Prerequisites:
1. What is HTTPS, and what are its advantages and disadvantages compared with HTTP?
2. What files do I need to prepare to upgrade to HTTPS, and how is the upgrade done?
3. What SSL certificate types exist? (EV/OV/wildcard certificates, ...)
4. How do I choose an SSL certificate and a supplier? (Recommendation: GoDaddy is cheaper; VeriSign, GlobalSign and the like are relatively expensive.)
5. How do I get a trusted SSL certificate for free?
If you are not yet familiar with the points above, read up on them first; this article mainly covers point 5, how to obtain a free trusted SSL certificate. When should you consider a free certificate? For example: you have developed an app that transmits sensitive information such as the user's name and contact details. Encryption is required to protect the user's data from being compromised. But for a client that has already been released we cannot ask users to upgrade, so the old client keeps using plain HTTP and the old client program. How can user data then be encrypted transparently? Naturally we think of HTTPS, and to deploy HTTPS we need a certificate. You could self-sign one, but a self-signed certificate causes an error in the app that is already out in the field, because the issuer is not a trusted CA. So we need a certificate issued by a trusted CA. From personal experience there are several ways:
Method one: apply for a free SSL certificate on the WoSign website (recently closed; it may reopen in a few months).
Method two: apply to the major suppliers for a trial certificate (to handle an emergency); validity is generally 7 or 30 days, RapidSSL's is 30 days.
Method three: use the power of open source, with "Let's Encrypt" providing the certificate.
Next, the focus is on how to use "Let's Encrypt" to generate and renew certificates. "Let's Encrypt" is a non-profit organization (https://letsencrypt.org/), sponsored by major network and internet companies such as Akamai, Cisco and Chrome, that provides free certificates, so we can use it with confidence. However, the certificates it issues are valid for only 90 days (about three months), so they must be renewed before the 90 days are up.
OK, on to the topic: how to generate the SSL certificate for Nginx on Debian 7. You need to prepare Nginx and
1. Prepare an Nginx server. Download and install Nginx yourself; when compiling, make sure to add the HTTP SSL module (--with-http_ssl_module). The configure command used here was:
./configure --prefix=/data/server/nginx/nginx1.7/ \
    --with-pcre=/data/server/nginx/source/pcre-8.35/ \
    --with-zlib=/data/server/nginx/source/zlib-1.2.8/ \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-select_module \
    --with-poll_module \
    --add-module=/data/server/nginx/source/nginx_accept_language_module-master
2. Download the client and make it executable:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
3. Install the dependency packages (preferably on Ubuntu 14.04 or later); running the script the first time pulls them in:
./certbot-auto
4. Generate a Certificate
4.1. In most deployments Nginx sits in front as a load balancer and the back end runs the business services. Certbot needs to create files under .well-known/acme-challenge below the domain's webroot, so for this setup I mapped that path to one of the Nginx directories:
location ~ /.well-known {
    # served from html/ rather than proxied, so certbot's challenge files are reachable;
    # regex locations are matched in order, so this block must come before the catch-all "location ~ /"
    access_log logs/eapa_access.log main;
    root  html;
    index index.html index.htm;
}
4.2. Generate the certificate with ./certbot-auto certonly. Parameters: -w specifies the webroot (the root directory configured in 4.1) and -d the domain name; -d can be repeated. -w and -d appear in pairs, and several certificates can be generated at once. Below we generate a certificate for eapa.test.com, whose project path is /data/server/nginx/nginx1.7/html:
./certbot-auto certonly -w /data/server/nginx/nginx1.7/html -d eapa.test.com
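Before running certonly it is worth confirming that the .well-known mapping from 4.1 actually works, because the Let's Encrypt validation server fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP and fails the whole request if that URL is proxied away or blocked. The pre-flight script below is an added example, not part of the original post or of certbot: it drops a token file exactly where certbot would, fetches it back through the web server and compares. The FETCH variable and the function names are this example's own; the webroot and the (fake) domain in the usage comment are the post's.

```sh
#!/bin/sh
# Added example (not from the original post or from certbot): pre-flight check
# that the .well-known mapping really serves files over plain HTTP before
# asking Let's Encrypt to validate the domain.
set -u

# Command used to fetch a URL and print its body. A variable (assumed name)
# so that a different fetcher can be substituted to exercise the check offline.
: "${FETCH:=curl -fsS --max-time 10}"

# acme_challenge_dir WEBROOT -> the directory certbot writes challenge files into
acme_challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "${1%/}"
}

# preflight WEBROOT DOMAIN
# Writes a unique token file into the challenge directory, fetches it back via
# http://DOMAIN/.well-known/acme-challenge/<token> (the URL the Let's Encrypt
# validation server requests) and compares. Returns 0 on a matching round trip,
# 1 otherwise; the token file is removed either way.
preflight() {
    webroot=$1; domain=$2
    dir=$(acme_challenge_dir "$webroot")
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token"
    got=''
    got=$($FETCH "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || got=''
    rm -f "$dir/$token"
    if [ "$got" = "$token" ]; then
        echo "OK: http://$domain/.well-known/acme-challenge/ is served from $dir"
        return 0
    fi
    echo "FAIL: http://$domain/.well-known/acme-challenge/$token did not return the token (got: '$got')" >&2
    return 1
}

# Usage with the post's paths and (fake) domain, gating certbot on the check:
#   preflight /data/server/nginx/nginx1.7/html eapa.test.com \
#     && ./certbot-auto certonly -w /data/server/nginx/nginx1.7/html -d eapa.test.com
```

A failing check usually means the path is being proxied to the back end or a redirect to HTTPS is in the way; fix the location block before asking the CA, since repeated failed validations count against Let's Encrypt's rate limits.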
After the command succeeds the certificate is placed under /etc/letsencrypt/live/eapa.test.com/, where you can see the following files:
lrwxrwxrwx 1 root root 05:16 cert.pem        (certificate file)
lrwxrwxrwx 1 root root 05:16 chain.pem       (intermediate CA chain)
lrwxrwxrwx 1 root root 05:16 fullchain.pem   (cert.pem followed by chain.pem)
lrwxrwxrwx 1 root root 05:16 privkey.pem     (private key, no passphrase)
4.3. Installing the certificate on the Nginx server is simple; the configuration is pasted below:
server {
    listen 443 ssl;
    server_name eapa.test.com;

    # Use fullchain.pem (leaf + intermediate) rather than cert.pem alone; without the
    # intermediate, clients that do not already hold it cannot build a trust path.
    # Both files are copied here from /etc/letsencrypt/live/eapa.test.com/ (or point
    # these directives at the live/ symlinks so that renewals take effect on reload).
    ssl_certificate     /data/server/nginx/nginx1.7/ssl/fullchain.pem;
    ssl_certificate_key /data/server/nginx/nginx1.7/ssl/privkey.pem;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # ACME challenge files are served locally; regex locations match in order,
    # so this block must precede the catch-all below.
    location ~ /.well-known {
        access_log logs/eapa_access.log main;
        root  html;
        index index.html index.htm;
    }

    location ~ / {
        access_log logs/eapa_access.log main;
        root  html;
        index index.html index.htm;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme        $scheme;

        client_max_body_size       10m;
        client_body_buffer_size    128k;
        proxy_connect_timeout      300;
        proxy_send_timeout         300;
        proxy_read_timeout         300;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;

        # "eapa" is an upstream block defined elsewhere in the config (not shown in the post)
        proxy_pass     http://eapa;
        # rewrite http:// Location headers from the back end to the client's scheme
        # (fixes Spring MVC redirects falling back to http after the switch to https)
        proxy_redirect http:// $scheme://;
    }
}
Visit https://eapa.test.com to confirm it works. (Note: the domain name is a fake one.)
Finally, because the certificate is only valid for three months, renew it manually or from a cron job with the following command:
$ ./certbot-auto renew
Requesting root privileges to run certbot...
  /home/yi_liu/.local/share/letsencrypt/bin/letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/eapa.tclclouds.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/eapa.tclclouds.com/fullchain.pem (skipped)
No renewals were attempted.
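Because the post copies the certificate files into the Nginx ssl directory instead of pointing Nginx at /etc/letsencrypt/live/, a successful renewal only takes effect once the files are copied again and Nginx is reloaded. The script below is an added example (not from the original post or from certbot) that does both, and only when the files have actually changed, so a cron run on a day with nothing to renew touches nothing. The function names, the --run flag and the hook path are this example's own; the live/ and ssl/ paths are those used in the post, and certbot's renew command accepts --post-hook to run a command after it finishes.

```sh
#!/bin/sh
# Added example (not from the original post or from certbot): after
# `certbot-auto renew`, copy the renewed files into the nginx ssl directory used
# in the post and reload nginx, but only when the files actually changed.
set -u

# install_cert LIVE_DIR SSL_DIR
# Copies fullchain.pem and privkey.pem from LIVE_DIR (certbot's live/ directory)
# into SSL_DIR, creating it if needed, with mode 0600 so the private key is not
# world-readable. Prints "updated" and returns 0 if a file changed, prints
# "unchanged" and returns 1 if both were already identical, returns 2 on error.
install_cert() {
    live=$1; ssl=$2; changed=0
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || return 2
    mkdir -p "$ssl" || return 2
    for f in fullchain.pem privkey.pem; do
        if [ -f "$ssl/$f" ] && cmp -s "$live/$f" "$ssl/$f"; then
            continue            # same bytes as before: nothing to do for this file
        fi
        install -m 0600 "$live/$f" "$ssl/$f" || return 2
        changed=1
    done
    if [ "$changed" -eq 1 ]; then echo updated; return 0; fi
    echo unchanged
    return 1
}

# reload_if_changed LIVE_DIR SSL_DIR [NGINX_CMD]
# Installs the files and, only if something changed, validates the nginx
# configuration (-t) before reloading (-s reload), so a broken config never
# takes a running server down. NGINX_CMD defaults to "nginx"; pass another
# command to dry-run.
reload_if_changed() {
    live=$1; ssl=$2; nginx=${3:-nginx}
    rc=0
    install_cert "$live" "$ssl" >/dev/null || rc=$?
    case $rc in
        0) "$nginx" -t && "$nginx" -s reload ;;
        1) return 0 ;;
        *) echo "certificate files missing or unreadable under $live" >&2; return 2 ;;
    esac
}

# Suggested cron entry (daily; certbot only renews when fewer than 30 days remain),
# with --post-hook pointing at this script so the copy + reload runs after each renew.
# /path/to/certbot-auto and /path/to/renew-hook.sh are placeholders for wherever
# the client and this script are kept:
#   0 3 * * * /path/to/certbot-auto renew --quiet --post-hook "/path/to/renew-hook.sh --run"
if [ "${1:-}" = "--run" ]; then
    reload_if_changed /etc/letsencrypt/live/eapa.test.com /data/server/nginx/nginx1.7/ssl
fi
```

Comparing bytes with cmp before copying is what keeps the hook idempotent: certbot runs the post-hook after every renew invocation, including the many daily runs where nothing was due, and an unconditional reload on each of them is noise in the logs at best.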
Screenshot: qq20161130160855.jpg (renewal result; image not reproduced here)
Reference documentation:
https://letsencrypt.org/docs/
https://certbot.eff.org/all-instructions/#centos-6-nginx
https://certbot.eff.org/docs/using.html#webroot
This article is from the "humble benefit" blog; please keep this source when reposting: http://ganludong.blog.51cto.com/801200/1878160
How to upgrade your website from http to https for free