Use the Certbot tool to configure a Let's Encrypt wildcard certificate. All subdomains under the domain can then use HTTPS certificates, and it is free. Note that a Let's Encrypt wildcard certificate covers the subdomains only, not the bare (apex) domain itself: *.hubinqiang.com and hubinqiang.com are treated as two different names.

Environment

Operating system: CentOS 7

Configuration domain name: hubinqiang.com, *.hubinqiang.com

Steps

1. Obtain Certbot

# download certbot-auto
wget https://dl.eff.org/certbot-auto
# make it executable
chmod u+x certbot-auto

2. Apply for a certificate

perform

./certbot-auto certonly -d "*.9wuquan.com" -d "9wuquan.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

./certbot-auto certonly -d "*.lww123.com" -d "lww123.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Parameter Description:

  • certonly: only obtain the certificate, do not install it. Certbot has two types of plug-ins: installation (installer) and verification (authenticator).
  • --manual: Certbot has many plug-ins and different plug-ins can obtain certificates; choose one according to your needs. Here the manual plug-in is used.
  • -d: the host to request the certificate for. For a wildcard certificate, enter *.hubinqiang.com (use your own domain name instead).
  • --preferred-challenges: verify domain name ownership in DNS mode (dns-01).
  • --server: Let's Encrypt ACME v2 uses a different server than v1, so it must be specified explicitly.

Note: replace hubinqiang.com with your domain name. Multiple hosts can be added using multiple -d parameters.
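Which hostnames the two -d names cover is decided by the browser's wildcard matching rule. The following Python is an added example (not from the original post or from Certbot) that implements that rule so you can check a certificate's SAN list against the names you intend to serve:

```python
"""Which hostnames does a certificate's SAN list cover?

Added example (not from the original post or Certbot): it implements the
browser-side wildcard matching rule (RFC 6125 style), which is why the post
requests both "*.hubinqiang.com" and "hubinqiang.com" with separate -d flags.
"""
import re

# one DNS label: letters, digits, hyphens; no leading/trailing hyphen
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot (FQDN form)
    return name.strip().rstrip(".").lower()


def name_matches(san: str, host: str) -> bool:
    """True if one SAN entry (possibly a wildcard) covers `host`."""
    san, host = _normalize(san), _normalize(host)
    san_labels, host_labels = san.split("."), host.split(".")
    if not all(_LABEL.match(lab) for lab in host_labels):
        return False  # malformed or empty label: never matches
    if san_labels[0] != "*":
        return san == host  # non-wildcard entries match exactly
    # Wildcard rule: only the whole leftmost label may be "*", it needs at
    # least two labels to its right, and it stands for exactly one label.
    # So neither the bare domain nor a.b.hubinqiang.com is covered.
    if len(san_labels) < 3:
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def covered_by(sans, host: str) -> bool:
    """True if any SAN entry in the certificate covers `host`."""
    return any(name_matches(san, host) for san in sans)


if __name__ == "__main__":
    # constructed SAN list, mirroring the two -d names used in the post
    sans = ["*.hubinqiang.com", "hubinqiang.com"]
    for host in ["www.hubinqiang.com", "hubinqiang.com",
                 "a.b.hubinqiang.com", "hubinqiang.com.evil.test"]:
        print(f"{host:28} covered={covered_by(sans, host)}")
```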

The following confirmation is required during the application process:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for hubinqiang.com
dns-01 challenge for hubinqiang.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------

Add TXT record to domain name DNS resolution

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hubinqiang.com with the following value:

kC-QHSWO1LdIeyIs7VQ66sTAyioISnfzIJU0bXgo-Z8

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hubinqiang.com with the following value:

6XnGyee8W48QfRl61m_18aRs8rfvn4T8kKzQil0IYw4

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

Two TXT records are displayed, one for each of my two hosts. Add both TXT records in the domain's DNS resolution as required; one of them is as follows: _acme-challenge

Note: if you apply for multiple hosts, you need to add multiple TXT records. Here both records share the name _acme-challenge.hubinqiang.com, with different values. Do not press Enter until the TXT records have taken effect.
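One way to check that the records have taken effect before pressing Enter: this added Python (not from the original post or Certbot) parses the answer of `dig +short TXT _acme-challenge.hubinqiang.com` and reports which of the values Certbot printed are still missing. The query_txt helper and the 1.1.1.1 resolver are my assumptions; the sample answer is constructed from the two values shown above.

```python
"""Is the _acme-challenge TXT record visible yet?

Added example (not from the original post or Certbot). It parses the answer
of `dig +short TXT _acme-challenge.hubinqiang.com` and reports which of the
values Certbot printed are still missing. Both challenge values are published
under the same name, so all of them must be present before pressing Enter.
"""
import re
import subprocess

# a quoted TXT chunk, allowing backslash-escaped characters inside
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_answer(dig_output: str) -> set:
    """Turn `dig +short TXT` output into the set of TXT record strings.

    One record may be printed as several quoted chunks on a line; they are
    concatenated, and escaped quotes/backslashes are unescaped.
    """
    values = set()
    for line in dig_output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            values.add("".join(c.replace('\\"', '"').replace("\\\\", "\\")
                               for c in chunks))
    return values


def missing_values(dig_output: str, expected) -> set:
    """Challenge values Certbot asked for that DNS does not show yet."""
    return set(expected) - parse_txt_answer(dig_output)


def challenge_ready(dig_output: str, expected) -> bool:
    """True only when every expected value is published."""
    return not missing_values(dig_output, expected)


def query_txt(name: str, resolver: str = "1.1.1.1") -> str:
    """Ask a public resolver (assumed here: 1.1.1.1), not the local cache."""
    return subprocess.run(["dig", "+short", "TXT", name, f"@{resolver}"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # constructed sample answer: only one of the two values has propagated
    sample = '"kC-QHSWO1LdIeyIs7VQ66sTAyioISnfzIJU0bXgo-Z8"\n'
    wanted = ["kC-QHSWO1LdIeyIs7VQ66sTAyioISnfzIJU0bXgo-Z8",
              "6XnGyee8W48QfRl61m_18aRs8rfvn4T8kKzQil0IYw4"]
    print("ready:", challenge_ready(sample, wanted))
    print("missing:", missing_values(sample, wanted))
```

To use it live, replace `sample` with `query_txt("_acme-challenge.hubinqiang.com")` and keep polling until `challenge_ready` returns True.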

The following message will be displayed after confirmation:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hubinqiang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hubinqiang.com/privkey.pem
   Your cert will expire on 2018-08-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Several files now exist in /etc/letsencrypt/live/hubinqiang.com/: cert.pem, chain.pem, fullchain.pem and privkey.pem. The certificate and key have been obtained successfully.

3. Configure the certificate

Fragments configured in nginx:

server {
    server_name hubinqiang.com;
    # "ssl" on the listen directive replaces the deprecated "ssl on;"
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/hubinqiang.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hubinqiang.com/privkey.pem;
    # chain.pem is the intermediate chain, used to verify stapled OCSP responses
    ssl_trusted_certificate /etc/letsencrypt/live/hubinqiang.com/chain.pem;
}

Restart nginx to see the effect.

4. Renew the certificate

The default validity period of a free Let's Encrypt certificate is 90 days. To renew the certificate when it expires, repeat step 1 (Obtain Certbot) and step 2 (Apply for a certificate) above.

Or renew all certificates at once:

./certbot-auto renew

Note that a certificate obtained with --manual cannot be renewed non-interactively unless a --manual-auth-hook script that publishes the TXT record is supplied; without one, repeat the two steps above.

Installing Let's Encrypt on CentOS 7 with Apache

1. Upgrade the system

yum -y update

2. Configure Let's Encrypt under Apache

Run the following command:

./certbot-auto --apache

Follow the prompts

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.9wuquan.cn
2: www.lww123.cn
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Enter 1

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Enter 2

Open port 443 in the iptables firewall.

Edit ssl.conf

vi /etc/httpd/conf.d/ssl.conf

<VirtualHost *:80>
    DocumentRoot /var/www/jqbs
    ServerName 9wuquan.cn
    ServerAlias *.9wuquan.cn
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/jqbs
    ServerName 9wuquan.cn
    ServerAlias *.9wuquan.cn
    SSLEngine on
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    <Directory />
        Options FollowSymLinks ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/9wuquan.cn/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/9wuquan.cn/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/9wuquan.cn/chain.pem
</VirtualHost>

The changes to the /etc/httpd/conf/httpd.conf configuration file mainly include the following items:

Install mod_ssl (provides mod_ssl.so):

yum -y install mod_ssl

LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
  1. ServerSignature On => ServerSignature Off (do not display the Apache version on error pages)

  2. Options Indexes FollowSymLinks => Options FollowSymLinks (disable directory listing so files cannot be browsed through the directory tree)

    <Directory "/var/www">
    AllowOverride All

  3. AllowOverride None => AllowOverride All (allow .htaccess)

  4. DirectoryIndex index.html => DirectoryIndex index.html index.php (let Apache serve .php index files)

Restart the Apache

systemctl restart httpd

At this point the site is already accessible over HTTPS; try it.

Finally, a 301 redirect from HTTP to HTTPS is made via .htaccess:

<IfModule mod_rewrite.c>
    Options +FollowSymlinks -Multiviews
    RewriteEngine On
    # permanent (301) redirect of every plain-HTTP request to HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [L,R=301]
    # front controller: route paths that are not real files or directories to index.php
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]
</IfModule>
# cache images and Flash content for one month
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf)$">
    Header set Cache-Control "max-age=2592000"
</FilesMatch>
<FilesMatch "\.(ttf)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>
Certificate renewal

The default validity period of a free Let's Encrypt certificate is 90 days. To renew the certificate when it expires, run the following command.

Renew all certificates:

./certbot-auto renew

How do I import a certificate to IIS

Since the certificate we applied for is in PEM format and IIS only accepts PFX certificates, we need to merge the PEM files into a PFX certificate with the openssl command:

openssl pkcs12 -export -out 51tcsd.pfx -inkey privkey.pem -in fullchain.pem -certfile cert.pem

This command merges the PEM files into 51tcsd.pfx. Enter an export password for the certificate when prompted.

The output shows that the 51tcsd.pfx file was generated successfully in the current directory.

Next we import the 51tcsd.pfx file into Windows.

Here Ubuntu runs as a Windows application (the Windows Subsystem for Linux), so all files in Ubuntu can be seen through Windows Explorer.

I found my Ubuntu directory mounted at this location in my Windows directory:

C:\Users\Administrator\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs

We went into C:\Users\Administrator\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\etc\letsencrypt\live\51tcsd.com-0001

You can see our PFX file

(1) Import certificates

• Start – > Run – > MMC;

• In the console, choose File > Add/Remove Snap-in > Add, select Certificates from the list of available standalone snap-ins, and select Computer account;

• In the certificate tree list displayed on the left side of the console, choose Personal > Certificates, right-click, choose All Tasks > Import, and import the PFX file as prompted by the Certificate Import Wizard (one important step in this process is to automatically select the storage area based on the certificate content). Enter the password you set during the installation. After the certificate is successfully imported, you can view the certificate information.

(2) Assign the server certificate

• Open the IIS8.0 Manager panel, locate the site where the certificate is to be deployed, and click Bind.

In the Site Bindings dialog choose Add, set Type to https and Port to 443, select the imported certificate under SSL certificate, and click OK.

The default SSL port is 443. If you use another port such as 8443, you must enter www.domain.com:8443 in the browser.

Next, right-click the PFX file and choose Install PFX.

Enter the password you just entered during the OpenSSL merge

Click Finish; the import is successful.

Next, open IIS Manager. Under Server Certificates you can find the wildcard certificate we applied for.

Next, we bind a site to an arbitrary subdomain, such as a.51tcsd.com. First, resolve a.51tcsd.com to my host, 127.0.0.1.

Then in IIS select the site "Default Web Site" and click "Bindings" on the right.

Enter the relevant information and select the certificate

Then we open a.51tcsd.com/ in the browser.

Did you get a surprise?

Redirect HTTP to HTTPS

Mixing HTTP and HTTPS falls under cross-origin access; redirecting directly to HTTPS avoids the cross-origin problem:

You can add this code to the corresponding page to automatically upgrade insecure HTTP requests to HTTPS.

IIS: HTTP to HTTPS

Add to the web.config file:

<system.webServer>

</system.webServer>

Buy me a cup of coffee 🙂