Linux Server plus HTTPS

Source: Internet
Author: User
Tags openssl rsa domain name validation web hosting ssl certificate startssl

Reposted from http://www.jb51.net/article/68679.htm

Now, you should be able to visit https://konklone.com and see a nice little green lock in the address bar, because I have turned on HTTPS for this site. It did not cost me a penny.

Why use HTTPS:

    • SSL is not invulnerable, but we should raise the cost of eavesdropping wherever we can
    • Encrypted communication should not be the exception; every connection should be encrypted
    • A side benefit: once your site uses HTTPS, visitors arriving from other sites that already use HTTPS (such as Hacker News) show up with complete referrer information in Google Analytics, because browsers strip the Referer header when navigating from an HTTPS page to a plain HTTP one

This article shows how to do your part for a secure Internet by turning on HTTPS for your website. There are quite a few steps, but each one is simple, and you should be able to get through them in about an hour.


Summary: to serve your site over HTTPS you need a certificate signed by a certificate authority that browsers trust. Once you have it, you point your web server at the certificate and at the private key that goes with it, and open port 443. You don't need to be a professional software developer to do this, but you do need to be comfortable on the command line and with configuring the server you run.

Most certificates cost money, but I took Micah Lee's advice and used StartSSL. That's what the EFF uses, and it's free for personal sites. (They will ask you to pay for a higher-class certificate if your site is actually commercial.) Be warned that their website is hard to use at first, especially if you're unfamiliar with the concepts and terminology behind SSL (as I was). Fortunately it's not as hard as it looks, but there are many small steps. Note that StartCom, the company behind StartSSL, was distrusted by the major browsers in 2016 and 2017 and later shut down, so this particular CA can no longer be used; the procedure below works unchanged with any CA that accepts a certificate signing request, and free domain-validated certificates are available today from Let's Encrypt.

Below, we go step by step from registration to creating your own certificate. We also cover installing it under nginx, but you can use the certificate with any web server you like.

First, register an account. They will email you a verification code; don't close the tab or browser in the meantime, just keep it open so you can paste the code in when it arrives.

Then wait a few minutes for the registration to go through. Once it is approved, they send you an email with a special link and a verification code.

After that they generate a private key on their server, but this is not the key for your site's SSL certificate. They use it to generate a separate "authentication certificate", a client certificate that you use to log in to the StartSSL control panel, where you will create the certificates for your site.

Finally, they'll ask you to install that certificate.

Install the authentication certificate in your browser

If you use Chrome you will see a message to that effect at the top of the browser window.

Again, this client certificate is what identifies you to StartSSL from now on: you reached this page through the link in your email, and the browser presents the certificate whenever you log in.


Now we need to convince StartSSL that we own our domain name, so that it will issue a certificate for it. From the control panel, click "Validations Wizard" and select "Domain Name Validation" in the drop-down.

Enter your domain name.

Next, choose the email address StartSSL will use to verify that you control the domain. StartSSL will believe you own the domain if you can receive mail at [email protected], [email protected] or [email protected], or at an address listed in the domain's registrant (WHOIS) information (for me, that was [email protected]). Pick one at which you can actually read mail.

They will send a verification code to that address, which you enter into the text box to complete domain validation.

Generate the certificate

Now that StartSSL knows who you are and which domain you own, you can generate a certificate from your private key.

At this point StartSSL can generate a private key for you (their FAQ promises that they only generate high-quality random keys and do not keep them afterwards), but you can also create one yourself, which is simple and means the CA never sees your private key at all.

This guide creates the key on the command line. If you choose StartSSL's generator instead, follow its wizard and keep a backup of what it gives you; either way, you then apply for a certificate for your domain.

Open a terminal and create a new 2048-bit RSA key:

    openssl genrsa -aes256 -out my-private-encrypted.key 2048

It will ask for a passphrase. Choose one and remember it. This produces an encrypted private key; if you ever need to move the key over the network, move this encrypted version, never the decrypted one.

Next, decrypt it so that a certificate signing request (CSR) can be generated from it, and so that nginx can load it without a passphrase prompt. Keep the decrypted file readable only by root (chmod 600):

    openssl rsa -in my-private-encrypted.key -out my-private-decrypted.key

Then generate the certificate signing request. You'll be prompted for the subject fields; put your domain name in the Common Name:

    openssl req -new -key my-private-decrypted.key -out mydomain.com.csr

Go back to the StartSSL control panel, click the "Certificates Wizard" tab and select "Web Server SSL/TLS Certificate" in the drop-down.

Since we generated our own private key, click "Skip" here.

Then paste the contents of the .csr file we generated earlier into the text box.

If all is well, it will tell you that your certificate signing request was received.

Now select the domain name you verified earlier as the one this certificate is for.

It will ask you to add a subdomain; I added "www".

It will ask you to confirm; if it looks right, click "Continue".

Note: at this point you may hit an "additional verification required!" step, where you wait for approval by email. I didn't hit it the first time but did the second, and my request was approved in about 30 minutes. Once it is approved, click the "Tool Box" tab and use "Retrieve Certificate" to get your certificate.

Your certificate then appears in a text box for you to copy and paste into a file. Name the file whatever you like, but the rest of this guide refers to it as mydomain.com.crt.

Install the certificate in Nginx

First, confirm that port 443 is open on your web server. Many hosts open it by default. If you use Amazon AWS, make sure port 443 is allowed inbound in your instance's security group.

Next, build the "certificate chain" that the web server will send to clients. It contains your certificate followed by StartSSL's intermediate certificate; StartSSL's root certificate is not needed in the file, because browsers already ship it. Download the intermediate certificate:

    wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Then concatenate your certificate and theirs, in that order (your certificate must come first, or clients will fail to build the chain):

    cat mydomain.com.crt sub.class1.server.ca.pem > unified.crt
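Before copying anything to the server it is worth proving that the key, the CSR and the chain file all agree. The script below is an added example, not part of the original article: it runs the article's three openssl commands non-interactively, stands in for StartSSL with a throwaway root and intermediate CA (StartSSL is never contacted; the file name sub.class1.server.ca.pem is reused only to mirror the article), assembles unified.crt leaf-first, and checks that the CSR and the issued certificate carry our public key and that the chain verifies up to the root. The domain mydomain.com and the passphrase are placeholders.

```sh
#!/bin/sh
# Added example, not from the original article. It runs the article's key
# and CSR commands non-interactively, stands in for StartSSL with a throwaway
# root + intermediate CA (hypothetical; StartSSL is not contacted), builds the
# leaf-first chain file that nginx needs, and checks it before deployment.
set -eu
umask 077                          # key files must not be group/world readable

WORK=$(mktemp -d)                  # everything lands in a scratch directory
DOMAIN=mydomain.com                # hypothetical domain, as in the article
PASS=correct-horse-battery-staple  # demo passphrase; pick a real one

# The article's three commands, with the passphrase and subject supplied on
# the command line so no prompts appear.
make_key_and_csr() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/my-private-encrypted.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/my-private-encrypted.key" -passin "pass:$PASS" \
        -out "$WORK/my-private-decrypted.key" 2>/dev/null
    openssl req -new -key "$WORK/my-private-decrypted.key" \
        -subj "/CN=$DOMAIN" -out "$WORK/$DOMAIN.csr" 2>/dev/null
}

# The CSR has to carry the public half of *our* key: compare RSA moduli.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$WORK/my-private-decrypted.key")
    c=$(openssl req -noout -modulus -in "$WORK/$DOMAIN.csr")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Throwaway root and intermediate standing in for StartSSL's CA hierarchy.
# The intermediate must be marked CA:TRUE or verification rejects it.
make_toy_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/sub.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/sub.class1.server.ca.pem" 2>/dev/null
}

# What the CA does with the pasted CSR: issue a leaf for the domain and "www".
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:www.%s\n' \
        "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
    openssl x509 -req -days 30 -in "$WORK/$DOMAIN.csr" \
        -CA "$WORK/sub.class1.server.ca.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# The article's chain step: leaf first, then the intermediate.
build_chain() {
    cat "$WORK/$DOMAIN.crt" "$WORK/sub.class1.server.ca.pem" > "$WORK/unified.crt"
}

# openssl x509 reads only the first certificate in a file, so this confirms
# the leaf is in front (the order clients expect).
chain_leaf_first() {
    openssl x509 -noout -subject -in "$WORK/unified.crt" | grep -q "CN *= *$DOMAIN"
}

# nginx -t refuses a cert/key mismatch; catch it earlier with the same
# modulus comparison used for the CSR.
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$WORK/my-private-decrypted.key")
    c=$(openssl x509 -noout -modulus -in "$WORK/unified.crt")
    [ "$k" = "$c" ]
}

# Verify the leaf up to the root using only the intermediates found in the
# chain file as untrusted helpers. Prints "OK" on success, else the error.
chain_verifies() {
    awk '/BEGIN CERT/ { n++ } n > 1' "$WORK/unified.crt" > "$WORK/untrusted.pem"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
        "$WORK/$DOMAIN.crt" 2>&1 | sed -n 's/.*: //p' | head -n 1
}

run_all() {
    make_key_and_csr && csr_matches_key && make_toy_ca && sign_csr && build_chain \
        && chain_leaf_first && cert_matches_key && chain_verifies
}

run_all                            # prints OK
echo "chain ready: $WORK/unified.crt  key: $WORK/my-private-decrypted.key"
```

With a real CA, replace the toy root in chain_verifies with the CA's root certificate (or simply omit -CAfile to use the system trust store) and skip make_toy_ca and sign_csr; the modulus and leaf-first checks apply unchanged.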

Finally, tell your web server about the unified certificate and your decrypted key. I use nginx; below is the minimum configuration you need. It uses a 301 permanent redirect to send all HTTP requests to HTTPS, and points the server at the certificate and key.

The configuration is as follows:
server {
    listen 80;
    server_name konklone.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name konklone.com;

    ssl_certificate /path/to/unified.crt;
    ssl_certificate_key /path/to/my-private-decrypted.key;
}

# for a more complete, secure config:
# https://gist.github.com/konklone/6532544


That gist gives a more comprehensive nginx configuration that enables SPDY, HSTS, SSL session resumption and perfect forward secrecy. (SPDY has since been superseded by HTTP/2, which current nginx releases support in its place.)

Qualys' SSL Labs provides an excellent SSL test tool you can use to see how your setup holds up.

Now verify that your nginx configuration is correct (this also checks that the key and certificate load and match each other):

    sudo nginx -t

Then restart nginx:

    sudo service nginx restart

Wait a moment and test in your browser. If all went well, the lock will appear.

Mixed content warnings

Once your site runs over HTTPS, make sure every resource it loads (images, stylesheets, JavaScript and so on) is also loaded over HTTPS. If you don't, users' browsers will warn about the page or refuse to load the insecure parts; newer versions of Firefox block insecure active content on a secure page outright.

Fortunately, almost every major service offers an HTTPS version of its embed code, and many switch automatically based on the page's protocol (including Google Analytics and Typekit). Anything else you'll need to check case by case.
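Browsers' mixed-content rules are about sub-resources, not ordinary links, and protocol-relative "//host/path" URLs inherit the page's scheme, so a plain grep for "http://" over-reports. The shell check below is an added example, not from the original article: it scans a constructed HTML page for sub-resources that would still be fetched over plain http://. The sample page and the host names in it are made up for the demo.

```sh
#!/bin/sh
# Added example, not from the original article: an offline scan for
# sub-resources that would trigger a mixed-content warning once the page is
# served over HTTPS. The HTML below is constructed for the demo.
set -eu

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="http://use.typekit.net/abc123.js"></script>
</head><body>
<img src="//static.example.com/logo.png">
<a href="http://example.org/">an ordinary link, not a sub-resource</a>
</body></html>
EOF

# Print every src/href that loads a sub-resource over plain http://.
# <a href> links are navigation, not mixed content, so they are skipped;
# protocol-relative "//host/" URLs are fine because they inherit https.
find_mixed_content() {
    grep -oiE '<(link|script|img|iframe|source|video|audio|object|embed)[^>]*(src|href)="http://[^"]*"' "$1" \
        | grep -oiE 'http://[^"]*' || true
}

# Number of offending URLs; zero means the page is clean.
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

echo "insecure sub-resources in $SAMPLE:"
find_mixed_content "$SAMPLE"
```

Run it against your rendered pages (for example the output of curl -s https://yoursite/) rather than templates, since embed snippets are often assembled at request time.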

Back up your keys and certificates

Don't forget to back up your SSL certificate and its encrypted private key (not the decrypted copy). I keep them in a private git repository with a text file describing each file and the program or command that created it.

You should also back up the authentication certificate you use to log in to StartSSL. Their FAQ explains how: it is a .p12 file exported from your browser that contains both the certificate and its key. Treat that file like a password, since anyone holding it can log in as you.

