SSL

概述

Triggers

Activate on: SSL certificate, HTTPS setup, Let's Encrypt, certbot, TLS configuration, certificate expired, mixed content, certificate chain error.

Core Tasks

Task	Tool/Method
------	-------------
Get free cert	`certbot`, acme.sh, Caddy (auto)
Check cert status	`openssl s_client -connect host:443`
View cert details	`openssl x509 -in cert.pem -text -noout`
Test config	ssllabs.com/ssltest or `testssl.sh`
Convert formats	See `formats.md`

Quick Cert Commands

# Let's Encrypt with certbot (most common)
certbot certonly --nginx -d example.com -d www.example.com

# Check expiry
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Verify chain is complete
openssl s_client -connect example.com:443 -servername example.com
# Look for "Verify return code: 0 (ok)"

Common Errors

Error	Cause	Fix
-------	-------	-----
`certificate has expired`	Cert past valid date	Renew with certbot renew
`unable to verify` / `self signed`	Missing intermediate cert	Include full chain in config
`hostname mismatch`	Cert doesn't cover this domain	Get cert for correct domain or add SAN
`mixed content`	HTTP resources on HTTPS page	Change all URLs to HTTPS or use `//`
`ERR_CERT_AUTHORITY_INVALID`	Self-signed or untrusted CA	Use Let's Encrypt or install CA cert

For detailed troubleshooting steps, see troubleshooting.md.

Server Config Patterns

Nginx:

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Apache:

SSLEngine on
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/privkey.pem
SSLCertificateChainFile /path/to/chain.pem

For Node.js, Caddy, Traefik, and HAProxy, see servers.md.

Renewal

Let's Encrypt certs expire in 90 days. Always automate:

# Test renewal
certbot renew --dry-run

# Cron (certbot usually adds this)
0 0 * * * certbot renew --quiet

Certificate Types

Type	Use case
------	----------
Single domain	One site (example.com)
Wildcard (*.domain.com)	All subdomains
Multi-domain (SAN)	Multiple different domains on one cert
Self-signed	Local dev only — browsers will warn

What This Doesn't Cover

Application auth (JWT, OAuth) → see oauth skill
SSH keys → see linux or server skills
VPN/tunnel setup → see networking skills
Firewall configuration → see server/infrastructure skills

版本历史

共 1 个版本

v1.0.2 当前

2026-03-29 01:58 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)