Get ready
- Domain name on file
- SSL certificate (free)
Request Certificate
- Log in to the Alibaba Cloud console and go to Products and Services -> SSL Certificates.
- Click Purchase Certificate, select Free DV SSL as the certificate type, and complete the purchase.
- After the purchase, a Symantec Free SSL entry appears; click the button under its operation item.
- Complete the information and submit it for review. My domain name uses the Alibaba Cloud DNS service. Follow the prompts: check the option stating that the certificate-bound domain is resolved by Alibaba Cloud DNS, let the system generate the CSR, and continue until the request is submitted for review.
The certificate application is approved in about 10 minutes.
Download Certificate
Once the certificate has been issued, go to the Certificate Console and download it. After unzipping, you will have two files:
3064445_readingblog.cn.key
3064445_readingblog.cn.pem
Certificates are configured differently depending on the server type. The example here uses an nginx server.
Configure https for nginx
- Create a directory to store certificates (any)
sudo mkdir -p /usr/local/nginx/ssl/key
- Upload Certificate
scp -P 22 /usr/local/nginx/ssl/key/3064445_readingblog.cn.pem root@47.92.166.108:/usr/local/nginx/ssl/key
scp -P 22 /usr/local/nginx/ssl/key/3064445_readingblog.cn.key root@47.92.166.108:/usr/local/nginx/ssl/key
After uploading, the directory structure is as follows
[root@iZ8vbfhrv1vsbp44n9fdtoZ key]# pwd
/usr/local/nginx/ssl/key
[root@iZ8vbfhrv1vsbp44n9fdtoZ key]# ls
3064445_readingblog.cn.key  3064445_readingblog.cn.pem
- Modify nginx configuration file
# HTTPS server
#
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /usr/local/nginx/ssl/key/3064445_readingblog.cn.pem;
    ssl_certificate_key /usr/local/nginx/ssl/key/3064445_readingblog.cn.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /opt/nodejs/blog-server/static/blog;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    location /blog {
        proxy_pass http://0.0.0.0:3000;
    }
}
- Restart nginx
/usr/local/nginx/sbin/nginx -s reload
If nginx reports that the "ssl" parameter requires ngx_http_ssl_module, nginx was built without that module and it has to be added.
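An added example, not part of the original post: a shell check to run against the server block before reloading. It flags the TLSv1 and TLSv1.1 entries in ssl_protocols, which RFC 8996 deprecates, and private key files that group or other can read. The function names are hypothetical, and the sample config and its paths are constructed for the demo.

```shell
# Added example, not from the original post. Function names are hypothetical.

# Print deprecated protocol versions enabled by any ssl_protocols directive.
weak_protocols() {
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' |
    awk '$1 == "ssl_protocols" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print $i
         }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print ssl_certificate_key files whose mode grants group or other any access
# (characters 5-10 of the ls mode string are the group and other bits).
exposed_keys() {
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' |
    awk '$1 == "ssl_certificate_key" { print $2 }' |
    while read -r key; do
        [ -f "$key" ] || continue
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || printf '%s\n' "$key"
    done
}

# Return 0 only when both checks are clean (assumes paths without spaces).
audit_nginx_tls() {
    rc=0
    weak=$(weak_protocols "$1")
    if [ -n "$weak" ]; then
        echo "FAIL deprecated protocols: $weak (keep TLSv1.2 only)"; rc=1
    fi
    for key in $(exposed_keys "$1"); do
        echo "FAIL key readable beyond owner: $key (chmod 600)"; rc=1
    done
    return "$rc"
}

# Constructed sample: the post's ssl_protocols line, placeholder files under $1.
write_sample() {
    printf 'constructed placeholder, not a real key\n' > "$1/site.key"
    chmod 644 "$1/site.key"
    cat > "$1/nginx.conf" <<EOF
server {
    ssl_certificate_key $1/site.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # as in the post
}
EOF
}

demo=$(mktemp -d) && write_sample "$demo"
audit_nginx_tls "$demo/nginx.conf" || echo "audit failed"
rm -rf "$demo"
```

The build shown on this page links OpenSSL 1.0.2k, which has no TLS 1.3, so TLSv1.2 is the only non-deprecated protocol available to it; with OpenSSL 1.1.1 or later, TLSv1.3 can be listed as well.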
Installing ngx_http_ssl_module for nginx
My nginx installation directory is /usr/local/nginx, and the source package is at /usr/nginx-1.14.0.
First enter the source package directory and run:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
When configuration completes, run make (do not run make install here, or it will overwrite the existing installation):
make
Back up the installed nginx binary before replacing it:
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
Stop the nginx service first:
/usr/local/nginx/sbin/nginx -s stop
Overwrite the original nginx binary with the newly compiled one:
cp ./objs/nginx /usr/local/nginx/sbin/
Finally, start nginx:
/usr/local/nginx/sbin/nginx
Delete the backup:
rm -rf /usr/local/nginx/sbin/nginx.bak
The following command shows whether the ssl module was added successfully:
[root@iZ8vbfhrv1vsbp44n9fdtoZ nginx-1.14.0]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module