Background information
At present, China's network environment is poor and traffic hijacking by operators is widespread. The best defense is to encrypt your site, that is, to enable HTTPS. The next-generation HTTP protocol (HTTP 2.0) is also based on HTTPS, so enabling HTTPS is well worth doing. There are many introductions to the HTTPS protocol itself on the Internet, so it is not covered in detail here; if you are unfamiliar with it, search Google.
To enable HTTPS, you first need a server certificate. This article details how to apply for a free certificate from Let's Encrypt.
I believe many readers have applied for the free certificate provided by StartSSL, but recently some people found that a Chinese company is involved in StartSSL, which means that your website may be impersonated.
root@kali:~/# host www.startssl.com
www.startssl.com has address 97.74.232.97 # Godaddy
www.startssl.com has address 52.7.55.170 # Amazon Web Services
www.startssl.com has address 52.21.57.183 # Amazon Web Services
www.startssl.com has address 52.0.114.134 # Amazon Web Services
www.startssl.com has address 50.62.56.98 # Godaddy
www.startssl.com has address 50.62.133.237 # Godaddy
The following is an excerpt from Weibo comments:
As soon as this news was released, some users disabled the StartSSL root certificate on their systems, so they now see an untrusted-site warning when they visit sites that use StartSSL certificates. Sites that use a StartSSL certificate therefore need to switch to a new certificate.
Introduction to Let's Encrypt
Let's Encrypt is a public, free SSL project based overseas, hosted by the Linux Foundation and sponsored by Mozilla, Cisco, Akamai, IdenTrust and the EFF. It automatically issues and manages free certificates for websites in order to speed up the Internet's transition from HTTP to HTTPS. Big companies such as Facebook are starting to join as sponsors.
Let's Encrypt has obtained a cross-signature from IdenTrust, which means its certificates are now trusted by the mainstream browsers from Mozilla, Google, Microsoft and Apple. You only need to configure the cross-signature in the web server's certificate chain; the browser handles everything else automatically. Let's Encrypt is simple to install, and large-scale adoption in the future is very likely.
Although Let's Encrypt is still in testing, market demand is very high, and many people cannot wait to install and use it. Let's Encrypt provides free SSL certificates to a vast number of websites, which benefits webmasters, Internet users and the web as a whole, and is good for the security of the entire Internet.
How to apply for a Let's Encrypt certificate
Let's Encrypt provides a handy tool for applying for a certificate. The applicant first has to get the tool, which can be run on the local machine or on the web server.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
Executing the above commands automatically downloads any missing dependencies; if nothing goes wrong, the usage help is printed.
The help lists several ways to obtain a certificate:
Choice of server plugins for obtaining and installing cert:
  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication
Here is how the application tool works. When it runs, it produces a string similar to
1k8HnVu7aKIMcTm4XYzjYlmgLtMntkuhLCo8c8B3pyo.x24b1t7ilohgeksruy3wsg9ocnl2e7njoff_xfzaa-s
and then the address http://www.zhoumingzhi.com/.well-known/acme-challenge/1k8HnVu7aKIMcTm4XYzjYlmgLtMntkuhLCo8c8B3pyo is requested to see whether the returned data is the string above. If it is, the applicant has shown ownership of the domain name, and the certificate file is issued. The methods listed above all exist to make it convenient for users to prove ownership of the domain name. For ease of understanding, we use the most universal method: manual operation.
./letsencrypt-auto certonly --manual -d www.zhoumingzhi.com --email mingzhi22@gmail.com
After executing the above command, several confirmation windows appear; just press OK in each. You will then receive a prompt similar to this:
Make sure your web server displays the following content at
http://www.zhoumingzhi.com/.well-known/acme-challenge/Arum149fklfqbtg5chw37_wrvgkparnb1_fgpgnghrw before continuing:
Arum149fklfqbtg5chw37_wrvgkparnb1_fgpgnghrw.x24b1t7ilohgeksruy3wsg9ocnl2e7njoff_xfzaa-s
Now configure the server that your domain name points to so that /.well-known/acme-challenge/Arum149fklfqbtg5chw37_wrvgkparnb1_fgpgnghrw returns Arum149fklfqbtg5chw37_wrvgkparnb1_fgpgnghrw.x24b1t7ilohgeksruy3wsg9ocnl2e7njoff_xfzaa-s. When that is ready, press any key to continue; after a few seconds the certificate is generated.
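The manual step above, as an added example that is not part of the original article or of the Let's Encrypt client: it writes the prompted string under the webroot, refusing any value that could escape the challenge directory, then fetches the URL over plain HTTP to confirm the body matches before you continue. The function names are hypothetical, and the demo serves a temporary directory on 127.0.0.1 instead of the real site.

```python
import functools, http.server, re, tempfile, threading
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
B64URL = re.compile(r"[A-Za-z0-9_-]+")  # only characters allowed in either half

def install_challenge(webroot, key_authorization):
    """Write '<token>.<thumbprint>' to <webroot>/.well-known/acme-challenge/<token>."""
    token, sep, thumbprint = key_authorization.partition(".")
    # Rejecting anything outside the base64url alphabet also blocks '/' and '..',
    # so a pasted value can never write outside the challenge directory.
    if not (sep and B64URL.fullmatch(token) and B64URL.fullmatch(thumbprint)):
        raise ValueError("expected '<token>.<thumbprint>'")
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization)
    return token

def preflight(base_url, key_authorization):
    """Fetch the challenge URL over plain HTTP and compare the body to the string."""
    token = key_authorization.partition(".")[0]
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies
    try:
        with opener.open(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=5) as r:
            body = r.read().decode("ascii", "replace").rstrip()
            return r.status == 200 and body == key_authorization
    except OSError:  # HTTP 404, connection refused, timeout
        return False

def demo():
    # String from the client's prompt as shown in the article.
    keyauth = ("Arum149fklfqbtg5chw37_wrvgkparnb1_fgpgnghrw."
               "x24b1t7ilohgeksruy3wsg9ocnl2e7njoff_xfzaa-s")
    with tempfile.TemporaryDirectory() as webroot:  # stand-in for the real webroot
        install_challenge(webroot, keyauth)
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            # Second value is constructed and never written, so it must fail.
            return preflight(base, keyauth), preflight(base, "notinstalled.x24b1t7")
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())
```

On the real server, call preflight with your site's http:// base URL; a False result means the validation request would not see the expected string either.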