1. Apply for a certificate
1.1 SSL certificates are currently bought through Ali Cloud (SSL Certificates), because our domain names are purchased there and some of our servers also run there.
1.2 Because we merge the certificates of several top-level domains into one, the minimum purchase here is one single-domain certificate plus two or more wildcard (pan-domain) certificates. We chose GeoTrust, which is affordable and also meets the requirements of the app.
1.3 Order one single-domain certificate and two wildcard certificates, add them to the shopping cart and pay.
1.4 After paying, do not touch the certificates. Do not touch them at all. Go to Ali Cloud and submit a work order to merge the certificates. See: help.aliyun.com/knowledge_d…
1.5 Merging takes about half a day. Keep an eye on the status of the work order.
1.6 After the merge, open SSL Certificates and you will see that the three certificates originally bought have been combined into one. Click the new certificate to apply for the domain names:
add the two top-level domains and the one second-level domain that need HTTPS service and submit. !!!!!!!!! Make absolutely sure the names are correct, because a mistake cannot be refunded individually.
1.7 The certificate is approved in about three to five days, sometimes a little earlier, so check the SSL Certificates page often during this period.
1.8 The above applies to those who need to merge certificates. If you do not need to merge, just order the certificate and apply for the domain name; it will likewise be issued after a few days. Then perform the following steps.
2. Replace the certificate
2.1 Before replacing certificates you need to know which domain names currently serve HTTPS. There are too many domain names to try one by one, so a Python 3 script does the detection in batch. There are two scripts, executed from the same directory; install the required modules before running them.
The scripts are written for Python 3 and are not compatible with Python 2. The first one is the certificate detection class:
# Certificate detection class (save it as utils/ssl_check.py; the scan script below imports it from there).
# Requires the pyOpenSSL and requests modules.
import ssl
from datetime import datetime

import requests
from OpenSSL import crypto


class SSL_Check:
    def __init__(self, url):
        self.url = url

    def get_url_check(self):
        # HTTP status code of an HTTPS request to the host, or 504 if the request fails.
        # requests verifies the certificate, so a host whose certificate is already
        # invalid or expired is also reported as 504 (and therefore as "not https").
        try:
            res = requests.get('https://' + self.url, timeout=3)
            return res.status_code
        except requests.exceptions.RequestException:
            return 504

    @property
    def get_str_time(self):
        # notAfter of the certificate the server presents, as a YYYYMMDDHHMMSS string
        pem = ssl.get_server_certificate((self.url, 443))
        x509 = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
        return x509.get_notAfter().decode()[0:-1]   # drop the trailing 'Z'

    @property
    def get_ssl_time(self):
        # (url, status, days until expiry); "low500" if fewer than 500 days remain,
        # "not https" if the host cannot be reached over HTTPS
        status = self.get_url_check()
        if status != 504:
            ssl_time = datetime.strptime(self.get_str_time, '%Y%m%d%H%M%S')
            day = (ssl_time - datetime.now()).days
            if day > 500:
                return self.url, status, day
            else:
                return self.url, status, "low500"
        else:
            return self.url, status, "not https"
The second script checks whether every subdomain under each top-level domain serves HTTPS and how many days remain until its certificate expires:
# Requires the aliyun-python-sdk-core and aliyun-python-sdk-alidns modules.
import json
from aliyunsdkcore.client import AcsClient
from aliyunsdkalidns.request.v20150109.DescribeDomainsRequest import DescribeDomainsRequest
from aliyunsdkalidns.request.v20150109.DescribeDomainRecordsRequest import DescribeDomainRecordsRequest
from utils.ssl_check import SSL_Check

# Fill in your own Ali Cloud AccessKey ID, AccessKey Secret and the region ID of the server
client = AcsClient('<AccessKey ID>', '<AccessKey Secret>', '<region-id>')

# List all domains managed in Ali Cloud DNS
request = DescribeDomainsRequest()
request.set_accept_format('json')
response = client.do_action_with_exception(request)
datas = json.loads(response)

for domain in datas['Domains']['Domain']:
    print('-----------:', domain['DomainName'])
    # List the DNS records of this domain (up to 500 per page)
    requestInfo = DescribeDomainRecordsRequest()
    requestInfo.set_accept_format('json')
    requestInfo.set_DomainName(domain['DomainName'])
    requestInfo.set_PageSize(500)
    responseInfo = client.do_action_with_exception(requestInfo)
    datasInfo = json.loads(responseInfo)
    for record in datasInfo['DomainRecords']['Record']:
        if record['RR'] != '@':   # skip the apex record; check each host name
            url = record['RR'] + '.' + record['DomainName']
            # print(url)
            ssl_check = SSL_Check(url)
            print(ssl_check.get_ssl_time)
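The scan above lists the hosts that must keep working after the switch. The following added script (not part of the original article) takes a certificate in the dict form that Python's ssl.SSLSocket.getpeercert() returns and reports which of those hosts the merged certificate does not cover and how many days it has left, applying the one-label wildcard rule that makes the separate single-domain entry of 1.2 necessary; the hostnames and dates are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone


def hostname_covered(hostname, san_names):
    # *.example.com matches exactly one label (api.example.com), never example.com
    # itself or a.b.example.com: the bare top-level domains need single-domain entries.
    hostname = hostname.lower().rstrip('.')
    for name in san_names:
        name = name.lower().rstrip('.')
        if name == hostname:
            return True
        if name.startswith('*.') and hostname.endswith(name[1:]):
            label = hostname[:-len(name[1:])]
            if label and '.' not in label:
                return True
    return False


def audit_certificate(cert, required_hosts, now=None):
    # cert is a dict in the shape ssl.SSLSocket.getpeercert() returns.
    # Returns the hosts the certificate does not cover and the days until
    # notAfter, so a wrong or incomplete SAN list is caught before deployment.
    now = now or datetime.now(timezone.utc)
    san = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert['notAfter']),
                                     timezone.utc)
    return {'missing': [h for h in required_hosts if not hostname_covered(h, san)],
            'days_left': (expires - now).days}


def fetch_peer_cert(host, port=443):
    # The certificate a live endpoint presents, validated against the system roots.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a merged certificate (one single domain, two wildcards),
# audited at a fixed date so the result is reproducible offline.
SAMPLE_CERT = {'notAfter': 'Jun 15 12:00:00 2030 GMT', 'subjectAltName': (
    ('DNS', 'example.com'), ('DNS', '*.example.com'), ('DNS', '*.example.net'))}


def demo():
    hosts = ['example.com', 'api.example.com', 'example.net', 'a.b.example.com']
    return audit_certificate(SAMPLE_CERT, hosts, datetime(2030, 5, 1, tzinfo=timezone.utc))
```

For a real check, pass fetch_peer_cert(host) for an already deployed host, or the hosts reported as HTTPS by the scan, in place of SAMPLE_CERT.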
2.2 Agree with the project team on when the certificates that need replacing will be replaced and which ones should go first.
2.3 It was confirmed that Qiniu and Huawei Cloud should be replaced first. However, Qiniu and Huawei Cloud require a different certificate format, so it has to be converted. The following example uses the Nginx-format certificate downloaded from the Ali Cloud SSL Certificates console.
2.4 After downloading, unzip the archive. Open the file with the .pem suffix directly and copy its contents into the certificate box of the Qiniu and Huawei Cloud CDN consoles. The file with the .key suffix must be converted first; then copy its contents into the private-key box of the Qiniu and Huawei Cloud CDN consoles. The conversion command is as follows:
# rewrites the private key as a traditional "BEGIN RSA PRIVATE KEY" PEM block, which these consoles accept
openssl rsa -inform PEM -outform PEM -in xxxx.xxxxx.com.key -out new_key.pem
2.5 Next, replace the certificate on SLB (load balancing). Click the Deploy button in the SSL Certificates console and select Load balancing. This only pushes the certificate to SLB; the SLB itself must then be switched to the new certificate manually.
Replacing the Ali Cloud CDN certificate works the same way: first push (deploy) the certificate from the SSL Certificates console, then update it in the CDN console.
2.6 To replace the certificate on the servers running Nginx, just point the SSL directives in the Nginx configuration file at the new certificate and reload:
    # check the syntax with "nginx -t" before reloading (see 3.5)
    ssl on;                                # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; keep them only for old clients that still need them
    ssl_certificate /etc/nginx/ssl/xxxx.com.pem;
    ssl_certificate_key /etc/nginx/ssl/xxx.com.key;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 20m;
    ssl_prefer_server_ciphers on;
3. Two-way authentication certificate
3.1 If two-way (mutual) authentication is used on the mobile client, test it several times in the test environment, on both iOS and Android.
3.2 Run the following command on a Linux server to generate the CER certificate for the mobile client:
# converts the PEM certificate to DER; if the .pem bundles the chain, only the first (leaf) certificate is converted
openssl x509 -inform PEM -in xxxx.com.pem -out iosAndAndroid.cer -outform DER
Send the iosAndAndroid.cer file to the mobile developers, together with the domain name of the test interface, for testing.
3.3 When replacing a mobile certificate, ensure it is compatible with the original SSL certificate. Verifying iOS certificates takes time, so both certificates must be in effect at the same time. To do this, create a new SLB or install a new Nginx to deploy the new certificate, and leave the old one untouched. When the new mobile version is ready, remove the old certificate; until then it is best not to touch the old certificate at all.
3.4 Create a new SLB and point the domain name's DNS record at it; update the Nginx configuration, preferably by creating a new configuration file copied (scp) from the original one and changing the domain name.
3.5 After updating the Nginx configuration, do not reload or restart immediately. Use the O&M tools to check that the configuration on each machine is correct, and test and verify before reloading.
3.6 Prepare the service interface addresses and tokens in advance. After the configuration has been reloaded, call these service interfaces repeatedly to check that the service is working normally.
3.7 If auto scaling is used, update the image used by the scaling group, update the scaling configuration, bind the scaled machines to the SLB, and test that the scaled machines work properly after the update.
3.8 Since only the backend and a few other services integrate SLB into the release system, the release system's configuration must be updated accordingly so that the new SLB is available. This is best automated if time allows; doing it by hand inevitably produces mistakes.
3.9 When creating an SLB, pay attention to the details. It is best to refer to the previous configuration and compare the virtual server and forwarding settings so that they are all identical.
3.10 After the above services and interfaces test normally, send the new domain name to the team members.
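To confirm during the transition of 3.2 to 3.4 that each endpoint presents the certificate it should (the old SLB the certificate pinned by the shipped app, the new SLB the new one), the following added check (not from the original article) compares SHA-256 fingerprints of the console .pem, the DER .cer handed to mobile, and what a live host serves. Hostnames and certificate bytes are constructed placeholders.

```python
import hashlib
import ssl


def leaf_pem(pem_text):
    # Console downloads may bundle the chain; keep only the first (leaf) block,
    # which is the certificate openssl x509 converted into the mobile .cer file.
    end = '-----END CERTIFICATE-----'
    text = pem_text.strip()
    return text[:text.index(end) + len(end)]


def fingerprint_der(der_bytes):
    # SHA-256 fingerprint of a DER certificate (the .cer file), colon separated as openssl prints it.
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text):
    # The console .pem and the .cer handed to mobile must give the same value.
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(leaf_pem(pem_text)))


def check_rollout(expected, fetch_pem=None):
    # expected maps host -> fingerprint it must present: the old SLB keeps the
    # certificate pinned by the shipped app, the new SLB serves the new one.
    # fetch_pem(host) returns the served PEM; by default the live server is asked.
    fetch_pem = fetch_pem or (lambda host: ssl.get_server_certificate((host, 443)))
    result = {}
    for host, want in expected.items():
        try:
            result[host] = fingerprint_pem(fetch_pem(host)) == want
        except (OSError, ValueError):  # unreachable, TLS failure or malformed PEM
            result[host] = False
    return result


# Constructed sample: two fake certificate bodies stand in for the old and new
# certificates; the hostnames are placeholders, not from the original article.
OLD_DER = b'constructed-old-certificate-bytes'
NEW_DER = b'constructed-new-certificate-bytes'
SERVED = {'api.example.com': ssl.DER_cert_to_PEM_cert(OLD_DER),      # old SLB
          'api-new.example.com': ssl.DER_cert_to_PEM_cert(NEW_DER),  # new SLB
          'cdn.example.com': ssl.DER_cert_to_PEM_cert(OLD_DER)}      # not switched yet


def demo():
    expected = {'api.example.com': fingerprint_der(OLD_DER),
                'api-new.example.com': fingerprint_der(NEW_DER),
                'cdn.example.com': fingerprint_der(NEW_DER)}
    return check_rollout(expected, fetch_pem=lambda host: SERVED[host])
```

Against real hosts, build expected from fingerprint_der() of the .cer file and fingerprint_pem() of the console .pem and omit fetch_pem so the live servers are queried.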
3.11 Two-way authentication for the management backend: this refers to management backend programs with higher security requirements, such as the user backend. They need an extra layer of security. Besides the account + captcha login, add a two-way authentication certificate and import the client key into each user's browser to access the backend; then even someone who knows the account password cannot log in.
4. Test and verification
4.1 In every piece of work it is best to test and verify each stage of progress, so that the business stays normal and stable.
4.2 Test and verify before and after every reload, repeatedly checking that the service and interfaces are normal, so that the business stays normal and stable.