In Web development, HTTPS is the basic security encryption for website content, and in some software that values security, HTTPS is indispensable. The domain name configured in wechat development must use HTTPS, and the connection configured with parse-Dashboard must use HTTPS, etc.
Now it is very convenient to buy certificates from cloud service providers. The only disadvantage is that you need to pay. So is there a free, white whoring certificate?
Letsencrypt, a self-signed certificate authority, is used to issue certificates to your website domain name.
-
Log in to the server
Use SSH to log in to the server of the running web site.
-
Install snapd
Snapd is a great package management tool available in various Linux distributions today.
The installation in this example is based on CentOS 7. If you are using another distribution, please refer to snapd’s installation documentation, Portal, for details.
-
Add a REPL
-
CentOS 8
$ sudo dnf install epel-release $ sudo dnf upgrade Copy the code -
CentOS 7
$ sudo yum install epel-release Copy the code
-
-
Install snapd
-
After configuring the REPL, type the following command to install snapd
$ sudo yum install snapd Copy the code -
After the installation is complete, run the Enable command to enable the Systemd service
$ sudo systemctl enable --now snapd.socket Copy the code -
Link snapd’s file directory to the system’s path
Snapd provides snap commands after the installation is complete. By default, snapd is installed in the /snap directory
$ sudo ln -s /var/lib/snapd/snap /snap Copy the code
-
-
-
View the SNAPd version
Run the following command to install the snapd core library to ensure that the snapd version installed is up to date.
sudo snap install core; sudo snap refresh core Copy the code -
Remove certbot-Auto and other Certbot module packages
Uninstall the installed Certbot module, apt yum DNF and so on using the package management tools of different systems.
sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot Copy the code -
Install Certbot
Certbot is the main tool for generating HTTPS certificates. In previous versions, Certbot was installed using Python, but the installation failed due to inconsistent versions of Python installation packages. Therefore, snap is recommended to install Certbot now.
sudo snap install --classic certbot Copy the code -
Link CertBot to system environment variables
sudo ln -s /snap/bin/certbot /usr/bin/certbot Copy the code -
Use Nginx to generate HTTPS certificates
There are two ways to generate certificates using Nginx:
-
Use Certbot to generate certificates and use certbot to change Nginx configuration files
sudo certbot --nginx Copy the code -
Only certbot is used to generate certificates
sudo certbot certonly --nginx Copy the code
During the certificate generation process, Certbot will prompt you to enter your email address for the next step. You can skip the email verification step by adding –register-unsafely-without-email to the command:
sudo certbot --nginx --certonly --register-unsafely-without-email Copy the codeThen select the domain name in the next step to generate your own HTTPS certificate
-
-
Configure automatic certificate update
Since the certificate provided by Letsencrypt is only valid for 90 days, we need to renew our certificate in a timely manner.
Run the renew command to renew the certificate. Add the –dry-run parameter to simulate the certificate renewal. View the output of the command
sudo certbot renew --dry-run Copy the code -
Run the crontab command to add scheduled renewal
To perform scheduled tasks on Linux, run the crontab command. Add the following configuration to the crontab configuration
Sudo certbot renew > /var/log/certbot.renew.log Copy the codeThe above scripts check whether the certificate expires and renew the certificate at 24:00 and 12:00 every day.
-
Check whether the HTTPS service is enabled correctly
-
In the browser, open the HTTPS domain name and check whether the HTTPS flag is changed
-
On the cli, run the curl command to check whether HTTPS is enabled
Run the following command to view the output of the domain name:
curl -vIL https://zi.pongj.com Copy the codeIn the command output, you can see the configured HTTPS certificate. The signing date of the certificate is Dec 29 07:06:07 2020 GMT and the expiration date is Mar 29 07:06:07 2021 GMT
* About to connect() to zi.pongj.com port 443 (# 0) * Trying 49.235.105.234... * Connected to zi.pongj.com (49.235.105.234) port 443 (# 0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=zi.pongj.com * start date: Dec 29 07:06:07 2020 GMT * expire date: Mar 29 07:06:07 2021 GMT * common name: zi.pongj.com * issuer: CN=R3,O=LetS Encrypt,C=US > HEAD/HTTP/1.1 > user-agent: curl/7.29.0 > Host: zi.pongj.com > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Server: nginx/1.18.0 Server: nginx/1.18.0 < Date: Fri, 22 Jan 2021 05:40:37 GMT Date: Fri, 22 Jan 2021 05:40:37 GMT < Content-Type: text/html; charset=utf-8 Content-Type: text/html; charset=utf-8 < Content-Length: 219958 Content-Length: 219958 < Connection: keep-alive Connection: keep-alive < ETag: "35b36-TbUTbYgQ6yT1OJeOQSyX0F3IN9g" ETag: "35b36-TbUTbYgQ6yT1OJeOQSyX0F3IN9g" < Accept-Ranges: none Accept-Ranges: none < Vary: Accept-Encoding Vary: Accept-Encoding < * Connection #0 to host zi.pongj.com left intactCopy the code
More content
Front-end development to the full stack, the current technical stack is Node.js, Python, daily research C and Rust, diligently eat system development and network design ~
More content please go to GitHub@ruxf, zhihu @ Meng Taibai, nuggets, or follow my public account @ full stack developer, welcome to hijack ~
Never too old to learn, never too old to write
Come on, workers