How Do I Configure a Free SSL Certificate (Let's Encrypt) on an Alibaba Cloud Server to Implement HTTPS?
In today's Internet, if your website still uses plain http:// (clear-text transmission), not only will the browser's address bar mercilessly mark it with a red "Not secure" warning, but Google, Baidu and the other search engines will also severely penalise it in their rankings. Worse still, criminal operators can easily hijack your page in transit and stuff it with junk advertisements.
The only way to solve this is to upgrade to HTTPS, and the core of upgrading to HTTPS is an SSL security certificate.
When many new customers and start-ups hear "SSL certificate", their first reaction is: "You have to buy that from a big vendor. It costs hundreds or even thousands of dollars a year. Too expensive."
In today's article I will walk you through it in plain language, hands-on, on an Aliyun server, using the world's most conscientious free certificate authority, Let's Encrypt, together with the automation tool Certbot, to achieve the ultimate practical setup: one-command application, automatic renewal, free for life.
Core Principle: Why Let's Encrypt and Certbot?
Let's Encrypt: a non-profit organisation sponsored jointly by the world's major Internet companies (Mozilla, Cisco, Google, etc.) that specialises in issuing, free of charge, proper SSL certificates trusted by all browsers.
The price of being free: the only small drawback is that each certificate issued is valid for only 90 days.
The automation tool Certbot: so that we do not have to redo this by hand every three months, the project provides the Certbot command-line tool. It not only applies for a certificate for us with a single command, but also keeps an eye on the expiry date in the background and renews the certificate automatically when it is about to expire. As long as the server keeps running, the certificate stays free and never lapses.
Preparation: Safety Checks Before Starting
Before typing any commands, make sure the following three things are done, otherwise you are guaranteed to go round in circles later:
The domain name already resolves to your Aliyun server's IP: if typing your domain name (e.g. www.yourname.com) in the browser does not reach your server's default web page, configure the DNS resolution first.
Port 443 is open in the Alibaba Cloud security group: HTTPS uses port 443 (plain HTTP uses port 80). In practice: log on to the Aliyun console -> find your ECS instance -> click [Security Group] -> [Configure Rules] -> allow port 443 in the inbound direction. If it is not opened, no matter how well the certificate is installed, the outside world cannot connect securely.
A web server is already installed on the server (Nginx in this example), and your Nginx is already configured with basic access by domain name.
Next we officially enter the hands-on command stage. We take the two most mainstream systems, Ubuntu and CentOS/Alibaba Cloud Linux, as examples.
Step 1: Install Certbot Tools on the Server
We first need to invite this "automated housekeeper" onto the server.
If your server system is Ubuntu:
Ubuntu's built-in package manager makes this easy. Run the following commands directly:
Bash
# Update software source
sudo apt update
# Install certbot and dedicated plugins for nginx
sudo apt install certbot python3-certbot-nginx -y
If your server system is CentOS / Alibaba Cloud Linux:
CentOS needs the EPEL extension repository enabled before it can find Certbot.
Bash
# Install the EPEL extension repository
sudo yum install epel-release -y
# Install certbot and nginx plugins
sudo yum install certbot python3-certbot-nginx -y
Step 2: Apply for and Configure an SSL Certificate Automatically with One Command
The best thing about Certbot is its "foolproof" automatic scanning mode. It reads the Nginx configuration on your server, finds out which domain names you have bound, and then applies for a certificate from Let's Encrypt for them automatically.
Enter the following single command in the terminal:
Bash
sudo certbot --nginx
After running it, the terminal shows an interactive prompt. Don't panic; follow my notes and answer step by step:
Enter email address: enter an email address you actually read. This mailbox matters: if the automatic renewal script ever breaks, Let's Encrypt will email you 20 days before the certificate expires so you can put out the fire.
Terms of Service: enter A (Agree).
Would you be willing to share your email...: enter N (No) to avoid receiving spam every day.
Select the domain names to enable HTTPS for: Certbot will list all the domain names configured in your Nginx (e.g. 1: yourname.com, 2: www.yourname.com). If you want HTTPS on both domain names, just press Enter (all are selected by default); otherwise enter the corresponding numbers separated by commas.
After pressing Enter, a burst of output scrolls past (this is Certbot performing the domain-validation handshake with the Let's Encrypt server).
Wait 5 to 10 seconds; when you see at the end of the screen:
Congratulations! You have successfully enabled HTTPS...
the certificate has been issued successfully!
More importantly, Certbot has automatically modified your Nginx configuration file: the tedious key paths, the listener on port 443 and the SSL cipher settings have all been filled in for you.
Step 3: Final Verification
Now you can close the black terminal window and open the browser on your computer.
Enter your domain name without https in the address bar (for example http://www.yourname.com), and you will find that it automatically redirects you to https://www.yourname.com with the security padlock.
Click the small padlock to the left of the domain name to view the certificate details, and you will see that the issuer clearly reads: Let's Encrypt. At this point your Aliyun server is wearing its HTTPS bulletproof vest!
Step 4: Rest Easy - Configure a Scheduled Task for Automatic Renewal
As mentioned earlier, this certificate is valid for only 90 days. Although Certbot usually adds a timer to the system by default during installation, to make sure nothing slips through we should manually verify and test that this "renewal loop" actually works.
1. Simulated renewal test (a dry run, no real renewal)
Enter the following command to have Certbot simulate the renewal it would perform when the certificate expires:
Bash
sudo certbot renew --dry-run
If the screen ends with
Your certificates are not due for renewal yet, but simulated successfully
or finishes without any error (success), the automatic-renewal machinery is completely healthy.
2. Extra insurance: add a Linux cron scheduled task
To prevent the default automatic renewal from breaking due to changes in the system environment, experienced operators usually add a second line of insurance in Linux's scheduled tasks (crontab).
Enter the following command to open the system's scheduled-task editor:
Bash
sudo crontab -e
At the bottom of the file, on a separate line, paste the following line:
Plaintext
0 3 * * * certbot renew --post-hook "systemctl reload nginx"
This line means: every day at 3:00 a.m. the server quietly runs the certbot renew command in the background. Certbot is smart: if it finds the certificate is not yet due (more than 30 days remain) it does nothing; once fewer than 30 days remain, it automatically obtains a new certificate in the background and, through --post-hook, has Nginx reload its configuration so the new certificate is applied seamlessly.
Save and exit. With this one line you can completely erase "SSL certificate expired" from your memory.
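The browser check in Step 3 and the 30-day renewal window in Step 4 can both be scripted. The following is an added example, not code from the original post or from Certbot: it reads the notAfter line that openssl x509 -enddate prints, computes the days left with pure POSIX sh date maths (no GNU date needed), and check_site applies this to whatever a host really serves on port 443. The hostname www.yourname.com and the sample dates are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): how many days are left on the
# certificate a server presents, and whether certbot's 30-day window has been hit.

# Days since 1970-01-01 for a civil date y m d (Hinnant's days_from_civil).
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

month_num() {
  case $1 in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
  esac
}

# $1: "notAfter=Mar 15 03:00:00 2026 GMT" as printed by `openssl x509 -enddate`
# $2: today's date as YYYY-MM-DD. Prints whole days left (negative = expired).
days_left() {
  today=$2
  set -- ${1#notAfter=}                      # $1=Mar $2=15 $3=03:00:00 $4=2026
  end=$(days_from_civil "$4" "$(month_num "$1")" "$2")
  ty=${today%%-*}; tm=${today#*-}; tm=${tm%%-*}; td=${today##*-}
  now=$(days_from_civil "$ty" "${tm#0}" "${td#0}")   # strip leading zero (octal trap)
  echo $(( end - now ))
}

# certbot renew (and the cron line above) only acts when fewer than 30 days remain.
needs_renewal() { [ "$(days_left "$1" "$2")" -lt 30 ]; }

# Live check of what a host actually serves on 443 (needs network; not used by tests).
check_site() {   # usage: check_site www.yourname.com
  cert=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null)
  enddate=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)
  issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
  today=$(date -u +%Y-%m-%d)
  echo "$1: $(days_left "$enddate" "$today") days left; $issuer"
  if needs_renewal "$enddate" "$today"; then
    echo "WARNING: inside the 30-day window; check that certbot renew is running"
  fi
}
```

Running check_site against your own domain after Step 3 should show the issuer as Let's Encrypt and well over 30 days left; a warning means the Step 4 timer or cron line is not doing its job.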
Conclusion and Pitfalls to Avoid
After reading through the whole process, did you notice that getting free HTTPS on Alibaba Cloud took less than 5 minutes?
Finally, a summary of the two hidden pitfalls novices most often step into:
Don't forget the subdomains: if you want both yourname.com and api.yourname.com to be secured, make sure the Nginx server_name entries for those subdomains are properly configured and the Aliyun DNS records are added before applying for the certificate.
Do not mix this command with a Pagoda Panel server: if you have installed a visual management tool such as "Pagoda Panel" on your Aliyun server, click "Apply for Let's Encrypt certificate" directly in the panel's graphical interface instead of running Certbot on the command line. The panel has its own set of Nginx configuration rules, and changing them with native commands will directly overwrite the panel's configuration files.
Now your website is not only safe from hijacking but also earns higher ranking weight in the eyes of the major search engines. Go and hang up your free padlock!
