2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article shows how to use RAM to quickly sign Let's Encrypt certificates, with a concise, step-by-step walkthrough.
Preface
As the Internet develops, we expect it to be safer and faster. We all deeply hate hijacked web pages and pages with malicious content injected into them, so how do we put an end to this? HTTPS is a simple and effective way to stop these behaviors, although some advanced hijacking methods remain hard to prevent.
Demand & harvest
Products that need to be used:
ECS / lightweight application server (install any Linux distribution image)
Domain name (only need to use Aliyun DNS)
Tutorial
RAM Settings
With RAM, you can grant administrative permissions for a single product, or even for a single item within a product. For example, we can use RAM to create an account that can only manage DNS, or an account that can only manage one domain name hosted in DNS.
This effectively limits the overall risk caused by a leaked AccessKey. I hope nobody skips this step to save trouble. Experience tells me that the minute you save here may cost you a hundredfold later!
1. First, enter Access Control (RAM) and create a user specially prepared for OSS. Be sure to record the AccessKeyID and AccessKeySecret.
2. Click Policy Management, and then click New Authorization Policy.
3. Click the blank template, then enter the authorization policy name and the following policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "alidns:*",
      "Resource": "acs:alidns:*:*:domain/mf8.biz",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alidns:DescribeSiteMonitorIspInfos",
        "alidns:DescribeSiteMonitorIspCityInfos",
        "alidns:DescribeSupportLines",
        "alidns:DescribeDomains"
      ],
      "Resource": "acs:alidns:*",
      "Effect": "Allow"
    }
  ]
}
Note the "Resource" in line 6: "acs:alidns:*:*:domain/mf8.biz". Here domain/mf8.biz is the single domain name this account is allowed to manage. Just change it to your own domain name.
Then click New Authorization Policy to save it.
4. Authorize the user
Just choose the authorization policy we just created.
OK, the RAM setup is complete. It may take a few minutes the first time, and about one minute once you know the steps.
What about RAM rules for other Aliyun products? Search for "product name + RAM" and you will find the answer you need. If the product you want has no RAM permission documented, you can send me a private message for help.
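To check that a policy like the one in step 3 really limits a leaked AccessKey to one domain, it can be audited before it is attached. The following is an added example, not part of the original article or of any Aliyun tool: `audit_policy`, the `BROAD_POLICY` sample and the rule that `Describe*` actions are read-only are assumptions made for illustration.

```python
import json

# Policy from the article; mf8.biz is the article's example domain.
ARTICLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "alidns:*",
   "Resource": "acs:alidns:*:*:domain/mf8.biz", "Effect": "Allow"},
  {"Action": ["alidns:DescribeSiteMonitorIspInfos",
              "alidns:DescribeSiteMonitorIspCityInfos",
              "alidns:DescribeSupportLines", "alidns:DescribeDomains"],
   "Resource": "acs:alidns:*", "Effect": "Allow"}]}
""")

# Constructed counter-example: same action, but not pinned to one domain.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Action": "alidns:*", "Resource": "acs:alidns:*", "Effect": "Allow"}]}

# Assumption: alidns actions named Describe* only read data.
READ_ONLY_PREFIXES = ("Describe",)


def as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, domain):
    """Return findings; an empty list means every write-capable grant
    is limited to the single resource domain/<domain>."""
    pinned = f"acs:alidns:*:*:domain/{domain}"
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service != "alidns":
                findings.append(f"statement {idx}: {action} is not a DNS action")
            elif not name.startswith(READ_ONLY_PREFIXES):
                for res in as_list(stmt.get("Resource", [])):
                    if res != pinned:
                        findings.append(
                            f"statement {idx}: {action} allowed on {res}")
    return findings


if __name__ == "__main__":
    for label, pol in (("article", ARTICLE_POLICY), ("broad", BROAD_POLICY)):
        print(label, audit_policy(pol, "mf8.biz") or "OK")
```

An empty result for the article's policy confirms that the only write-capable grant is the one pinned to domain/mf8.biz; the broad variant is reported because a leaked key could then change records for every domain in the account.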
ACME Settings
OK, now we issue the certificate on ECS. Here we use Neilpang/acme.sh to apply for a free Let's Encrypt ECC certificate.
If you do not know how to remotely connect to Aliyun ECS, please refer to:
[1024 ways to play Cloud Computing] use DMS as long as a browser can easily complete the operation and maintenance task.
[1024 ways to play Cloud Computing] introduction to remote control of ECS and lightweight application servers
1. Run the following code to download acme.sh:
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
2. Then declare the AccessKey we just created through RAM:
export Ali_Key="ADBIkEeexNshGF9t"
export Ali_Secret="E7crn0HT3l11WP87dLF70fN6tmf8biz"
3. Then you can start issuing certificates. This command issues a certificate for the mf8.biz and www.mf8.biz domain names through the Aliyun DNS API:
./acme.sh --issue --dns dns_ali -d mf8.biz -d www.mf8.biz
If you sign an ECC certificate, you can use:
./acme.sh --issue --dns dns_ali -d mf8.biz -d www.mf8.biz --keylength ec-256
Then wait a few minutes: have a cup of coffee, do some eye exercises, step away, and the certificate will be issued automatically.
5. Install the certificate:
./acme.sh --installcert -d mf8.biz -d www.mf8.biz \
  --keypath /usr/local/openresty/nginx/conf/ssl/mf8.biz.key \
  --fullchainpath /usr/local/openresty/nginx/conf/ssl/mf8.biz.crt \
  --reloadcmd "systemctl restart openresty"
Explain:
--installcert installs the certificate signed for that domain name.
--keypath is the path where the key file is stored.
--fullchainpath is the path where the crt file is stored.
--reloadcmd is the restart command for the software that uses the certificate. For example, since we use openresty as the web server, entering this command lets the software restart automatically after the certificate is renewed.
OK, so we can get a Let's Encrypt certificate quickly.