What is the script for upgrading to Https?

2025-03-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

What is the script for upgrading to Https? This article gives a detailed walkthrough and answer to that question, in the hope of helping anyone who wants to solve this problem find a simpler and easier way.

Many webmasters are now considering upgrading their sites from http to https, not only for security reasons but also because of restrictions imposed by third-party platforms: Google's Chrome browser marks http sites as insecure, and WeChat Mini Programs, which connect to the WeChat platform, must use https.

The difference between http and https

To protect data in transit, https adds the SSL protocol on top of http. The SSL protocol relies on certificates to verify the identity of the server and to encrypt the communication between the browser and the server. To upgrade an http site to https, you only need to add a CA-issued certificate to it.

Currently, there are two ways to obtain a CA certificate:

Purchase a fee-based CA certificate

Get a free certificate

Paid CA certificates are sold by all the major service providers, such as Aliyun and Tencent Cloud.

A paid certificate is not cheap. According to Aliyun's official website, prices range from a few thousand yuan to tens of thousands of yuan.

This is a significant expense for small companies and even more so for personal sites.

Letsencrypt is a free, automated and open certificate authority. Each of its certificates is valid for three months, but they can be used indefinitely as long as they are renewed continuously.

Today's recommended script, acme.sh, implements the acme protocol and can keep renewing your certificate from Letsencrypt. The download address is as follows:

https://github.com/Neilpang/acme.sh

Install acme.sh

It is easy to install acme.sh with a single command:

curl https://get.acme.sh | sh

Both ordinary users and root can install and use it. The installation does the following:

1. Installs acme.sh into your home directory, ~/.acme.sh/, and creates a bash alias for convenience:

alias acme.sh=~/.acme.sh/acme.sh

2. Automatically creates a cronjob that checks all certificates at 0:00 every day. Any certificate that is about to expire and needs renewal is renewed automatically. The installation does not touch any other functions or files of the existing system; all changes are confined to the installation directory, ~/.acme.sh/.

Generate a certificate

acme.sh implements all the verification methods supported by the acme protocol. There are generally two ways to verify: http and dns.

1. Http verification requires you to place a file in the root directory of your website to prove ownership of the domain name; once the verification completes, the certificate is generated.

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

acme.sh automatically generates the verification file, places it in the website root directory and completes the verification on its own. At the end the verification file is removed again, so the whole process has no side effects.

If you are running an apache server, acme.sh can work out the site root from the apache configuration and verify automatically. You do not need to specify the root directory of the site:

acme.sh --issue -d mydomain.com --apache

If you are running an nginx server, or a reverse proxy, acme.sh can likewise complete the verification from the nginx configuration without you specifying the site root directory:

acme.sh --issue -d mydomain.com --nginx

Note: in both apache and nginx mode, acme.sh restores the configuration to its previous state after verification and does not silently change your own configuration. The advantage is that you do not have to worry about your configuration being broken; the disadvantage is that you still have to configure ssl yourself, otherwise you will only have succeeded in generating a certificate and your website will still not be reachable over https. For safety's sake, it is better to change the configuration manually anyway.

If you are not running any web service and port 80 is free, acme.sh can also act as a web server itself and listen on port 80 temporarily to complete the verification:

acme.sh --issue -d mydomain.com --standalone

2. Dns verification: add a txt record to the domain name to prove ownership of the domain.

The advantage of this approach is that you do not need any server or any public IP address; a dns record is all that is required to complete the verification. The downside is that unless you also configure automatic DNS API integration, acme.sh cannot renew the certificate automatically this way, and you will have to add the record and verify domain ownership by hand every time.

acme.sh --issue --dns -d mydomain.com

acme.sh will then print the txt record it needs; you only have to add that record in your domain management panel.

Once the record has propagated, generate the certificate again:

acme.sh --renew -d mydomain.com

Note: the second command here is --renew.

The real power of the dns approach is that you can use the API offered by your DNS provider to add the txt records automatically and so complete the verification without manual steps.

acme.sh currently integrates automatically with dozens of DNS providers, such as cloudflare, dnspod, cloudxns, godaddy and ovh.

Copy/install the certificate

After the certificate has been generated, you need to copy it to where it is actually used.

Note: by default the generated certificates are placed in the installation directory, ~/.acme.sh/. Do not use the files in this directory directly; in particular, do not point the nginx/apache configuration at them. These files are for acme.sh's internal use, and the directory structure may change.

The correct way is to use the --installcert command and specify the target locations; the certificate files are then copied to those locations, for example:

acme.sh --installcert -d <domain>.com \
    --key-file /etc/nginx/ssl/<domain>.key \
    --fullchain-file /etc/nginx/ssl/fullchain.cer \
    --reloadcmd "service nginx force-reload"

A small reminder: the command above uses service nginx force-reload rather than service nginx reload. In testing, reload did not pick up the new certificate, so use force-reload.

The ssl_certificate directive in the nginx configuration should use /etc/nginx/ssl/fullchain.cer rather than /etc/nginx/ssl/<domain>.cer; otherwise the SSL Labs test will report a "Chain issues: Incomplete" error.

The installcert command accepts several parameters for specifying the target files. You can also specify a reloadcmd, which is run automatically whenever the certificate is renewed so that the server picks up the new certificate.

It is worth noting that all the parameters given here are recorded and replayed automatically after every future automatic renewal.
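Two of the pitfalls above (a fullchain file that is really just the leaf, and an nginx ssl_certificate directive pointing at the bare .cer) are easy to check before reloading. The following is an added example, not code from acme.sh or the article; it works on constructed placeholder files and a constructed nginx snippet, assumes only POSIX sh, grep and mktemp, and the file names /etc/nginx/ssl/mydomain.* are hypothetical.

```shell
#!/bin/sh
# Added example, not code from acme.sh or the article: post-install checks on
# the files --installcert writes and on the nginx config that references them.

# count_certs FILE -> prints how many PEM certificate blocks FILE contains
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# chain_ok FILE -> succeeds when FILE holds the leaf plus at least one
# intermediate; a bare leaf is what makes SSL Labs report "Chain issues: Incomplete"
chain_ok() {
    n=$(count_certs "$1") || return 1
    [ "$n" -ge 2 ]
}

# nginx_uses_fullchain CONF -> succeeds when CONF has ssl_certificate directives
# and every one of them points at a fullchain file rather than a bare leaf .cer
nginx_uses_fullchain() {
    lines=$(grep -E '^[[:space:]]*ssl_certificate[[:space:]]' "$1") || return 1
    ! printf '%s\n' "$lines" | grep -vq 'fullchain'
}

# write_samples DIR -> writes constructed, non-functional sample files into DIR
write_samples() {
    d=$1
    # leaf only: the shape of <domain>.cer (placeholder body, not a real cert)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/leaf.cer"
    # leaf followed by intermediate: the shape of fullchain.cer
    cat "$d/leaf.cer" > "$d/fullchain.cer"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE-PLACEHOLDER' \
        '-----END CERTIFICATE-----' >> "$d/fullchain.cer"
    # constructed nginx snippets: one pointing at the bare leaf, one at fullchain
    printf '%s\n' '    ssl_certificate /etc/nginx/ssl/mydomain.cer;' \
        '    ssl_certificate_key /etc/nginx/ssl/mydomain.key;' > "$d/bad.conf"
    printf '%s\n' '    ssl_certificate /etc/nginx/ssl/fullchain.cer;' \
        '    ssl_certificate_key /etc/nginx/ssl/mydomain.key;' > "$d/good.conf"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
chain_ok "$SAMPLES/fullchain.cer" && echo "fullchain.cer: leaf + intermediate present"
nginx_uses_fullchain "$SAMPLES/bad.conf" || echo "bad.conf: ssl_certificate points at bare .cer"
```

Run the same two functions against your real fullchain.cer and nginx site config before issuing the reloadcmd.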

Renew the certificate

At present the certificate is renewed automatically after 60 days; you do not need to do anything. This interval may be shortened in the future, but since renewal is fully automatic there is nothing to worry about.

Update acme.sh

Because both the acme protocol and the Letsencrypt CA change frequently, acme.sh is also updated frequently to keep up.

Upgrade acme.sh to the latest version:

acme.sh --upgrade

If you do not want to upgrade manually, you can turn on automatic upgrades:

acme.sh --upgrade --auto-upgrade

After that, acme.sh keeps itself up to date automatically.

You can also turn automatic upgrades off at any time:

acme.sh --upgrade --auto-upgrade 0

What if something goes wrong

If there is an error, add debug logging:

acme.sh --issue ... --debug

Or:

acme.sh --issue ... --debug 2

Finally, this article is not a complete description of how to use acme.sh. There are many advanced features; for more advanced usage, please see the other wiki pages:

https://github.com/Neilpang/acme.sh/wiki

That concludes the answer to the question of which script to use to upgrade to Https. I hope the above is of some help to you. If you still have questions, you can follow the industry information channel to learn more.
