This article explains how to upgrade a website from HTTP to HTTPS for free using a Let's Encrypt certificate; in effect it is a tutorial on obtaining a free Let's Encrypt certificate. Why use HTTPS at all? A short story first.
There once was a website. Then an advertisement appeared on it. That is the whole story.
As bloggers, we naturally do not want inexplicable advertisements (injected by ISPs hijacking the connection) to appear while others are browsing our site. This is where HTTPS shows its value. HTTPS has many other benefits, but this one alone is enough for me to take the time to upgrade. (Actually the main purpose is to make the site look classier :)
Introduction to Let's Encrypt
If we want to enable HTTPS, we need to obtain a certificate from a certificate authority (hereinafter CA). Let's Encrypt is a CA from which we can get a free certificate for the website's domain name. This article mainly covers upgrading a website to HTTPS with Let's Encrypt + Nginx.
Introduction to Certbot
Certbot is the client officially recommended by Let's Encrypt for obtaining certificates; it fetches free Let's Encrypt certificates for us. Certbot supports all Unix-like operating systems. My blog's server runs CentOS 7, and this tutorial follows the steps I used to enable HTTPS on that blog.
Get a free certificate
- Install the Certbot client
yum install certbot
- Get a certificate
certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
This command generates one certificate covering the two domain names example.com and www.example.com. In --webroot mode, certbot creates a .well-known folder under /var/www/example containing some verification files; it then verifies that your domain points to this server by requesting example.com/.well-known/acme-challenge. This command suffices in most cases,
but some of our services have no web root directory (microservices, for example), and then --webroot does not work. certbot has another mode, --standalone, which does not need a website root: it listens on port 443 of the server itself to verify ownership of the domain name. If other services (such as nginx) occupy port 443, we must stop them first and start them again after the certificate has been generated.
certbot certonly --standalone -d example.com -d www.example.com
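As an added example (not from the original post), here is an nginx server block that lets every domain, including ones with no web root such as api.diamondfsd.com, be validated in --webroot mode without stopping nginx: nginx serves /.well-known/acme-challenge/ from one shared directory on port 80 and redirects everything else to HTTPS. The path /var/www/letsencrypt is my assumption, not from the post.

```nginx
# Added example (assumed path /var/www/letsencrypt): one shared challenge
# directory for all hostnames, so --webroot works for the API subdomain too.
server {
    listen 80;
    server_name diamondfsd.com www.diamondfsd.com api.diamondfsd.com;

    # ACME HTTP-01 challenge files: certbot writes them here, Let's Encrypt fetches them.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Issue or renew with `certbot certonly --webroot -w /var/www/letsencrypt -d api.diamondfsd.com`; since nothing has to stop, `certbot renew --post-hook "nginx -s reload"` can run daily (it only re-issues certificates within 30 days of expiry), which is safer than a two-month schedule.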
After the certificate is generated, a folder named after the domain appears under /etc/letsencrypt/live/; it holds symlinks to the current certificate files.
Our first certificate is now in place; the next step is to configure the web server and enable HTTPS.
Nginx configuration to enable HTTPS
The blog system uses the Nginx server to forward requests. Here is my Nginx configuration.
server {
    server_name diamondfsd.com www.diamondfsd.com;
    listen 443 ssl;   # "listen 443; ssl on;" is the deprecated form of this
    ssl_certificate /etc/letsencrypt/live/diamondfsd.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/diamondfsd.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3999;
        proxy_http_version 1.1;
        # tells the backend the original request was HTTPS (conventional name: X-Forwarded-Proto)
        proxy_set_header X_FORWARDED_PROTO https;
        proxy_set_header X-Real-IP $remote_addr;
        # appends the client address to any existing X-Forwarded-For chain
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }
}
server {
    server_name api.diamondfsd.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/api.diamondfsd.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.diamondfsd.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:4999;
        proxy_http_version 1.1;
        proxy_set_header X_FORWARDED_PROTO https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }
}
The key points are to listen on port 443, enable SSL, and configure the certificate paths (the certificate chain and the private key).
With these settings, HTTPS is enabled.
Now open my blog at https://diamondfsd.com and you can see the Secure indicator in the address bar.
Automatically renew SSL certificates
After configuring all this, our work is still not done. Certificates issued by Let's Encrypt are valid for only 90 days, so we must re-obtain them before they expire. certbot provides a very convenient command for this: certbot renew.
It automatically checks the certificates on the system and renews those that are due.
We can test it with a dry run:
certbot renew --dry-run
I got this error when running it:
Attempting to renew cert from /etc/letsencrypt/renewal/api.diamondfsd.com.conf produced an unexpected error: At least one of the required ports is already taken.. Skipping.
This is because api.diamondfsd.com was verified in --standalone mode, which needs port 443. The error means that the port to be used is already occupied, so I have to stop nginx first for the renewal to succeed. Sure enough, after I ran service nginx stop and renewed again, no error was reported and all certificates were refreshed successfully.
The certificate expires in 90 days, so we just need to run the renewal before then. This can be handed to a scheduled task: on Linux, cron does this.
I created a new file, certbot-auto-renew-cron, containing a cron schedule. The entry below means: run the renewal at 2:15 am every two months.
15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
--pre-hook: what to run before the renewal. Because one of my certificates uses --standalone mode, I need to stop the nginx service to free the port.
--post-hook: what to run after the renewal completes; here it starts the nginx service again.
Finally we use crontab to install this scheduled task:
crontab certbot-auto-renew-cron
At this point, the entire website has been upgraded to HTTPS. To summarize what we had to do:
- Get a Free Certificate from Let's Encrypt
- Configure Nginx to enable HTTPS
- Periodically refresh the certificate
Thanks to the Let's Encrypt organization and all of its contributors and supporters for providing us with free security certificates.
Reference: Certbot, CentOS/RHEL 7 with Nginx
Reference: Let's Encrypt, Getting Started
Reference: Arch Linux wiki, cron
Reference: Nginx, Configuring HTTPS servers