Cloud Computing Agent: Alibaba Cloud Free SSL Certificate Application and One-Click HTTPS Deployment Detailed Tutorial!
Seeing the browser address bar mark your website as "unsafe" every day is not only unsettling; it also directly hurts the site's SEO ranking, and some browsers block the site outright.
For websites today, HTTPS is already standard.
Many people think that getting HTTPS (that is, an SSL certificate) is expensive and troublesome. In fact, Aliyun gives every account a free SSL certificate quota each year, and with Aliyun's console you can basically achieve "one-click deployment".
Today's tutorial skips the complex cryptography principles and sticks to the practical steps. It walks you through applying for a free certificate, deploying it to Aliyun products with one click, and configuring it manually on your own server. The whole process takes at most 10 minutes.
Preparation: What do you need?
Before you begin, make sure you meet the following two conditions:
You have an Alibaba Cloud account that has passed real-name authentication.
You have a domain name. If the domain name is used on a server in mainland China, ICP filing must have been completed.
Step 1: Find and apply for a free Alibaba Cloud SSL certificate
The entry point for Aliyun's free certificates is buried deep (after all, they also want to sell the paid ones). Follow the steps below exactly to find it.
1. Find the certificate purchase page
Log in to the Alibaba Cloud console, type "Digital Certificate Management Service" (SSL) in the search box at the top, and click to enter the service.
In the left-side navigation pane, click "SSL Certificates" → "Free Certificates".
Click "Buy Now" (or "Create a certificate") on the page.
2. Check "Free Quota"
On the purchase page, you will see various certificates that cost thousands of dollars a year. Don't panic; select the following options:
Product Type: Select "Cloud Shield Certificate Resource Package".
Resource Package Specification: Select "Free Certificate (Single Domain Name)".
Purchase Quantity: By default, you are given 20 quotas (refreshed every year). Click "Buy Now" directly.
💰Rest assured: At this point the order amount is displayed as 0 yuan. Just confirm the payment; you do not need to pay a penny.
3. Submit Certificate Application
After buying the resource package, return to the "Free Certificates" page, where you will see that you have 20 available certificate quotas.
Click "Create Certificate". A certificate waiting to be applied for appears in the list.
Click "Request Certificate" to the right of that record.
Fill in your information in the form that pops up on the right:
Certificate binding domain name: Fill in your specific domain name, such as www.yourname.com or blog.yourname.com.
Note: Free certificates do not support wildcard domain names (such as *.yourname.com). A certificate can only be bound to one specific subdomain name.
Domain name verification method: It is strongly recommended to select "automatic DNS verification" (if your domain name is also under the current Aliyun account, the system automatically adds the DNS resolution record for you, saving time and effort).
Contact information and algorithm: Keep the defaults (RSA is selected as the algorithm).
Click "Next", and then click "Submit for Review".
In general, because automatic DNS verification is used, you only need to wait 1~3 minutes; the certificate will then be issued and its status will change to "Issued".
Step 2: If you are using Alibaba Cloud products (one-click deployment)
If your website is hosted on Aliyun's cloud server ECS, cloud virtual host, application high availability lightweight server, or lightweight application server, or is forwarded through CDN, OSS, or ALB (application-oriented load balancing), congratulations: deployment is extremely simple.
Take a lightweight application server/cloud virtual host as an example:
In the Free Certificates list of Digital Certificate Management Service, find the certificate you just issued.
Click "Quick Deploy" on the right.
In the displayed list of cloud products, select the service you are using (for example, lightweight application server).
Select the corresponding server instance and resource, and click "OK".
Alibaba Cloud will automatically upload the certificate and configure it to your cloud product in the background. You do not even need to log on to the server.
Step 3: If it is a stand-alone server, how do I deploy it manually?
If your server runs a clean system that you installed yourself, or uses the pagoda panel or an LNMP script, you need to download the certificate to your local machine, then upload and configure it manually.
Click "Download" on the right side of the certificate list and, in the server type pop-up, choose the download that matches the environment your server runs (Nginx, Apache, Tomcat, IIS).
Nginx is used for 90% of domestic Internet websites, so take Nginx as the example.
After unpacking the download, you will get two files:
xxxxx.pem (certificate file)
xxxxx.key (private key file; never disclose it to anyone)
Scenario A: Use the pagoda panel (most recommended, minimalist)
If you use the pagoda panel, you don't need to touch any configuration code at all:
Log in to the pagoda panel and click "Website" on the left.
Find your website and click "Settings" on the right.
Find "SSL" in the menu on the left and select the "Other Certificates" tab.
Open the .key file you downloaded with Notepad and copy its contents into the "KEY" box on the left.
Open the .pem file with Notepad and copy its contents into the "Certificate (PEM)" box on the right.
Click "Save".
Remember to turn on "Force HTTPS" in the upper right corner, so that a user who enters http:// is also automatically redirected to the secure https:// address.
Scenario B: Manually editing the native Nginx configuration (suitable for geeks)
If you connect to the server over SSH and modify the Nginx configuration directly, follow these steps:
1. Upload Certificate
In the server's /etc/nginx/ directory (or your Nginx configuration directory), create a cert folder and upload the xxxx.pem and xxxx.key files you downloaded into it.
2. Modify the configuration file
Open your website's Nginx configuration file (e.g. /etc/nginx/conf.d/mywebsite.conf), then modify the original port 80 listener or add a port 443 listener.
The standard and secure Nginx configuration template is as follows:
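A pair of server blocks of the kind this step describes, given here as an added example and not the page's own template: port 80 only redirects to HTTPS, and port 443 serves the site with the files uploaded in step 1. The domain www.yourname.com, the web root /var/www/mywebsite and the protocol and session settings are assumptions; xxxx stands for the downloaded file name as above.

```nginx
# Added example, not the original page's template.
# Assumed: domain www.yourname.com, web root /var/www/mywebsite,
# certificate files uploaded to /etc/nginx/cert/ as in step 1.

# Port 80: answer plain HTTP only to redirect it to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name www.yourname.com;

    # Redirect to the fixed host name rather than $host, so a forged
    # Host header cannot steer the redirect to another domain.
    return 301 https://www.yourname.com$request_uri;
}

# Port 443: the TLS site itself.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yourname.com;

    # Files from the downloaded Nginx package (xxxx is a placeholder).
    ssl_certificate     /etc/nginx/cert/xxxx.pem;  # certificate file
    ssl_certificate_key /etc/nginx/cert/xxxx.key;  # private key: owner root, mode 600

    # Assumed policy: accept only TLS 1.2 and 1.3.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Reuse TLS sessions so returning visitors skip the full handshake.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    root  /var/www/mywebsite;  # assumed web root
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```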
3. Test and restart Nginx
After the modification is completed, execute the following command in the terminal:
# Check the Nginx configuration file for syntax errors
nginx -t
If the output shows "syntax is ok" and "test is successful", the configuration is fine. Then run the reload command to make the configuration take effect:
nginx -s reload
Pitfall Guide: Possible Problems After Deployment
If, after the configuration is completed, accessing the domain name still shows "unsafe" or the web page cannot be opened, it is usually for one of the following three reasons. Check them one by one:
Port 443 is not open in the cloud server's security group (the most common oversight). HTTPS uses port 443. You must log on to the Aliyun console, find your server, and add an "inbound direction" rule under "security group rules" that allows port 443. If you have the pagoda panel installed, port 443 must also be released in the pagoda's "Security" menu.
Browser cache. Sometimes the configuration is in effect, but the local browser still remembers the old HTTP state. Press Ctrl+F5 to force a refresh, or try again in the browser's "incognito mode/stealth mode".
"Mixed Content" keeps the lock from turning green. The site can be accessed via HTTPS, but the lock in the address bar is grayed out or says "not completely secure". This means that your web page code contains images, JS scripts or CSS style sheets with hard-coded http:// addresses. Change http:// in the code to https://, or change to a relative path.
Summary
Alibaba Cloud's free certificates are usually valid for 3 months (this is a new specification adopted by certification authorities worldwide for security reasons).
💡Plain-language reminder: Aliyun will send you a text message within 30 days before the certificate expires. At that point, you only need to log in to the console, repeat the "application" action from the first step of this article, download the new certificate to replace the old files (or click Quick Deploy again), and restart Nginx.
Without spending a penny, a few minutes is enough to put a safe "body armor" on your website. Hurry up and try it!

