn www.laod.cn;
                # Redirect every plain-HTTP request to HTTPS
                return 301 https://laod.cn$request_uri;
            }

            server {
                listen 443 ssl http2;
                #listen [::]:443 ssl http2;
                server_name laod.cn www.laod.cn;
                index index.html index.htm index.php default.html default.htm default.php;
                root  /home/wwwroot;
                ssl on;
                # "/证书路径/" is the author's placeholder for the certificate directory;
                # the same PEM bundle holds certificate, key and DH parameters
                ssl_certificate /证书路径/laod.cn.pem;
                ssl_certificate_key /证书路径/laod.cn.pem;
                ssl_session_timeout 5m;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;
                ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
                ssl_session_cache builtin:1000 shared:SSL:10m;
                # openssl dhparam -out /证书路径/laod.cn.pem 2048
                ssl_dhparam /证书路径/laod.cn.pem;
            }
              • juck

                @老D Thanks, it's solved!
                I tried telnet to port 443 afterwards and found it couldn't connect, and only then remembered that port 443 wasn't open.
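A probe that separates the failure juck ran into (port 443 not reachable at all) from a TLS or certificate problem, as an added Python example rather than anything posted in the thread. The loopback listener it starts is a constructed stand-in for a service that is reachable but not speaking TLS; the hostnames and ports are placeholders, and in practice you point it at your own server and port 443.

```python
"""Locate where an HTTPS connection fails: TCP reachability vs. TLS handshake.

Added example, not from the comment thread. A firewall that does not pass
port 443 shows up as a TCP failure before any certificate is involved, which
is the case described above; the nginx TLS configuration never gets exercised.
"""
import socket
import ssl
import threading
from typing import Optional


def probe_tls(host: str, port: int, server_name: Optional[str] = None,
              timeout: float = 3.0) -> dict:
    """Return {'tcp': bool, 'tls': bool, 'detail': str} for host:port."""
    report = {"tcp": False, "tls": False, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # No listener (refused) or a firewall dropping packets (timeout):
        # the certificate configuration is not the problem at this stage.
        report["detail"] = f"tcp connect failed: {exc}"
        return report
    report["tcp"] = True
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            report["tls"] = True
            sans = [value for _, value in tls.getpeercert().get("subjectAltName", ())]
            report["detail"] = "TLS ok; certificate SANs: " + ", ".join(sans)
    except (ssl.SSLError, OSError) as exc:
        # Port open, but no TLS server there, an untrusted chain, or a name mismatch.
        report["detail"] = f"tcp ok, TLS handshake failed: {exc}"
    return report


def start_plain_http_listener() -> int:
    """Constructed stand-in: a loopback service that answers HTTP, not TLS. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Pick a loopback port that nothing listens on (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Two constructed local cases; use your own host and port 443 in practice.
    print(probe_tls("127.0.0.1", closed_loopback_port(), server_name="localhost"))
    print(probe_tls("127.0.0.1", start_plain_http_listener(), server_name="localhost"))
```

Reading the `detail` field tells you which layer to look at: a TCP failure means firewall or listener (the `listen 443 ssl` line and the host's packet filter), while a handshake failure with the port open means the certificate, chain or server name.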

            • 123

              Great

              • Miquelito

                I have a question I'd like to ask.
                If one day every website uses HTTPS encryption, then as long as the address resolves correctly and the IP is reachable, would we no longer need to get around the wall? Would a certain [wall] then only be able to stop people from reaching the truth through DNS poisoning?

                  • 老D

                    @Miquelito You're overthinking it.

                    • mrluo

                      @Miquelito The ladder grows a foot, the wall grows ten.

                      • ShiYe

                        @Miquelito Oh my goodness, you are far too naive. Let me answer your question: "Would a certain [wall] then only be able to stop people from reaching the truth through DNS poisoning?"
                        Even if everything used SSL, even if everything used TLS v1.3, even if everything used SHA512 with RSA4096, even if everything used HSTS, I think you're just an angry youth; I suggest you first learn how networks work. Even if DNS resolves the real IP, even if the IP is anycast, when you connect to port 443 for HTTPS, every 1 and 0 your computer sends still has to travel through your ISP and up through the backbone or metro networks of the three big telecoms, and a certain Q sits in every IDC there. When your browser sends a DNS query for gxxxx.com, with no circumvention tool on your computer, the inherent weakness of the UDP protocol gets you a wrong IP; that is the first line. Next your browser routes out looking for that IP, and a certain Q gives you ERR_CONNECTION_TIMED_OUT so the browser thinks the IP doesn't exist; that is the second line. Even if you reach that IP, the moment HTTPS sends the client hello, a certain Q immediately sends a reset; that is the third line everyone commonly sees, and arguably the least effective one, where a certain Q is weak: once hosts pins the IP, the second and third lines rely entirely on blacklists, so they stop working. For example, when Google adds new servers that nobody connects to yet, with no "Google" keyword traffic, or too few packets to be noticed, you can connect directly for a few hours. When the browser connects using the IP from hosts, at this step a certain Q can only rely on blacklists; then HTTPS does the handshake first and only sends data once it succeeds, and by then the data is already encrypted under the certificate, so what a certain Q sees is just a pile of gibberish rather than "get www.google.com http/1.1". That's why you could happily use hosts to get onto 169. Of course, once the traffic grows and isn't on certain lists, a certain Q notices and blocks it, and then the GitHub project updates the IPs again. But no matter what, Google's servers are abroad, and once the Q at international bandwidth egress points such as Shanghai notices, it is dead for sure.

                      • Radar9

                        So which one does 老D use?

                        • 2Broear

                          Good stuff