This is the fourth article in the "Stick to Technical Writing" project (translations included). The small goal is 999 articles, at least 2 per week.

"For the past few years, we've been advocating HTTPS for sites to improve their security. Last year, we also helped users by marking more HTTP pages as 'unsafe'. But starting in July 2018, with the release of Chrome 68, the browser will mark all HTTP sites as 'unsafe'." (from the Chrome 68 release notes)

More and more sites are moving to HTTPS, thanks to the campaign by Google and others to wipe out HTTP and to the efforts of the nonprofit Let's Encrypt. Here are some statistics from Let's Encrypt:

What is Let’s Encrypt

When deploying an HTTPS website, a certificate issued by a CA is required. Most traditional CAs charge for issuing certificates, which does not help the adoption of HTTPS.

Let's Encrypt is a non-profit CA that aims to automate the otherwise manual process of creating and installing certificates, and to promote ubiquitous encrypted connections to World Wide Web servers by providing free SSL/TLS certificates for secure websites.

It is hosted by the Linux Foundation and sponsored by many major Internet companies at home and abroad. At present, all mainstream browsers trust the certificates issued by Let's Encrypt.

Note that Let's Encrypt issues DV certificates only; it does not provide OV or EV certificates.

This article focuses on how to issue wildcard certificates using Let’s Encrypt.

Wildcard certificate

A wildcard SSL certificate is designed to protect the primary domain name and an unlimited number of its subdomains. That is, a user can protect any number of subdomains with a single wildcard SSL certificate. If a user runs several subdomain platforms, all of them can be protected with one wildcard certificate.

However, a wildcard only covers one level of subdomains. For example, *.demo.com covers xx.demo.com but not xx.xx.demo.com. To cover a second level of subdomains, you need to issue a separate wildcard certificate for that level, with the first-level label fixed; that is, *.*.demo.com is not supported.

Use acme.sh to simplify certificate issuing

Certbot is the officially recommended client, but for a long time it did not support wildcard certificates (it does now), its support for automatic renewal was poor, and it is cumbersome to operate.

Installing acme.sh

$ curl https://get.acme.sh | sh
# or
$ wget -O - https://get.acme.sh | sh
# or
$ git clone https://github.com/Neilpang/acme.sh.git
$ ./acme.sh/acme.sh --install

Issuing wildcard certificates with the DNS API

acme.sh is very powerful. This section describes how to issue wildcard certificates automatically using the DNS API. It currently supports about 60 DNS providers, including Alibaba Cloud and DNSPod (see the list of providers acme.sh currently supports).

If your DNS provider has no API, is not yet supported by acme.sh, or you do not want to give acme.sh API permissions on an important domain for security reasons, you can apply for a test domain and set a CNAME on the important domain that points to it (see DNS Alias Mode).

Assuming that your domain name is hosted by DNSPod, log in to the DNSPod console and open User Center -> Security Settings -> API Token -> View -> Create API Token -> enter any token name -> OK -> save the ID and Token values (the masked part of the screenshot).

$ export DP_Id="Your ID"
$ export DP_Key="Your Token"
# Quote the wildcard so the shell does not expand it as a glob
$ acme.sh --issue --dns dns_dp -d example.com -d '*.example.com'
# Add --challenge-alias if DNS alias mode is used.
# Because DNS changes may not take effect immediately, the script pauses
# ("Sleep 120 seconds") to give the TXT records time to propagate before validation.
# Cert success
# Do not use the certificate under ~/.acme.sh/ directly; refer to
# https://github.com/Neilpang/acme.sh/wiki/ (section 3, copy/install certificate).
# Copy it to the specified directory using --installcert:
$ acme.sh --installcert \
        -d example.com -d '*.example.com' \
        --key-file /etc/letsencrypt/live/example.com/privkey.pem \
        --fullchain-file /etc/letsencrypt/live/example.com/fullchain.pem \
        --reloadcmd "service nginx reload"

Optimizing HTTPS Configuration

This article uses the Nginx configuration generated by the Mozilla SSL Configuration Generator as an example; the generator can also produce Apache and IIS configurations.

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # openssl dhparam -out /etc/letsencrypt/live/example.com/dhparam.pem 2048
    ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Check HTTPS score

Visit www.ssllabs.com/ssltest/, submit your domain name, and check the score.
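Before submitting a domain to SSL Labs, it is worth checking locally that the certificate you just installed actually covers the names you expect and is not close to expiry. The following is an added example, not code from the article or from acme.sh: it implements the single-label wildcard rule described in the wildcard section above (*.example.com covers a.example.com but not example.com or a.b.example.com, and *.*.example.com is rejected), computes the remaining lifetime, and can fetch the live certificate from a server. The SAMPLE_CERT dictionary is constructed for the example in the shape that Python's ssl.SSLSocket.getpeercert() returns; the function and constant names are my own.

```python
"""Check that a certificate covers a hostname and how long it is still valid.

Added example; not part of the original article or of acme.sh.
Cert dicts have the shape returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional


def wildcard_covers(san_name: str, hostname: str) -> bool:
    """True if one subjectAltName DNS entry (possibly *.example.com) covers hostname.

    A wildcard matches exactly one label: *.example.com covers a.example.com
    but neither example.com nor a.b.example.com. The "*" is only honoured as
    the whole leftmost label, so *.*.example.com, a*.example.com and *.com
    never match anything.
    """
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    if len(san_labels) < 3:  # refuse "*.com": the wildcard must sit under a registered name
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def covered_names(cert: dict, hostname: str) -> List[str]:
    """Return the SAN DNS entries of cert that cover hostname (empty list if none)."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS" and wildcard_covers(value, hostname)]


def days_remaining(cert: dict, now: Optional[datetime] = None) -> float:
    """Days until notAfter; a negative value means the certificate has expired."""
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400


def inspect_host(hostname: str, port: int = 443) -> dict:
    """Connect with a validating default context and return the peer certificate
    (in the shape the functions above expect) plus the negotiated protocol and cipher.
    Needs network access; not exercised by the offline sample below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return {"cert": tls.getpeercert(), "version": tls.version(), "cipher": tls.cipher()}


# Constructed sample (hypothetical values): what getpeercert() would return for a
# 90-day Let's Encrypt certificate issued for example.com and *.example.com.
ISSUE_TIME = datetime(2018, 7, 1, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Jul  1 00:00:00 2018 GMT",
    "notAfter": "Sep 29 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "a.b.example.com"):
        print(f"{name:20s} covered by: {covered_names(SAMPLE_CERT, name) or 'NOTHING'}")
    print("days left at issue time:", days_remaining(SAMPLE_CERT, ISSUE_TIME))
```

Run it as-is to see the wildcard rule applied to the sample, or call inspect_host("your.domain") to check a deployed server: a name that ends up "covered by NOTHING" will fail browser validation even though acme.sh reported success, and the returned version field shows which protocol was negotiated (the Nginx configuration above still enables TLSv1 and TLSv1.1, which current SSL Labs tests mark down).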

References

  • Chrome will no longer mark HTTPS pages as secure sites
  • Let’s Encrypt Stats
  • About Let’s Encrypt
  • Mozilla SSL Configuration Generator
  • The main differences between DV, OV and EV certificates
  • Neilpang/acme.sh#Wiki# installation instructions
  • Neilpang/acme.sh#Wiki#How to Install
  • Neilpang/acme.sh#Wiki#How to use DNS API

Job openings

Friends in Jinan, Shandong are welcome to join us and build things together.

We are recruiting on a long-term basis: Java programmers, big data engineers, operations engineers, and front-end engineers.