pk10技巧34567名定位

Classic Case
  • Website of Tongren Development and Reform Commission
  • Tongren City Science and Technology Innovation Service Platform
  • Tongren Science and Technology Bureau

Alibaba Cloud Free SSL Certificate Deployment Website HTTPS

Posted: 2018-06-20 16:51 Source: unknown Author: admin Click: Times

With the rapid development of the mobile Internet, network security issues have become increasingly prominent. How to protect the security of the user-website interaction information has become a concern for many enterprises. HTTPS can effectively protect users' privacy and data security. The following editor will introduce how to use free DV certificate to deploy HTTPS.

Because of Alibaba Cloud's reputation in the country, it seems natural to use Alibaba Cloud SSL certificates. However, Alibaba Cloud's CA certificate is relatively expensive, which is several times more expensive than purchasing through other channels. Fortunately, Alibaba Cloud provides a free version of the DV certificate, and each Alibaba Cloud account can apply for up to 20 free DV certificates, which is usually enough.

Apply for a certificate

Login: Alibaba Cloud console, products and services, certificate services, purchase certificates.
Purchase: Select the free DV SSL for the certificate type, and then complete the purchase.
Completion: In the My Certificate console, find the purchased certificate and select Completion in the action bar. Fill in the certificate related information.
Domain name verification: DNS can be selected. If the domain name uses Alibaba Cloud's DNS service, check the domain name bound to the certificate in Alibaba Cloud's cloud resolution.
Upload: The system generates a CSR, click to create it.
Submit review.

If all goes well, the application certificate will be reviewed and approved in about 10 minutes.

When applying for a certificate, pay attention to verifying the domain name, that is, you need to verify that the domain name you want to bind the certificate is your own. If you choose to use DNS authentication, you need to add a specific DNS record in the management of the domain name, so that you can This domain name is yours. Using Alibaba Cloud's cloud resolution service, this step can be completed automatically and a DNS verification record will be automatically added for you.

Enter the domain name to which the certificate will be bound:

1510206510468035.png

Fill in personal information:

1510206599347421.png

The type of domain name verification can be selected according to the actual situation. Generally speaking, it will be simple and straightforward to choose the "file" verification method.

Alibaba Cloud Shield Certificate Service provides two verification methods:

DNS authentication

DNS authentication methods generally require related operations by your domain administrators. Please follow the progress prompt in your certificate order and configure it in your domain name management system accordingly.

Select the DNS domain authorization and authentication, you need to go to your domain name resolution service providers (such as million net new network, DNSPod, etc.) to configure the system provided. For example, if the domain name is hosted on Alibaba Cloud, you need to go to the cloud resolution DNS console to configure it.

Note: The DNS configuration record only after deleting a certificate issued or revoked.

Steps

  1. Log cloud shield Certificate Services Management Console, select the list in my order has been submitted your application for review of certificate orders, click the progress, you can view the domain configuration authorization information (such as DNS host records need to be configured to record and value Record type, etc.).

    Note: It may take a few minutes for the system to generate relevant domain name authorization configuration information after you submit your review application.

    域名授权配置

  2. Go to your domain name resolution management system and add a record according to the domain name authorization configuration requirements. Be sure to fill in the host record, record value, and record type correctly, and be careful not to reverse the configuration of the host record and record value.

    Tip: The host record provided by Cloud Shield Certificate Service is full domain name. If your domain name management system does not support the full domain name host record, please remove the suffix of the root domain name.

    Note: If your domain is hosted Ali cloud cloud resolution service and check the authorization system automatically add a record to complete the authorized domain verification option, you do not need to do anything in the DNS management console. You can view the results of domain name authorization verification push directly on the audit progress page:

    • If the push is successful, you just need to wait for the certificate to be issued.

    • If the push fails, you need to perform manual configuration again.

  3. The detection configuration takes effect.

File verification method

The file verification method generally needs to be operated by your site administrator. Please follow the progress prompt in your certificate order, download the file to your local computer, and then upload it to a designated directory on your server using a tool such as FTP.

Only delete the verification file or revocation of a certificate issued after: attention.

Steps

  1. Log in to the Cloud Shield Certificate Service Management Console, select the certificate order for which you have submitted an application for review in the My Orders list, and click on the progress to view the domain name authorization configuration related information (such as the verification file to be uploaded and the specified server directory, etc. ).

    文件验证配置

  2. According to the configuration requirements, download the specified verification file to the local computer, and then upload it to a specified directory on your server through a tool (such as FTP).

    For example, your website's domain name is a.com, and the disk directory of the server where your site is located is / www / htdocs. According to the above file verification configuration requirements, you need to perform the following configuration:

    1. In the progress of the inquiry page, click fileauth.txt verification file, downloaded to the local.

    2. Create a .well-known / pki-validation subdirectory under the / www / htdocs directory of your site server.

    3. The fileauth.txt verification file upload /www/htdocs/.well-known/pki-validation directory via FTP.

    4. Upon completion, through the verification URL address (http://a.com/.well-known/pki-validation/fileauth.txt) access.

  3. The detection configuration takes effect. You can confirm whether or URL address can access configured to detect whether effected through a browser.

Download the certificate

Ali cloud certificate management there, if the certificate application is approved, you can download, click on the download, you can choose a different type, you can choose NGINX or the like Apache server. According to their Web site's server type, download the corresponding certificate. After decompression, you will get two files one is the * .key, is a * .pem.

Management Certificate

After the certificate is approved, you can manage your certificate in the cloud shield Certificate Services Management Console:

  1. Log in to the Cloud Shield Certificate Services management console and click My Certificate.
    Note: You can also upload your existing unified management of digital certificates in my Certificate page.

  2. View and manage your digital certificates in the My Certificates table.

Configure NGINX for HTTPS

With the certificate, you can configure the Web server to use this certificate. The configuration method is different for different Web servers. The following uses NGINX server as a demonstration. My domain name is ninghao.org, you can replace the place where this text appears according to your actual situation.

Download and upload the certificate

Create a directory to store certificates:

 sudo mkdir -p /etc/nginx/ssl/example.com 

Upload and apply for the downloaded certificate under the directory created above. The actual location of my certificate is:

 /etc/nginx/ssl/example.com/213986617020706.pem /etc/nginx/ssl/example.com/213978317020706.key 

NGINX configuration file

Your website can support both HTTP and HTTPS. The default port number for HTTP is 80 and the default port number for HTTPS is 443. That is, if your website uses HTTPS, you need to configure the website server to listen on port 443, which is a request made by users using HTTPS.

Here is a basic NGINX configuration file that listens on port 443 and uses an SSL certificate to create a configuration file:

 touch /etc/nginx/ssl.example.com.conf 

Paste the following code into it:

 server {
 listen 443;
 server_name example.com;
 ssl on;
 root /mnt/www/example.com;
 index index.html;

 ssl_certificate /etc/nginx/ssl/example.com/213986617020706.pem;
 ssl_certificate_key /etc/nginx/ssl/example.com/213978317020706.key;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers AESGCM: ALL:! DH:! EXPORT:! RC4: + HIGH:! MEDIUM:! LOW:! aNULL:! eNULL;
 ssl_prefer_server_ciphers on;
 } 

In the above configuration, the two instructions ssl_certificate and ssl_certificate_key specify that two files are used, that is, the certificate you downloaded. The two files you see after decompression are one * .pem and one * .key. You need to upload these two files to a directory on the server.

Reload the NGINX service:

 sudo service nginx reload 

or:

 sudo systemctl reload nginx 



tag:
    ------ Divider ----------------------------
    ------ Divider ----------------------------