Recently I migrated my homepage (http://www.whezh.com) and blog (http://blog.whezh.com) to HTTPS. This article records the whole process, including applying for the SSL certificate and the corresponding Nginx configuration. The certificate is the free one issued by Let's Encrypt; conveniently, earlier today Let's Encrypt started issuing wildcard certificates (through its ACME v2 API), which spares you a separate certificate for every subdomain.

Install the certificate

Let's Encrypt's getting-started page explains how to obtain a certificate: SSH into the server, install an ACME client (which requests, validates and later renews the certificate for you), and pick one from the list of available clients. Let's Encrypt recommends Certbot.

I started with certbot-auto and did obtain a certificate with it, but ran into problems setting up automatic renewal, so I gave up on certbot-auto, switched to acme.sh, and completed the migration with that. I will describe acme.sh first and then briefly cover certbot-auto and the problem I hit.

Using acme.sh

acme.sh is well documented and easy to install and use, requiring only a few commands, and it supports many platforms. My server runs Ubuntu.

Installation

acme.sh supports two installation methods: the online installer and a Git clone. I used the online installer, which fetches a script from the project's site and runs it. Because this pipes a remote script straight into your shell, it is worth downloading the script and reading it before executing it:

$ curl https://get.acme.sh | sh

The standalone HTTP validation mode of acme.sh additionally needs socat, which on Ubuntu is installed with:

$ apt-get install socat

The installer performs three steps:

  1. Installs acme.sh into the ~/.acme.sh/ directory.
  2. Creates an alias: alias acme.sh=~/.acme.sh/acme.sh (written to the shell's rc file, so it takes effect in new shells).
  3. Creates a cron job that checks the certificates at 0:00 every day and renews any that are due.

If the shell still reports that acme.sh is not found after installation, step 2 can be done by hand, which is what I did.

Issuing a certificate

acme.sh implements all the challenge types defined by ACME. In practice there are two ways to validate: HTTP validation (HTTP-01) and DNS validation (DNS-01). Both exist to prove control of the domain, much like the site-verification step of Baidu's or Google's webmaster tools. Note that Let's Encrypt issues wildcard certificates only through DNS-01, so for *.whezh.com the DNS method is the only option.

In HTTP mode you specify the domain and the web root of the site that serves it when issuing. acme.sh writes the verification file under .well-known/acme-challenge/ in that web root and deletes it once validation completes, leaving no side effects. If you run Apache or Nginx, acme.sh can also read the server's configuration and handle validation automatically; you only select the corresponding mode (--apache or --nginx) and change nothing in your configuration.

I used DNS validation, for which acme.sh offers two modes, manual and automatic. In manual mode you run the command, add the TXT record it asks for yourself, and run it again; because nobody is there to add a fresh record at renewal time, manual mode cannot renew automatically. In automatic mode acme.sh adds and removes the record through your DNS provider's API, which the provider must expose and acme.sh must have a module for.
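The values exchanged in those two challenge types, as an added example (not code from the original post or from acme.sh itself): given the ACME account key and the token the server hands out, it derives the body that HTTP-01 serves under /.well-known/acme-challenge/ and the TXT record that DNS-01 publishes, following RFC 8555 and RFC 7638. The account JWK (with a made-up modulus) and the token are constructed placeholders. It also shows why a wildcard and its apex validate through the same _acme-challenge.whezh.com record name, which matters if one certificate is issued for both: two TXT records must then coexist at that name.

```python
"""ACME challenge values as an ACME client computes them (RFC 8555 section 8).

Added example, not code from the original post or from acme.sh.
The account key below is a constructed RSA JWK with a fake modulus and the
token is constructed too; only the derivation itself is real.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 4648 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only, keys in lexicographic order, no whitespace.
    Optional members such as "alg" or "kid" must NOT be included."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key): binds the challenge to the
    account key so a third party cannot complete it with its own account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """Path and body the web root must serve for an HTTP-01 challenge."""
    path = f"/.well-known/acme-challenge/{token}"
    return path, key_authorization(token, account_jwk)


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """TXT record name and value for a DNS-01 challenge.

    For a wildcard such as *.whezh.com the leading "*." is dropped, so the
    record lives at _acme-challenge.whezh.com, the same name as for the apex.
    The value is the base64url SHA-256 of the key authorization, not the
    key authorization itself."""
    name = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{name}", b64url(digest)


# Constructed inputs (placeholders, not a real account key or server token).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),
    "alg": "RS256",  # present in real JWKs; excluded from the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("HTTP-01: serve", path, "with body", body)
    for ident in ("*.whezh.com", "whezh.com", "blog.whezh.com"):
        name, value = dns01_record(ident, TOKEN, ACCOUNT_JWK)
        print(f"DNS-01 for {ident}: TXT {name} = {value}")
```

Each challenge carries its own token, so the two records at _acme-challenge.whezh.com for whezh.com and *.whezh.com will have different values even though the name is identical; a DNS API module has to add the second record rather than overwrite the first.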

My DNS is hosted at Alibaba Cloud, so according to the documentation I first set two environment variables holding an API key pair:

$ export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
$ export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"

Ali_Key and Ali_Secret are saved to ~/.acme.sh/account.conf so that renewals can reuse them. That file then holds a credential able to change your DNS records, so keep it readable only by the user running acme.sh, and prefer a key from a RAM sub-account restricted to DNS operations over your main account's key.

With the environment variables set, one command issues the certificate:

$ acme.sh --issue --dns dns_ali -d *.whezh.com
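A check worth running before pointing Nginx at a new certificate, added here as an example rather than taken from the post or from acme.sh: does every server_name in the configurations below fall under a name in the certificate? The matching rules are those browsers apply to dNSName SANs: a wildcard is only valid as the entire left-most label, it stands for exactly one label, and comparison is case-insensitive. The server names and SAN lists are taken from the post; nothing is fetched from the network.

```python
"""Does the certificate cover every name Nginx serves?

Added example, not code from the original post. Hostname matching follows
the rules browsers apply to certificate dNSName entries (RFC 6125 section
6.4.3 as implemented in practice): a wildcard must be the whole left-most
label, it matches exactly one label, and names compare case-insensitively.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate SAN (possibly a wildcard) matches hostname."""
    pat, host = _labels(cert_name), _labels(hostname)
    if pat[0] != "*":
        return pat == host  # plain dNSName: exact match only
    # Wildcard: refuse a bare "*.tld", require the same label count (the
    # wildcard stands for one label, so *.whezh.com never matches whezh.com
    # nor a.b.whezh.com), and compare the remaining labels exactly.
    if len(pat) < 3 or len(pat) != len(host):
        return False
    return pat[1:] == host[1:]


def uncovered(server_names: Iterable[str], cert_names: Iterable[str]) -> List[str]:
    """server_name entries that no SAN in the certificate covers."""
    sans = list(cert_names)
    return [h for h in server_names if not any(matches(s, h) for s in sans)]


# Names from the post: the two Nginx configs and the wildcard issued with
# `acme.sh --issue --dns dns_ali -d *.whezh.com`.
SERVER_NAMES = ["whezh.com", "www.whezh.com", "blog.whezh.com"]
WILDCARD_ONLY = ["*.whezh.com"]
WITH_APEX = ["whezh.com", "*.whezh.com"]  # what `-d whezh.com -d *.whezh.com` yields

if __name__ == "__main__":
    print("wildcard only, not covered:", uncovered(SERVER_NAMES, WILDCARD_ONLY))  # ['whezh.com']
    print("with apex, not covered:   ", uncovered(SERVER_NAMES, WITH_APEX))       # []
```

The first result is the reason the https://whezh.com redirect server further down needs the apex included at issue time: a browser connecting to whezh.com is offered a certificate valid only for *.whezh.com and aborts the handshake before any redirect can be sent.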

When the command finishes, acme.sh prints the paths of the generated certificate, key and chain files, as shown in the figure below. One caveat: a wildcard for *.whezh.com covers www.whezh.com and blog.whezh.com but not the bare whezh.com; if the apex should also answer over HTTPS, pass it as an additional name (-d whezh.com) when issuing.

By default the certificate is kept under ~/.acme.sh/, but you should not point the server at those files directly: they are for acme.sh's internal use and the directory layout may change. The correct approach is the --installcert command, which copies the certificate to a location of your choosing.

$ acme.sh --installcert -d *.whezh.com --key-file /etc/letsencrypt/whezh.com/whezh.com.key --fullchain-file /etc/letsencrypt/whezh.com/fullchain.cer --reloadcmd "service nginx reload"

Note that fullchain.cer, not the bare leaf certificate, is what Nginx's ssl_certificate must point to; otherwise the intermediate certificate is never sent and SSL Labs reports "Chain issues: Incomplete". The target directory must already exist. The --reloadcmd parameter is the command executed after each automatic renewal so that the server picks up the new files (a reload suffices and, unlike a restart, does not drop open connections). Every parameter given here is recorded and reused automatically at each renewal.

At this point the certificate is installed and only the server configuration remains.

Using certbot-auto

Download certbot-auto and make it executable (the EFF has since deprecated certbot-auto; current Certbot installations use distribution packages or snap):

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

Issue the certificate (the --server flag selects the ACME v2 endpoint, which is required for wildcards):

$ sudo ./certbot-auto certonly -d *.whezh.com --manual --preferred-challenges dns  --server https://acme-v02.api.letsencrypt.org/directory

Once the command runs, it prompts you to add a TXT record.

Log in to your DNS provider's console and add the TXT record it shows for _acme-challenge.whezh.com. Then confirm that it resolves with nslookup -type=TXT _acme-challenge.whezh.com before continuing, since Let's Encrypt queries the authoritative servers immediately.

Once the record resolves, press Enter and the certificate is issued.

At first this worked: the certificate was issued and Nginx served HTTPS correctly. But when I went to set up automatic renewal, certbot-auto renew failed with an error. I roughly understood that the mode I had used was wrong and something was missing (certbot cannot repeat a --manual DNS challenge on renewal unless a --manual-auth-hook script is supplied to create the TXT record), but I did not want to spend more time on it, so I gave up and moved on.

Nginx configuration

With the certificate in place, the server can be configured. Note that the blog lives on the subdomain blog.whezh.com and the homepage on www.whezh.com. I redirect the bare whezh.com to www.whezh.com and force HTTPS for all pages.

Personal homepage configuration:

# www.whezh.com.conf
server {
    listen 80;

    server_name whezh.com www.whezh.com;

    return 301 https://www.whezh.com$request_uri;
}

server {
    # The bare-domain redirect over HTTPS needs a certificate too, or the TLS
    # handshake fails before the redirect can be sent. A certificate issued
    # only for *.whezh.com does not cover whezh.com; it must also be issued
    # for the apex (-d whezh.com) for this block to work.
    listen 443 ssl;

    server_name whezh.com;

    ssl_certificate     /etc/letsencrypt/whezh.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/whezh.com/whezh.com.key;

    return 301 https://www.whezh.com$request_uri;
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on" directive.
    listen 443 ssl;

    server_name www.whezh.com;

    ssl_certificate     /etc/letsencrypt/whezh.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/whezh.com/whezh.com.key;

    location / {
        root  /home/hezhou/www/home;
        index index.html;
    }
}

Blog Configuration:

# blog.whezh.com.conf
server {
    listen 80;

    server_name blog.whezh.com;

    return 301 https://blog.whezh.com$request_uri;
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on" directive.
    listen 443 ssl;

    server_name blog.whezh.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate     /etc/letsencrypt/whezh.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/whezh.com/whezh.com.key;

    location / {
        # Pass the client address and the original scheme on to Ghost so it
        # generates https:// links and logs the real client IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    # Requests under /.well-known (e.g. HTTP-01 challenge files) are served
    # as static files from the root above instead of being proxied to Ghost.
    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}