At present, many webmasters are considering upgrading their sites from HTTP to HTTPS, not only for security reasons but also because of the requirements of third-party platforms. For example, Google Chrome marks HTTP sites as not secure, and the WeChat platform requires WeChat mini programs to use HTTPS.
So how do you upgrade an HTTP site to an HTTPS site?
Differences between HTTP and HTTPS
To secure data in transit, HTTPS adds SSL/TLS on top of HTTP. SSL relies on certificates to verify the identity of the server and encrypts communication between the browser and the server. To upgrade an HTTP site to HTTPS, you need to obtain a certificate from a CA and install it on the site.
There are two ways to obtain a CA certificate:
- Purchase a CA certificate for a fee
- Get a free certificate
Paid CA certificates are sold by major service providers such as Alibaba Cloud and Tencent Cloud.
Paid certificates are not cheap: according to the official Alibaba Cloud website, prices range from several thousand to tens of thousands of yuan.
That is a big expense for a small company's platform, let alone a personal site.
Let's Encrypt is a free, automated, and open certificate authority. Certificates issued by Let's Encrypt are valid for three months at a time, but can be used almost indefinitely as long as they are renewed continuously.
The acme.sh script, which implements the ACME protocol, renews certificates from Let's Encrypt for you automatically. Download address:
Github.com/Neilpang/ac…
Install acme.sh
Installing acme.sh takes a single command:
curl https://get.acme.sh | sh
It can be installed as either a normal user or root. The installation does the following:
1. Installs acme.sh into your home directory:
~/.acme.sh/
and creates a bash alias for you to use: alias acme.sh=~/.acme.sh/acme.sh
2. Creates a cron job automatically that checks all certificates at 0:00 every day. If a certificate is about to expire and needs renewing, it is renewed automatically. The installation does not pollute any existing system functions or files; all changes are confined to the installation directory: ~/.acme.sh/
Generate a certificate
acme.sh implements all validation methods supported by ACME. Generally there are two: HTTP validation and DNS validation.
1. HTTP validation places a file in your site's root directory to prove domain ownership; once validation completes, the certificate is generated.
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/
acme.sh automatically generates the validation file, places it in the site root directory, and completes the validation. Finally the validation file is removed, so the whole process has no side effects.
If you are using an Apache server, acme.sh can also validate automatically from the Apache configuration. You do not need to specify the root directory:
acme.sh --issue -d mydomain.com --apache
Likewise, if you are using an Nginx server, acme.sh can validate automatically from the Nginx configuration. You do not need to specify the site root directory:
acme.sh --issue -d mydomain.com --nginx
Note: in both Apache and Nginx mode, acme.sh restores its temporary changes after validation and leaves your own configuration untouched. The advantage is that you don't have to worry about your configuration being corrupted; the disadvantage is that you must write the SSL configuration yourself, otherwise the certificate is generated successfully but your site still cannot be reached over HTTPS. To be safe, edit the configuration manually yourself.
If you are not running any web service and port 80 is idle, acme.sh can also act as a web server and temporarily listen on port 80 to complete the validation:
acme.sh --issue -d mydomain.com --standalone
2. In DNS mode, a TXT record is added to the domain to prove domain ownership.
The advantage of this approach is that you do not need a server or a public IP; a DNS record alone completes the validation. The downside is that unless you also configure the automatic DNS API, acme.sh cannot renew the certificate automatically in this mode, and you must add a new record manually to prove domain ownership each time.
acme.sh --issue --dns -d mydomain.com
acme.sh then prints the DNS record it needs; you just add that TXT record in your domain management panel.
Once the record has propagated, generate the certificate again:
acme.sh --renew -d mydomain.com
The real power of DNS mode is that acme.sh can automatically add the TXT records for validation using the API provided by your DNS provider.
acme.sh currently supports automatic integration with dozens of DNS providers, including CloudFlare, DNSPod, CloudXNS, GoDaddy, and OVH.
Copy/Install the certificate
After the certificate is generated, you need to copy the certificate to the place where you really need it.
Note: by default, generated certificates are stored in the installation directory ~/.acme.sh/. Do not use the files in that directory directly; for example, don't point nginx/Apache configuration files at them. The files there are for internal use and the directory structure may change.
The correct way is to use the --installcert command to specify the destination; the certificate files are then copied to the appropriate location, for example:
acme.sh --installcert -d <domain>.com \
--key-file /etc/nginx/ssl/<domain>.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd "service nginx force-reload"
A quick reminder: the command uses service nginx force-reload, not service nginx reload. Testing showed that reload does not reload certificates, so force-reload is used.
In the Nginx configuration, point ssl_certificate at /etc/nginx/ssl/fullchain.cer rather than /etc/nginx/ssl/<domain>.cer. Otherwise the SSL Labs test reports an Incomplete Chain issue.
The --installcert command accepts many parameters to specify the target files. You can also specify --reloadcmd; when the certificate is renewed, reloadcmd is invoked automatically so that the server picks up the new certificate.
Note that all parameters specified here are recorded and invoked again automatically each time the certificate is renewed in the future.
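As an added example (not from the original article or from the acme.sh project), here is the Nginx server configuration that the installcert command above leaves for you to write. <domain> and the /etc/nginx/ssl paths are the placeholders from that command; the webroot path and the TLS protocol settings are my assumptions.

```nginx
# Added example, not from the original article or the acme.sh project:
# the Nginx SSL configuration that --installcert does not write for you.
# <domain> is the same placeholder as in the installcert command.

# Redirect plain HTTP to HTTPS. The /.well-known/acme-challenge/ location stays
# on port 80 so acme.sh's webroot validation keeps working after the upgrade.
server {
    listen 80;
    server_name <domain>.com www.<domain>.com;

    location /.well-known/acme-challenge/ {
        root /home/wwwroot/<domain>.com;   # assumed webroot path
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name <domain>.com www.<domain>.com;

    # Use the bundle written by --fullchain-file, not the leaf certificate alone;
    # a leaf-only file is what produces the SSL Labs "Incomplete Chain" issue.
    ssl_certificate     /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/<domain>.key;

    # Assumed hardening: modern protocol versions only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    root /home/wwwroot/<domain>.com;       # assumed webroot path
}
```

Because acme.sh renews the certificate in place and then runs the recorded reloadcmd, this configuration needs no changes at renewal time.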
Update the certificate
Currently, certificates are automatically renewed after 60 days without you having to do anything. It’s possible to shorten this time in the future, but it’s automatic and you don’t have to worry about it.
Update acme.sh
The ACME protocol and the Let's Encrypt CA are updated frequently, so acme.sh is also updated frequently to keep in sync.
Update acme.sh to the latest version:
acme.sh --upgrade
If you don’t want to manually upgrade, you can enable automatic upgrade:
acme.sh --upgrade --auto-upgrade
After that, acme.sh will automatically stay updated.
You can also turn off automatic updates at any time:
acme.sh --upgrade --auto-upgrade 0
What to do if something goes wrong:
If something goes wrong, enable the debug log:
acme.sh --issue ….. --debug
Or:
acme.sh --issue ….. --debug 2
Finally, this article is not a complete usage guide; acme.sh has many advanced features, and the wiki pages cover more advanced use.
Address: github.com/Neilpang/acme.sh/wiki
Author: Ape Talk link: urlify.cn/bQZnYz