The premise

To speed up my personal blog, I put all static resources into cloud object storage and added a CDN, which costs a lot of RMB. The new domain name application has also been approved, but SSL certificates generally have to be paid for annually. Look at the cheapest wildcard domain certificate on “Goose Cloud”.

Since it has to be paid at least once a year and the amount is not small (4 yuan a day), I feel a little pressure on my wallet. So after a variety of searches, I found a feasible way to get a wildcard domain SSL certificate for free, and applied it to my registered personal blog domain name. In the end the subdomains can be accessed through HTTPS, as shown in the image below left:

Then off the grid!

This article applies only to domain names that are filed for record and resolved on Goose Cloud. HTTPS has been successfully applied to the Goose Cloud CDN. I have not experimented with other cloud vendors.

Install acme.sh

At present, the most widely used free SSL certificate is Let’s Encrypt. Since 2018-03, Let’s Encrypt has officially offered free wildcard SSL certificates, which can be obtained quickly through DNS validation. In China, you can automatically issue a Let’s Encrypt wildcard certificate using the DNSPod domain name API of Goose Cloud or the Maowun domain name API. Because Goose Cloud uses DNSPod for domain names, and Goose Cloud and DNSPod accounts are linked, you can log in directly by scanning a code with WX. To simplify the certificate application process, install acme.sh in advance. acme.sh implements the ACME protocol, generates free certificates from Let’s Encrypt, automatically creates a cron task, and automatically checks all certificates at 00:00 every day. If a certificate is about to expire and needs to be updated, acme.sh updates it. All changes are limited to the installation directory.

Start by downloading and updating the dependencies. If the server runs CentOS, run the following command:

yum update && yum install curl -y && yum install cronie -y && yum install socat -y

If the server is running Debian/Ubuntu, use the following command:

apt-get update && apt-get install curl -y && apt-get install cron -y && apt-get install socat -y

Then use the following command to install acme.sh:

curl https://get.acme.sh | sh

If the console outputs:

.

Good, bash is found, so change the shebang to use....

OK

Install success!

then acme.sh has been installed successfully.

Register and configure the key for DNSPod

If you use Goose Cloud services, you can log in to DNSPod directly by scanning a code with WX; otherwise you need to register and bind an account. After logging in, click “Key Management” in the account center:

Then name and create a key:

Remember to keep the ID and Token of the secret key; these two configurations are required for the next steps.

Apply for the certificate

After obtaining the ID and Token, add these two values to the environment variables of the server by running the following commands:

export DP_Id='your ID'

export DP_Key='your Token'

For example:

export DP_Id='123456'

export DP_Key='xxxyyyzzz'

Then use acme.sh to apply for a certificate by running the following command:

~/.acme.sh/acme.sh --issue --dns dns_dp -d throwable.club -d '*.throwable.club'

throwable.club is my domain name. If you need to issue an SSL certificate for your own domain name, replace it with your domain name. Then wait for the acme.sh script to finish. If nothing goes wrong during execution, the following console logs are printed once the certificate has been issued successfully:

The certificate files are automatically stored in the /root/.acme.sh/<domain name> directory, for example /root/.acme.sh/throwable.club. View the contents of the /root/.acme.sh/throwable.club directory:

fullchain.cer is the content of the certificate file, and throwable.club.key is the private key of the certificate. Then specify the following certificate configuration in the cloud CDN's HTTPS configuration:

After the submission, the CDN will be redeployed and will take effect a few minutes later. One final note:

  • The free wildcard domain SSL certificate obtained this way is only valid for three months, but acme.sh automatically checks the validity of the certificate at midnight every night and renews it.
  • Currently, a Let’s Encrypt certificate used on the Goose Cloud CDN does not support automatic renewal. It has to be renewed manually: every three months, update the CDN with the contents of fullchain.cer and <domain name>.key from the /root/.acme.sh/<domain name> directory, then submit to refresh the configuration.
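
Because the CDN copy has to be refreshed by hand, it helps to know when acme.sh has replaced the certificate on disk. The script below is an added example, not part of the original article or of acme.sh: it records a SHA-256 of the fullchain.cer last submitted to the CDN, reports when the file has changed since then, and warns if the private key is accessible to other users. The state file name .cdn_uploaded.sha256 and the script name are hypothetical, and GNU or BusyBox stat and sha256sum are assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Paths follow the article's
# layout (/root/.acme.sh/<domain>/); the state file name is hypothetical.
STATE=.cdn_uploaded.sha256

cert_digest() { sha256sum "$1" | cut -d' ' -f1; }   # hex SHA-256 of a file

# Record that the current fullchain.cer has been submitted to the CDN.
mark_uploaded() {
    [ -r "$1/fullchain.cer" ] || return 2
    ( umask 077; cert_digest "$1/fullchain.cer" > "$1/$STATE" )
}

# 0 = manual CDN upload pending, 1 = CDN copy is current, 2 = no certificate.
cdn_upload_pending() {
    [ -r "$1/fullchain.cer" ] || return 2
    [ -r "$1/$STATE" ] || return 0               # never uploaded
    [ "$(cert_digest "$1/fullchain.cer")" != "$(cat "$1/$STATE")" ]
}

# 0 only if the private key exists and group/others have no access to it.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 2
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

check_domain() {
    dir=$1; domain=$(basename "$dir")
    key_is_private "$dir/$domain.key" ||
        echo "WARN: $dir/$domain.key is missing or accessible to other users"
    cdn_upload_pending "$dir" && rc=0 || rc=$?
    case $rc in
        0) echo "ACTION: update the CDN with $dir/fullchain.cer and $domain.key" ;;
        2) echo "ERROR: $dir/fullchain.cer not found" ;;
    esac
}

# Usage: check_cdn_cert.sh <dir>            report pending work
#        check_cdn_cert.sh <dir> uploaded   record a completed CDN upload
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = uploaded ]; then mark_uploaded "$1"; else check_domain "$1"; fi
fi
```

Run it daily from cron some time after the acme.sh job, and run it once with `uploaded` after the new certificate has been submitted in the CDN console.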

Summary

Just enjoy yourself.

(C-1-D E-A-20200814)