Let's Encrypt tutorial, free SSL certificate, make your website embrace HTTPS

This article explains how to upgrade a website from HTTP to HTTPS for free using a Let's Encrypt certificate; in effect, it is a tutorial on obtaining a free Let's Encrypt certificate. Why use HTTPS at all? A short story first.

Once there was a website. Then an advertisement appeared on it. The end.

As a blogger, I naturally do not want inexplicable advertisements (injected by ISPs hijacking the traffic) to appear while others are reading my site. This is where the value of HTTPS shows. HTTPS has many other benefits, but this one alone is enough for me to take the time to upgrade. (Actually the main purpose is to make the site look cooler :)

Introduction to Let's Encrypt

To enable HTTPS we need to obtain a certificate from a certificate authority (hereinafter CA). Let's Encrypt is a CA, and we can get a free certificate for our website's domain name from it. This article therefore focuses on upgrading a website to HTTPS with Let's Encrypt + Nginx.

Introduction to Certbot

Certbot is the client officially recommended by Let's Encrypt for obtaining certificates; it fetches the free Let's Encrypt certificates for us. Certbot supports all Unix-like operating systems. The server for my personal blog runs CentOS 7, and this tutorial follows the steps I took to enable HTTPS on that blog.

Get a free certificate

  1. Install the Certbot client

    yum install certbot

  2. Get a certificate

    certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

This command generates one certificate covering the two domain names example.com and www.example.com. In --webroot mode, certbot creates a .well-known folder under /var/www/example containing verification files; the domain is then verified by fetching http://example.com/.well-known/acme-challenge/ over the web, which confirms that the domain is bound to this server. This command suffices in most cases.
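The webroot verification above is the ACME HTTP-01 challenge (RFC 8555, section 8.3). As an added illustration, which is not code from the article and not certbot's own implementation, the script below lays out a challenge the way --webroot does: the CA fetches http://<domain>/.well-known/acme-challenge/<token> and expects the body <token>.<thumbprint>, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account's public JWK. The JWK and token used here are constructed placeholders, not a real key; the webroot is a temporary directory.

```python
"""Write an ACME HTTP-01 challenge file under a webroot (added example).

Not the article's code and not certbot's; it follows RFC 8555 / RFC 7638.
The demo JWK below is a constructed placeholder, not a usable key.
"""
import base64
import hashlib
import json
import os
import tempfile

CHALLENGE_DIR = ".well-known/acme-challenge"
# ACME tokens are base64url, so anything else (e.g. "../") is rejected
TOKEN_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects to read back for this token."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """The URL the CA fetches; plain HTTP, because no cert exists yet."""
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the key authorization where the CA will look; return the path."""
    if not token or any(c not in TOKEN_ALPHABET for c in token):
        raise ValueError("token must consist of base64url characters only")
    target_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


if __name__ == "__main__":
    # constructed placeholder key, not a real RSA modulus
    demo_jwk = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB"}
    token = "DGyRejmCefe7v4NfDGDKfA"  # example token, constructed
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, token, demo_jwk)
        print("CA fetches:", challenge_url("example.com", token))
        print("file:", path)
        with open(path, encoding="ascii") as fh:
            print("body:", fh.read())
```

The file is served as plain HTTP because the certificate does not exist yet, so the web server must answer on port 80 for the domain being validated; the token check in write_challenge is the kind of input validation a server-side ACME integration should do before joining untrusted strings into a filesystem path.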

But sometimes a service has no web root directory, for example some microservices; then --webroot cannot be used. certbot has another mode, --standalone, which does not need the website's root directory: it opens port 443 on the server itself to verify ownership of the domain name. If other services (such as nginx) occupy port 443, we must stop them first and start them again after the certificate is generated.

    certbot certonly --standalone -d example.com -d www.example.com

After the certificate is generated, a folder named after the domain appears under /etc/letsencrypt/live/; it holds symbolic links to the current certificate files.

Our first certificate is now in hand; the next step is to configure the web server and enable HTTPS.

Nginx configuration to enable HTTPS

The blog uses Nginx as a reverse proxy to forward requests. Here is my Nginx configuration.

    server {
        server_name diamondfsd.com www.diamondfsd.com;
        # "listen 443 ssl" replaces the deprecated "ssl on" directive
        listen 443 ssl;
        # fullchain.pem: server certificate plus intermediates; privkey.pem: private key
        ssl_certificate /etc/letsencrypt/live/diamondfsd.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/diamondfsd.com/privkey.pem;

        location / {
            proxy_pass http://127.0.0.1:3999;
            proxy_http_version 1.1;
            # tells the backend the client connected over HTTPS
            # (non-standard spelling; the conventional name is X-Forwarded-Proto)
            proxy_set_header X_FORWARDED_PROTO https;
            proxy_set_header X-Real-IP $remote_addr;
            # appends $remote_addr to any existing chain, so a separate
            # X-Forwarded-For $remote_addr line is redundant
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
        }
    }
    server {
        server_name api.diamondfsd.com;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/api.diamondfsd.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/api.diamondfsd.com/privkey.pem;

        location / {
            proxy_pass http://127.0.0.1:4999;
            proxy_http_version 1.1;
            proxy_set_header X_FORWARDED_PROTO https;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
        }
    }

The essentials are: listen on port 443, enable SSL, and point Nginx at the certificate (public key) and private key files.
With this configuration, HTTPS is enabled.
Now open my blog at https://diamondfsd.com and you can see the "Secure" indicator in the address bar.


Automatically renew SSL certificates

After configuring all this, our work is still not done. Certificates issued by Let's Encrypt are valid for only 90 days, so they must be re-obtained before they expire. certbot provides a very convenient command for this: certbot renew.
It automatically checks the certificates on the system and renews them.
We can test it with

    certbot renew --dry-run

I got this error when running it:

    Attempting to renew cert from /etc/letsencrypt/renewal/api.diamondfsd.com.conf produced an unexpected error: At least one of the required ports is already taken.. Skipping.

This is because api.diamondfsd.com was verified in --standalone mode, which needs to open port 443. The error means that the port to be opened is already occupied, so I had to stop nginx first. Sure enough, after running service nginx stop, no error was reported and all certificates were refreshed successfully.

The certificate expires after 90 days, so we only need to run the renewal before then, and that can be handed to a scheduled task: on Linux, cron does this.
I created a new file, certbot-auto-renew-cron, containing the cron schedule below; it means: run the renewal at 2:15 am every two months.

    15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

--pre-hook specifies what to do before the renewal runs. Because one certificate uses --standalone mode, I need to stop the nginx service to release the port.
--post-hook specifies what to do after the renewal finishes; here it starts the nginx service again.
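Two things are worth checking before trusting a renewal schedule: which minutes a five-field cron line actually matches, and when certbot will consider a certificate due (by default it renews once 30 days or fewer remain, which is why `certbot renew` can safely run far more often than the certificate lifetime). The script below is an added example, not code from the article and not part of certbot: it evaluates the article's line "15 2 * */2 *" minute by minute over a calendar window and applies the 30-day rule to a notAfter line in the format printed by `openssl x509 -noout -enddate`. The expiry date and the "first of every other month" variant are constructed for the demonstration.

```python
"""Evaluate a crontab line and certbot's renewal window (added example).

Not the article's code and not part of certbot. Cron semantics follow
Vixie cron: when both day-of-month and day-of-week are restricted, the job
fires when either matches. The sample expiry below is constructed.
"""
from datetime import datetime, timedelta

ARTICLE_CRON = ('15 2 * */2 * certbot renew --pre-hook "service nginx stop" '
                '--post-hook "service nginx start"')

# (low, high) bounds per field: minute, hour, day-of-month, month, day-of-week
FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
RENEW_BEFORE = timedelta(days=30)   # certbot's default renew_before_expiry


def expand_field(field, low, high):
    """Expand one cron field ('*', '*/2', '1-5', '1,15', '7') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(line):
    """Return (field_sets, dom_is_star, dow_is_star, command) for a crontab line."""
    fields = line.split(None, 5)
    sets = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_BOUNDS)]
    if 7 in sets[4]:            # cron accepts both 0 and 7 for Sunday
        sets[4].add(0)
    command = fields[5] if len(fields) > 5 else ""
    return sets, fields[2] == "*", fields[4] == "*", command


def matches(spec, when):
    """True if cron would fire during the minute `when` (seconds ignored)."""
    sets, dom_star, dow_star, _ = spec
    if when.minute not in sets[0] or when.hour not in sets[1] or when.month not in sets[3]:
        return False
    dom_ok = when.day in sets[2]
    dow_ok = (when.isoweekday() % 7) in sets[4]   # Python Sun=7 -> cron Sun=0
    if dom_star or dow_star:
        return dom_ok and dow_ok
    return dom_ok or dow_ok     # both restricted: fires when either matches


def fire_times(spec, start, days):
    """Every minute in [start, start + days) at which the line fires."""
    t = start.replace(second=0, microsecond=0)
    end = t + timedelta(days=days)
    hits = []
    while t < end:
        if matches(spec, t):
            hits.append(t)
        t += timedelta(minutes=1)
    return hits


def parse_not_after(line):
    """Parse 'notAfter=Jun 10 12:00:00 2024 GMT' as printed by openssl."""
    _, _, value = line.partition("=")
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")


def renewal_due(not_after, now):
    """certbot's default rule: renew once 30 days or fewer remain."""
    return now + RENEW_BEFORE >= not_after


if __name__ == "__main__":
    spec = parse_cron(ARTICLE_CRON)
    hits = fire_times(spec, datetime(2023, 1, 1), 62)
    print(f"{len(hits)} runs from 2023-01-01 over 62 days; first {hits[0]}, last {hits[-1]}")
    # constructed expiry: a certificate that lapses at the start of April
    expiry = parse_not_after("notAfter=Apr  1 00:00:00 2023 GMT")
    for day in (1, 2):
        when = datetime(2023, 3, day, 2, 15)
        print(f"{when}: renewal due = {renewal_due(expiry, when)}")
```

Running it shows that "15 2 * */2 *" fires at 02:15 on every day of January, March, May and so on (the day-of-month field is `*`, and `*/2` in the month field selects the odd months), not once every two months; because renew only acts inside the 30-day window, the frequent runs are harmless and the even-month gap is what deserves attention when the certificate lifetime is 90 days. Whatever schedule is chosen, the pre-hook in the article stops nginx for the duration of every renewal run, so serving the challenge from the webroot instead of --standalone avoids that downtime.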

Finally we use crontab to install this scheduled task:

    crontab certbot-auto-renew-cron

At this point, the entire website has been upgraded to HTTPS. To summarize, we needed to:

  1. Get a Free Certificate from Let's Encrypt
  2. Configure Nginx to enable HTTPS
  3. Periodically refresh the certificate

Thanks to the Let's Encrypt organization and all of its contributors and supporters for providing us with free security certificates.

Reference: Certbot, CentOS/RHEL 7 with Nginx
Reference: Let's Encrypt, Getting Started
Reference: Arch Linux wiki, cron
Reference: Nginx, Configuring HTTPS servers

