Why do you want to do a site-wide HTTPS upgrade?

Security

HTTP transfers everything in plaintext; HTTPS encrypts the transmission and authenticates the server. That prevents data from being read or tampered with in transit and effectively blocks man-in-the-middle attacks. (Note the scope: HTTPS protects data between browser and server, not content that is already compromised on the server or in the browser.) This site suffered a man-in-the-middle attack in November: illegal content was injected into the pages, and page loading slowed to a crawl. That is what made me decide to upgrade to HTTPS.

Better search-engine ranking

Search engines rank sites served over HTTPS higher than their plain-HTTP equivalents

Avoid the browser's security warning

Recent versions of Chrome mark any site that is not served over HTTPS as "Not secure" in the address bar, and clicking the indicator shows "You should not enter any sensitive information on this site". That visibly undermines users' trust

What is the relationship between HTTPS and HTTP?

  • HTTPS is HTTP carried over an SSL/TLS connection: the TLS layer sits between HTTP and TCP and provides encryption, integrity and server authentication. (SSL is the historical name; every SSL version is now deprecated and real deployments negotiate TLS.)
  • To serve HTTPS you must obtain an SSL/TLS certificate and install it, together with its private key, on the server. Certificates are issued by a trusted certificate authority (CA), and the browser verifies the certificate chain against the root CAs it trusts. Note that certificates have a limited lifetime, from about three months (Let's Encrypt issues 90-day certificates) to a year for commercial CAs, so renewal must be planned for
  • HTTP uses port 80 by default; HTTPS uses port 443 (this is important to remember!)

Why choose a wildcard certificate rather than another type of certificate?

SSL certificates come in three types: single-domain certificates, multi-domain (SAN) certificates, and wildcard certificates:

Single domain certificate:

A single-domain certificate protects only the one name it was issued for. For example, a certificate for msh.com covers msh.com itself but none of its subdomains: b.msh.com and c.msh.com are not protected. Disadvantage: every time I add a subdomain, I have to obtain a new certificate for that subdomain

Multi-domain (SAN) certificate:

One certificate protects several explicitly listed names. For example, a multi-domain certificate can cover msh.com together with b.msh.com and c.msh.com, or even an unrelated domain such as nsh.com

Cons: although I can list several names, I do not know which subdomains I will add in the future, so I will probably have to reissue the certificate by then. Personally, I find multi-domain certificates of little use.

Wildcard certificate:

A *.msh.com certificate protects every first-level subdomain of msh.com, such as b.msh.com and c.msh.com

Advantages: as shown above, this means I can solve the problem once and for all. Once the wildcard certificate has been issued, it can be used for every subdomain under the domain. The wildcard certificate is therefore the most practical of the three types.

Note: a wildcard stands for exactly one label, so *.msh.com does not protect the next level down, such as abc.test.msh.com. If you want to protect abc.test.msh.com, you need a *.test.msh.com certificate. Also, browsers do not match the bare domain msh.com against *.msh.com: if the apex is to be served with the same certificate, msh.com must be listed in it as an additional name (Let's Encrypt, like most CAs, will issue both names in one certificate when both are requested).
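The matching rules behind the three certificate types, as an added example that is not code from the original post. It implements the hostname-matching rules browsers apply to certificate names (RFC 6125, section 6.4.3): a name without "*" must match exactly, and a wildcard is honoured only as the whole left-most label, standing for exactly one label. The domain names are the post's own; the certificate name lists are constructed for the example.

```python
"""Which hostnames does a certificate cover?

Added example, not code from the original post.  Implements the
hostname-matching rules browsers apply (RFC 6125, section 6.4.3): a name
without "*" must match exactly; a wildcard is honoured only as the whole
left-most label and stands for exactly one label.  Hence "*.msh.com"
covers "b.msh.com" but neither the bare "msh.com" nor "abc.test.msh.com".
The domain names are the post's own; the certificate name lists below
are constructed for the example.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (a subjectAltName DNS entry)
    covers ``hostname``.  DNS names are case-insensitive, and a trailing
    dot is ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # The wildcard must be the entire left-most label.  Browsers reject
    # partial wildcards ("b*.msh.com") and wildcards deeper in the name
    # ("*.*.msh.com" or "b.*.com").  Requiring at least three labels is a
    # simplification of the public-suffix check that stops "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False

    # "*" consumes exactly one label, so the label counts must agree:
    # "msh.com" (2 labels) and "abc.test.msh.com" (4) never match
    # "*.msh.com" (3).  The remaining labels must match exactly.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """A certificate covers a host if any of its names matches it."""
    return any(name_matches(name, hostname) for name in cert_names)


def coverage(cert_names, hosts):
    """Map each host to whether the certificate would be accepted for it."""
    return {host: cert_covers(cert_names, host) for host in hosts}


# Constructed name lists for the three certificate types discussed above.
SINGLE_DOMAIN = ["msh.com"]
MULTI_DOMAIN = ["msh.com", "b.msh.com", "c.msh.com", "nsh.com"]
# A wildcard certificate must list the bare domain as a second name if
# the apex is to be served from it (Let's Encrypt issues both names in
# one certificate when both are requested).
WILDCARD = ["msh.com", "*.msh.com"]
WILDCARD_ONLY = ["*.msh.com"]  # common mistake: apex forgotten

HOSTS = ["msh.com", "b.msh.com", "c.msh.com", "d.msh.com",
         "abc.test.msh.com", "nsh.com"]

if __name__ == "__main__":
    for label, names in [("single", SINGLE_DOMAIN), ("multi", MULTI_DOMAIN),
                         ("wildcard", WILDCARD), ("wildcard only", WILDCARD_ONLY)]:
        print(f"{label:14s} {coverage(names, HOSTS)}")
```

Running it prints one coverage table per certificate type; the interesting rows are d.msh.com (only the wildcard covers a subdomain that did not exist at issue time), abc.test.msh.com (no certificate above covers it) and msh.com under WILDCARD_ONLY (the apex is rejected when it is not listed separately).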

Four, paid certificate or free certificate?

SSL certificates come in paid and free varieties.

Paid:

Issued by commercial CAs such as Symantec or GeoTrust. Note that a paid certificate does not encrypt any better than a free one; what you pay for is organization or extended validation, vendor support, and a warranty: the CA offers compensation of hundreds of thousands or even tens of millions for security incidents involving its certificates. (Symantec's CA business has since been sold to DigiCert, and certificates from the old Symantec roots are no longer trusted by the major browsers.) Of course, the certificate itself is more expensive: a single-domain certificate costs about 5000 RMB a year and a wildcard certificate about 40000 RMB a year, roughly the cost of a year's server lease. If you are on a tight budget, look elsewhere.

Free:

Issued at no charge by CAs such as Let's Encrypt. The certificates are free, trusted by all major browsers, and provide the same TLS security as a paid domain-validated certificate. More importantly, Let's Encrypt announced wildcard certificates for January 2018 (they actually became available in March 2018 with ACME v2; note that wildcard issuance requires DNS-01 validation, i.e. proving control of the domain by publishing a TXT record under _acme-challenge.<domain>).

Conclusion: in terms of scope, the wildcard certificate is clearly the best choice. For small and medium-sized Internet companies with strict cost control (i.e., broke), the best option is to generate your own wildcard certificate from Let's Encrypt.

Five, why generate the wildcard certificate with acme.sh rather than some other way?

You can obtain a Let's Encrypt certificate in the following ways:

FreeSSL.org

You can generate a certificate online at FreeSSL.org. The drawback is that the number of certificates per registered domain is limited, usually 20, which is far from enough for normal use, and you have to replace the certificate by hand when it expires. So it is of little use

Certbot

You can install Certbot on the server and generate certificates with it, but it is not nearly as automated as acme.sh

acme.sh

Its advantages can be summed up in two points:

  • Installation is simple: one command
  • High degree of automation: it supports automatic DNS validation through DNS provider APIs (which is what a wildcard certificate needs) and automatic certificate renewal via the cron job it installs

The next article will cover generating a free wildcard certificate from Let's Encrypt with acme.sh

Series

Site-wide HTTPS upgrade series (1): background before the upgrade

Site-wide HTTPS upgrade series (2): generate a free wildcard certificate from Let's Encrypt with acme.sh

Site-wide HTTPS upgrade series (3): configure site-wide HTTPS in Nginx

Site-wide HTTPS upgrade series (4): project code upgrade