Add https support for the site

Considering that https can be encrypted and can resist the interference of a wall, I decided to add https support to my blog.

The whole process is still very simple. I use the free certificate of Let's Encrypt and refer to Jerry Qu's Let's Encrypt, a free and easy-to-use HTTPS certificate This article.

He uses acme tiny, an open source software, for automatic certificate management, which is very convenient. However, his subsequent operations take Nginx as an example, and I recently changed the system from CentOS 6 to Ubuntu 14.04 LTS, and the server software from Nginx to Apache (using XAMPP suite).

So here I record my configuration on Apache.

First, create a directory to store all key files.

I logged in with the root account, so I created an ssl folder ~ / ssl in the root directory, that is, / root/ssl.

Then create an account key, named account.key. The specific commands are as follows:

openssl genrsa 4096 > account.key

This key is used to authenticate the Let's Encrypt website.

The following steps are to prepare for generating SSL certificates.

First, use the following command to generate the domain name key.

openssl genrsa 4096 > domain.key

After that, the CSR file is generated. Here, the domain name requiring SSL should be filled in. Taking my website as an example, I added the top-level domain name and www domain name.

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:fanzheng.org,DNS:www.fanzheng.org")) > domain.csr

Before Let's Encrypt issues the certificate, we need to verify the ownership of our website. Specifically, he will visit the /. Well-known / acme challenge / directory of the website to see if there are any files he requires.

Here, we just need to create the folder under the root directory of the website.

First, download the acme tiny automated certificate management script.

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

Next, specify the account key, domain name key, and directory to use when verifying the ownership of the website.

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /opt/lampp/htdocs/.well-known/acme-challenge/ > ./signed.crt

Finally, you need to merge the intermediate certificate and the website certificate:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem cat signed.crt intermediate.pem > chained.pem

In this way, our final certificate is chained.pem.

Find the httpd-ssl.conf file and modify the SSLCertificateFile and SSLCertificateKeyFile. There is no need to modify the others.

Specifically, change to SSLCertificateFile "/root/ssl/chained.pem" and SSLCertificateKeyFile "/root/ssl/domain.key".

As the certificate of Let's Encrypt is only valid for 90 days, it needs to be updated regularly. The following script is actually a combination of the above commands and an automation scheme for restarting xampp. It can be executed every 90 days or regularly using crontab.

cd /root/ssl/ python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /opt/lampp/htdocs/.well-known/acme-challenge/ > ./signed.crt || exit wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem cat signed.crt intermediate.pem > chained.pem /opt/lampp/xampp restart

Now the last step is to redirect the original http to https. We create a. htaccess file in the root directory of the website and write the redirection rules in it.

Specific to my website is:

RewriteEngine On RewriteCond % 80 RewriteRule ^(.*)$ https://fanzheng.org/$1 [L,R=301] RewriteCond % ^www.fanzheng.org$ [NC] RewriteRule ^(.*)$ https://fanzheng.org/$1 [L,R=301]

It means that all accesses to port 80 are redirected to the https top-level domain name, and all accesses to the www domain name are also redirected to the https top-level domain name.

15 October 2021, 17:05 | Views: 5919