How to apply for a free certificate from Let's Encrypt and enable HTTPS for your website

Source: Internet
Author: User

Google and Firefox recently stopped trusting most of the domestic (Chinese) CAs, so a site that uses a certificate from one of those CAs is now shown as unsafe in Chrome, while certificates from foreign CAs are expensive. I found Let's Encrypt, an open, free certificate authority initiated by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, which makes it fairly authoritative. The following example walks through deploying and installing a Let's Encrypt certificate on an Nginx instance.


1. Install the client script

curl https://get.acme.sh | sh

When the installation completes, acme.sh automatically adds a scheduled task (cron job) that renews the certificate, because a Let's Encrypt certificate is only valid for 90 days, so automatic renewal is required. The job runs once a day (a cron entry needs five time fields):

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null


Configure port 80 for the domain name so that Let's Encrypt can verify (through the HTTP-01 challenge) that the domain points at a server under your control:

server {
    listen 80;
    server_name app.lhz.cc;

    # acme.sh writes the challenge tokens under the webroot given with -w (step 2);
    # this location serves them from /var/www/challenges/.well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/.well-known/acme-challenge/;
    }

    # everything else is redirected to HTTPS
    location / {
        rewrite ^(.*)$ https://app.lhz.cc permanent;
    }

    access_log /var/log/nginx/emmaapp80.log main;
}
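Before running the issue command it is worth confirming that the challenge location above actually serves files from the webroot, because a wrong alias or a forgotten reload is the usual reason the HTTP-01 validation fails. The script below is an added example, not code from the original post or from acme.sh: it reproduces the mapping that nginx's alias does for /.well-known/acme-challenge/<token>, refuses tokens that are not valid ACME tokens (base64url characters only, so no path traversal into the webroot), and, when nginx is already running, drops a constructed probe token into the webroot and fetches it over plain HTTP. WEBROOT and DOMAIN are placeholders filled with the post's example values; the function names are mine.

```shell
#!/bin/sh
# Pre-flight check for the port-80 challenge location (added example).
# Assumed placeholders: WEBROOT (the -w directory) and DOMAIN.
WEBROOT="${WEBROOT:-/var/www/challenges}"
DOMAIN="${DOMAIN:-app.lhz.cc}"

# Map a request URI to the file the alias directive will serve.
# Prints the path and returns 0, or prints nothing and returns 1 when the URI
# is outside the challenge prefix or the token is malformed.
challenge_file_for() {
    webroot="$1"
    uri="$2"
    case "$uri" in
        /.well-known/acme-challenge/*) ;;
        *) return 1 ;;
    esac
    token="${uri#/.well-known/acme-challenge/}"
    [ -n "$token" ] || return 1
    # ACME http-01 tokens are base64url: only A-Z, a-z, 0-9, '-' and '_'.
    # Anything else (a '.', a '/', a ';') is rejected, which also rules out "../".
    if printf '%s' "$token" | LC_ALL=C grep -q '[^A-Za-z0-9_-]'; then
        return 1
    fi
    printf '%s/.well-known/acme-challenge/%s\n' "$webroot" "$token"
}

# Write a constructed probe token into the webroot, try to fetch it through
# nginx, print "served" or "not served", and always remove the probe again.
preflight() {
    webroot="$1"
    domain="$2"
    token="preflight-$(date +%s)"
    file=$(challenge_file_for "$webroot" "/.well-known/acme-challenge/$token") || return 1
    mkdir -p "$(dirname "$file")" || return 1
    printf 'ok\n' > "$file"
    url="http://$domain/.well-known/acme-challenge/$token"
    status=1
    if command -v curl >/dev/null 2>&1; then
        body=$(curl -fsS --max-time 5 "$url" 2>/dev/null) || body=""
        if [ "$body" = "ok" ]; then
            echo "served: $url"
            status=0
        else
            echo "not served: $url (check the location/alias block and that nginx was reloaded)"
        fi
    fi
    rm -f "$file"
    return $status
}

# The live probe only runs when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight "$WEBROOT" "$DOMAIN"
fi
```

The token filter matters beyond the probe: the same location is reachable by anyone on port 80, so the webroot should contain nothing but challenge files, and the alias must not point at a directory with other content.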




2. Generate the certificate and key

/root/.acme.sh/acme.sh --issue -d app.lhz.cc -w /var/www/challenges/

[Fri 4 15:58:13 CST 2017] Registering account

[Fri 4 15:58:15 CST 2017] Registered

[Fri 4 15:58:16 CST 2017] Update Account TOS Info success.

[Fri 4 15:58:16 CST 2017] Account_thumbprint= ' Kzgy....sg9 ... Kxzohj_pwj0u '

[Fri 4 15:58:16 CST 2017] Creating Domain key

[Fri 4 15:58:16 CST 2017] The domain key is here:/root/.acme.sh/app.lhz.cc/app.lhz.cc.key

[Fri 4 15:58:16 CST 2017] Single domain= ' app.lhz.cc '

[Fri 4 15:58:16 CST 2017] Getting domain Auth token for each domain

[Fri 4 15:58:16 CST 2017] Getting webroot for domain= ' app.lhz.cc '

[Fri 4 15:58:16 CST 2017] Getting New-authz for domain= ' app.lhz.cc '

[Fri 4 15:58:18 CST 2017] The New-authz request is OK.

[Fri 4 15:58:18 CST 2017] Verifying:app.lhz.cc

[Fri 4 15:58:23 CST 2017] Success

[Fri 4 15:58:23 CST 2017] Verify finished, start to sign.

[Fri 4 15:58:25 CST 2017] Cert success.

-----BEGIN CERTIFICATE-----

Miie9zcca9+gawibagisbkxwthlejciijt9o9+fllcgfma0gcsqgsib3dqebcwua

expmzxqncybfbmnyexb0ief1dghvcml0esbymzaefw0xnza4mdqwnju4mdbafw0x

Nzexmdiwnju4mdbambuxezarbgnvbamtcmfwcc5yawquy2mwggeima0gcsqgsib3

Dqebaquaa4ibdwawggekaoibaqdwmuoafcycc9kzad96xaeh/5auhx5a4u3m5dfl

...... (the rest of the certificate body is omitted here) ......

Y8xojmdkrmnk427zkujhe7yzcsxqai7pqeii

-----END CERTIFICATE-----

[Fri 4 15:58:25 CST 2017] Your cert is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer

[Fri 4 15:58:25 CST 2017] Your cert key is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.key

[Fri 4 15:58:25 CST 2017] The intermediate CA cert is in /root/.acme.sh/app.lhz.cc/ca.cer

[Fri 4 15:58:25 CST 2017] And the full chain certs is there: /root/.acme.sh/app.lhz.cc/fullchain.cer
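Once acme.sh has written these four files, a few openssl checks confirm they belong together before anything is copied into the Nginx tree. The script below is an added example, not part of the original post or of acme.sh: it checks that the private key matches the certificate (the mismatch nginx would otherwise refuse to load), that the certificate is still valid for at least 30 days (roughly the point at which acme.sh renews a 90-day certificate), that the leaf chains through the intermediate ca.cer to a trusted root, and which names the certificate covers. CERT_DIR is the directory acme.sh printed above; the function names are mine.

```shell
#!/bin/sh
# Post-issue sanity checks on the files acme.sh reported (added example).
# Assumed placeholder: CERT_DIR, the per-domain directory printed by acme.sh.
CERT_DIR="${CERT_DIR:-/root/.acme.sh/app.lhz.cc}"

# The private key must belong to the certificate: compare the public key
# embedded in the certificate with the one derived from the key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate stays valid for at least $2 more days (default 30).
cert_valid_for_days() {
    days="${2:-30}"
    openssl x509 -noout -in "$1" -checkend $(( days * 86400 )) >/dev/null
}

# Verify the leaf ($1) against the intermediate ($2) and the system trust store;
# an optional third argument names an explicit root bundle instead.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Print the names the certificate covers: the subject CN and any DNS SANs,
# one per line.
cert_names() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p; s/^ *DNS:/DNS:/p' |
        tr ',' '\n' | sed 's/^ *DNS://; s/^ *//; /^$/d'
}

# Run every check against the files acme.sh wrote; returns 1 on any failure.
check_all() {
    cert="$1/app.lhz.cc.cer"
    key="$1/app.lhz.cc.key"
    ca="$1/ca.cer"
    rc=0
    if cert_matches_key "$cert" "$key"; then echo "ok: key matches certificate"
    else echo "FAIL: key does not match certificate"; rc=1; fi
    if cert_valid_for_days "$cert" 30; then echo "ok: valid for 30+ days"
    else echo "FAIL: certificate expires within 30 days"; rc=1; fi
    if chain_verifies "$cert" "$ca"; then echo "ok: chain verifies"
    else echo "FAIL: chain does not verify against the system trust store"; rc=1; fi
    echo "names covered:"
    cert_names "$cert"
    return $rc
}

# Only runs the checks when invoked as: sh checkcert.sh run
if [ "${1:-}" = "run" ]; then
    check_all "$CERT_DIR"
fi
```

The chain check deliberately uses the system trust store rather than ca.cer as the anchor: ca.cer is only the intermediate, and what a browser does is exactly this walk from the leaf through the intermediate to a root it already trusts.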


3. Install the certificate into the location the Nginx configuration expects. After the command completes, acme.sh records these paths and the reload command, so that the automatic renewal can reinstall the new certificate and reload Nginx without further intervention.

acme.sh --installcert -d app.lhz.cc \
    --keypath       /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
    --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
    --reloadcmd     "/usr/local/nginx-1.8/sbin/nginx -s reload"

[Fri 4 16:31:40 CST 2017] Installing key to: /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key

[Fri 4 16:31:40 CST 2017] Installing full chain to: /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt

[Fri 4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload

[Fri 4 16:31:40 CST 2017] Reload success


4. Generate the DH parameters

openssl dhparam -out /root/.acme.sh/app.lhz.cc/dhparam.pem 2048



5. Configure the certificate in Nginx

server {
    listen 443;
    server_name app.lhz.cc;

    ssl on;   # works on nginx 1.8; on 1.15+ use "listen 443 ssl;" instead
    # the certificate generated and installed above (step 3)
    ssl_certificate     /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key;   # must be the --keypath from step 3
    # step 4 wrote dhparam.pem under /root/.acme.sh/app.lhz.cc/; copy it here or generate it at this path
    ssl_dhparam         /usr/local/nginx-1.8/conf/ssl/dhparam.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 are deprecated today; TLSv1.2 alone is preferable
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    # 497: a plain HTTP request arrived on the HTTPS port; send the client to the HTTPS URL
    error_page 497 "https://$host$uri?$args";

    location / {
        proxy_pass http://app80_server_pool;   # upstream block defined elsewhere (not shown in the post)
        proxy_set_header Host app.lhz.cc;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    access_log /var/log/nginx/app.log main;
}
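Two things in this block are easy to get wrong and only show up when nginx is reloaded: the ssl_certificate_key path must be exactly the --keypath given to acme.sh in step 3 (otherwise the key does not match the certificate and the reload fails), and the protocol list should not carry versions that are deprecated today. The script below is an added example, not code from the original post or from nginx: it pulls directive values out of a server block as text and flags a key path that differs from what acme.sh installed, deprecated protocol versions (SSLv2, SSLv3, TLS 1.0 and 1.1, per RFC 8996) and a missing ssl_prefer_server_ciphers. SAMPLE_CONF is a constructed snippet that deliberately contains a key-path mismatch; the function names are mine.

```shell
#!/bin/sh
# Static check of an nginx TLS server block (added example).
# SAMPLE_CONF is a constructed snippet with a deliberate key-path mismatch.
SAMPLE_CONF='server {
    listen 443;
    ssl on;
    ssl_certificate     /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_rid_cc.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}'

# Print the value of the first occurrence of directive $1 in config text $2.
conf_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" |
        head -n 1
}

# Does the key path nginx loads ($1 = config text) match the --keypath ($2)?
key_path_matches() {
    [ "$(conf_value ssl_certificate_key "$1")" = "$2" ]
}

# Print the protocol versions in ssl_protocols that are deprecated
# (SSLv2, SSLv3, TLS 1.0 and 1.1), space separated; empty when none.
weak_protocols() {
    out=""
    for have in $(conf_value ssl_protocols "$1"); do
        case "$have" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) out="$out${out:+ }$have" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Run all checks against config text $1 and the installed key path $2;
# prints each finding and returns 1 if there was any.
lint_tls_block() {
    rc=0
    if ! key_path_matches "$1" "$2"; then
        echo "ssl_certificate_key is $(conf_value ssl_certificate_key "$1") but acme.sh installed $2"
        rc=1
    fi
    weak=$(weak_protocols "$1")
    if [ -n "$weak" ]; then
        echo "deprecated protocols enabled: $weak"
        rc=1
    fi
    if [ "$(conf_value ssl_prefer_server_ciphers "$1")" != "on" ]; then
        echo "ssl_prefer_server_ciphers is not on"
        rc=1
    fi
    return $rc
}

# Lint the constructed sample when invoked as: sh lint.sh run
# (replace SAMPLE_CONF with "$(cat /usr/local/nginx-1.8/conf/nginx.conf)" for a real check)
if [ "${1:-}" = "run" ]; then
    lint_tls_block "$SAMPLE_CONF" /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key
fi
```

Run against the sample it reports the key-path mismatch and the two deprecated protocol versions; once those two lines are corrected it exits 0. It is a text check only, so run nginx -t as well before reloading.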

This article is from the "Shadow Knight" blog; please keep this source when reposting: http://andylhz2009.blog.51cto.com/728703/1953665
