In web development, HTTPS is the baseline protection for website content, and some software simply will not work without it: the domain name configured for WeChat development must use HTTPS, the connection configured for Parse Dashboard must use HTTPS, and so on.

Today it is very convenient to buy a certificate from a cloud service provider; the only drawback is that you have to pay. So is there a certificate you can get for free?

Let's Encrypt is a free, automated certificate authority that issues certificates for your website's domain name. The steps below obtain one on CentOS using Certbot.

  1. Log in to the server

    Use SSH to log in to the server that runs the website.

  2. Install snapd

    Snapd is a great package management tool available in various Linux distributions today.

    The installation in this example is based on CentOS 7. If you use another distribution, refer to snapd's installation documentation for the details.

    • Add the EPEL repository

      • CentOS 8

        $ sudo dnf install epel-release
        $ sudo dnf upgrade
      • CentOS 7

        $ sudo yum install epel-release
    • Install snapd

      • After adding the EPEL repository, type the following command to install snapd

        $ sudo yum install snapd
      • After the installation completes, enable and start the snapd socket with systemd

        $ sudo systemctl enable --now snapd.socket
      • Link snapd's mount directory to /snap

        Once installed, snapd provides the snap command. On CentOS, snaps are mounted under /var/lib/snapd/snap, while classic snaps such as Certbot expect /snap, so create a symbolic link

        $ sudo ln -s /var/lib/snapd/snap /snap
  3. Make sure the snapd core is up to date

    Run the following command to install the snapd core snap and refresh it, so that the snapd you are running is the latest version.

    sudo snap install core; sudo snap refresh core
  4. Remove certbot-auto and any OS-packaged Certbot

    Uninstall any Certbot package that was installed earlier with your distribution's package manager (apt, dnf, yum, and so on), so that it does not conflict with the snap version:

    sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot
  5. Install Certbot

    Certbot is the main tool for obtaining HTTPS certificates. In earlier versions, Certbot was installed as a Python package, but the installation often failed because of mismatched versions of its Python dependencies. Installing Certbot through snap is therefore the recommended method now.

    sudo snap install --classic certbot
  6. Link the certbot command into the system PATH

    sudo ln -s /snap/bin/certbot /usr/bin/certbot
  7. Obtain HTTPS certificates with the Nginx plugin

    There are two ways to obtain a certificate with the Nginx plugin:

    • Let Certbot obtain the certificate and also modify the Nginx configuration files to enable HTTPS

      sudo certbot --nginx
    • Use Certbot only to obtain the certificate, and edit the Nginx configuration yourself

      sudo certbot certonly --nginx

    While obtaining the certificate, Certbot prompts you for an email address (used for expiry and security notices). You can skip the email registration step by adding --register-unsafely-without-email to the command (note that certonly is a subcommand, not an option):

    sudo certbot certonly --nginx --register-unsafely-without-email

    In the next step, select the domain name(s) to issue the certificate for, and your own HTTPS certificate is generated.

  8. Configure automatic certificate update

    Since a certificate issued by Let's Encrypt is only valid for 90 days, the certificate must be renewed in time.

    The renew command renews the certificate. Add the --dry-run parameter to simulate a renewal without changing anything, and inspect the command's output:

    sudo certbot renew --dry-run
  9. Run the crontab command to add scheduled renewal

    Linux runs scheduled tasks through cron. Open root's crontab with sudo crontab -e and add the following entry (inside root's crontab, sudo is not needed):

    0 0,12 * * * /usr/bin/certbot renew > /var/log/certbot.renew.log 2>&1

    This entry checks at 00:00 and 12:00 every day whether the certificate is due for renewal and renews it when necessary; Certbot only replaces a certificate once it is within 30 days of expiry, so the twice-daily check is cheap. Note that the Certbot snap also installs a systemd timer that performs the same check, so the cron entry is a fallback rather than a requirement.

  10. Check whether the HTTPS service is enabled correctly

  • In a browser, open the site over https:// and check that the address bar shows the secure (padlock) indicator

  • On the command line, use curl to check that HTTPS is served correctly

    Run the following command and inspect the output for the domain:

    curl -vIL https://zi.pongj.com

    In the command output you can see the configured HTTPS certificate: its validity starts on Dec 29 07:06:07 2020 GMT and ends on Mar 29 07:06:07 2021 GMT.

    * About to connect() to zi.pongj.com port 443 (#0)
    *   Trying 49.235.105.234...
    * Connected to zi.pongj.com (49.235.105.234) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate:
    * 	subject: CN=zi.pongj.com
    * 	start date: Dec 29 07:06:07 2020 GMT
    * 	expire date: Mar 29 07:06:07 2021 GMT
    * 	common name: zi.pongj.com
    * 	issuer: CN=R3,O=Let's Encrypt,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: zi.pongj.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Server: nginx/1.18.0
    Server: nginx/1.18.0
    < Date: Fri, 22 Jan 2021 05:40:37 GMT
    Date: Fri, 22 Jan 2021 05:40:37 GMT
    < Content-Type: text/html; charset=utf-8
    Content-Type: text/html; charset=utf-8
    < Content-Length: 219958
    Content-Length: 219958
    < Connection: keep-alive
    Connection: keep-alive
    < ETag: "35b36-TbUTbYgQ6yT1OJeOQSyX0F3IN9g"
    ETag: "35b36-TbUTbYgQ6yT1OJeOQSyX0F3IN9g"
    < Accept-Ranges: none
    Accept-Ranges: none
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    <
    * Connection #0 to host zi.pongj.com left intact
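As an added example that is not part of the original post, the following POSIX shell script turns the start/expire dates that curl -vI prints (as in the output above) into a renewal check that a cron job or monitoring system can run after steps 8 and 9: it reports how many days of validity remain and flags a certificate that is already inside Certbot's 30-day renewal window, which is exactly the condition a healthy twice-daily renew job should prevent. It assumes GNU date (for date -d); the host name zi.pongj.com and the dates are taken from the output above, and the captured curl transcript embedded in the script is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the certificate dates that
# `curl -vI https://<host>` prints into a renewal-health check. Assumes GNU date
# (for `date -d`) and POSIX sh; host name and dates are the ones from the post.

# Constructed sample: the verbose lines curl printed for the post's host. The
# response's Date header doubles as the "current time" so the check is reproducible.
SAMPLE_CURL_OUTPUT=$(cat <<'EOF'
* Server certificate:
*       subject: CN=zi.pongj.com
*       start date: Dec 29 07:06:07 2020 GMT
*       expire date: Mar 29 07:06:07 2021 GMT
*       issuer: CN=R3,O=Let's Encrypt,C=US
< HTTP/1.1 200 OK
< Date: Fri, 22 Jan 2021 05:40:37 GMT
EOF
)

# Certbot's default: a certificate is renewed once fewer than this many days remain.
RENEW_WINDOW_DAYS=30

# Print the value of the first "expire date:" line in curl's verbose output.
cert_expire_date() {
    printf '%s\n' "$1" | sed -n 's/.*expire date: *//p' | head -n 1
}

# Print the value of the first "< Date:" response header (the server's clock).
response_date() {
    printf '%s\n' "$1" | sed -n 's/^< Date: *//p' | head -n 1
}

# Whole days from $1 (now) to $2 (expiry), both in any form GNU date accepts,
# e.g. "Mar 29 07:06:07 2021 GMT". Negative means the certificate has expired.
days_until() {
    now_s=$(date -u -d "$1" +%s) || return 1
    end_s=$(date -u -d "$2" +%s) || return 1
    echo $(( (end_s - now_s) / 86400 ))
}

# Classify the certificate: "ok", "renew-due" (inside the renewal window, so the
# renew job should already have replaced it) or "expired".
cert_status() {
    days=$(days_until "$1" "$2") || return 1
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo renew-due
    else
        echo ok
    fi
}

# Full check over a captured curl transcript: prints "<status> <days-left>".
# Pass a reference time as $2; otherwise the server's Date header is used,
# falling back to the local clock if the transcript has none.
check_curl_output() {
    output=$1
    now=${2:-$(response_date "$output")}
    [ -n "$now" ] || now=$(date -u)
    expire=$(cert_expire_date "$output")
    if [ -z "$expire" ]; then
        echo "no server certificate found in curl output" >&2
        return 2
    fi
    echo "$(cert_status "$now" "$expire") $(days_until "$now" "$expire")"
}

# Stand-alone run against the constructed sample (prints "ok 66").
# Live use: out=$(curl -vsI https://zi.pongj.com 2>&1); check_curl_output "$out"
check_curl_output "$SAMPLE_CURL_OUTPUT"
```

The 30-day threshold is deliberate: Certbot renews a certificate once fewer than 30 days of validity remain, so a live certificate that reports "renew-due" means the cron entry or systemd timer is not doing its job and should be investigated before the site goes dark. A curl built against OpenSSL prints the same "start date:" and "expire date:" lines as the NSS build in the post, so the parser works for both.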

More content

I moved from front-end development to full stack; my current stack is Node.js and Python, I study C and Rust daily, and I am working hard on systems development and network design.

For more content, see GitHub @ruxf, Zhihu @Meng Taibai, Juejin (nuggets), or follow my public account @ full stack developer; feel free to get in touch.

Never too old to learn, never too old to write

Keep going, fellow workers