The relevant knowledge

What is HTTP/HTTPS?

To put it simply, HTTP is the protocol used to transmit web content. When we browse a web page, the text, pictures, CSS, JS and other files that make up the page are sent to our browser over HTTP and then displayed to us. Because HTTP is plain text, anything transmitted over it can easily be read and tampered with along the way, which is a problem for anything that must stay private (say, your online banking password). Add an SSL/TLS layer underneath HTTP and you have HTTPS.

What is SSL/TLS?

SSL stands for Secure Sockets Layer; think of it as "HTTP wearing a condom", which is naturally safer. TLS stands for Transport Layer Security. SSL and TLS are successive versions of the same protocol.

Why deploy HTTPS?

The bottom line is that HTTPS is more secure, and for a professional, trustworthy website it is a must. Firefox and Chrome both plan to flag HTTP sites that have no SSL encryption as "not secure", and they are working with other foundations and companies to push the entire Internet to HTTPS. Many of the major sites people visit are already there: Google switched everything to HTTPS years ago, and domestic sites such as Taobao, Sogou, Zhihu and Baidu have also gone fully HTTPS. Google and Baidu search even give HTTPS sites higher rankings and preferential indexing.

How do I deploy HTTPS?

You only need an SSL certificate issued by a trusted CA (Certificate Authority), deployed on your web server. Once it is deployed, when a user visits your site the browser shows a small green lock in front of the URL to indicate that the site is secure, and the URL prefix changes from HTTP to HTTPS.

How do I get an SSL certificate?

In theory we can issue SSL certificates ourselves, but a self-issued certificate will not be trusted by mainstream browsers, so we need one issued by a trusted Certificate Authority (CA). Commercial SSL certificate services such as GoDaddy and GlobalSign cost $20 a year or more. However, to accelerate the adoption of HTTPS, the EFF (Electronic Frontier Foundation), the Mozilla Foundation and the University of Michigan established a non-profit organization called ISRG (Internet Security Research Group), which has offered free Let's Encrypt certificates since 2015. These certificates are not only free but also perfectly usable, so you can deploy HTTPS with a free certificate from Let's Encrypt.

Let's Encrypt overview

As mentioned above, Let's Encrypt is a free certificate program run by ISRG (Internet Security Research Group). The organizations and companies behind the project are some of the most important players on the Internet: besides the three founding organizations, Cisco, Akamai and even the Linux Foundation have joined. The participation of these big names ensures the credibility and sustainability of the project.

Certbot overview

The EFF (Electronic Frontier Foundation), one of the founders of ISRG, has released Certbot, the official client for Let's Encrypt, which fully automates obtaining, deploying and renewing certificates. Third-party tools can also be used, but the official tool is more authoritative, lower risk, and easier to troubleshoot because it has official support.

The actual operation

How to use Certbot

The official Certbot website is certbot.eff.org/. Open this link and select the web server and operating system you use; the site then displays the matching installation steps. Take the server I currently use as an example: the web server is Nginx (1.12) on CentOS (7.3). Because Certbot is packaged in EPEL, install EPEL before installing Certbot:

yum -y install epel-release

Then install Certbot following the instructions on the official website:

yum install python2-certbot-nginx

After the installation is complete, run the command the official website prompts for:

certbot --nginx

Running this command obtains the certificate automatically, and Certbot edits the Nginx configuration file to set up the HTTPS service.

I hit a snag when running the configuration command:

ImportError: No module named 'requests.packages.urllib3'

Certbot is written in Python and uses Python to edit the Nginx configuration. Since it is Python, you can list the installed Python packages with the pip list command. The package was already installed, though, and the answer turned up quickly in a Certbot issue on GitHub (Issues link). It appears to be a package version dependency problem; run the following commands to reinstall the dependencies:

pip uninstall requests
pip uninstall urllib3
yum remove python-urllib3
yum remove python-requests
yum install python-urllib3
yum install python-requests
yum install certbot

After that, the certbot --nginx command ran successfully. Once it starts, you are prompted to enter an email address for notifications. Enter the address and press Enter.

[root@izuf6fco0zwyipdq9485s2z ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security) (Enter 'c' to cancel): [email protected]   // demo mailbox
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter and Certbot will automatically request the Let's Encrypt certificate and set up the Nginx configuration file. There is some interaction along the way (agreeing to the terms of service, choosing which site to configure), which is easy to follow from the output.

(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: kisstime.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kisstime.top
Cleaning up challenges
...

Then an error occurred while Certbot parsed the Nginx configuration file:

An unexpected error occurred:
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe5 in position 2: ordinal not in range(128)
Please see the logfiles in /var/log/letsencrypt for more details.

Those familiar with Python will recognise this error. I don't use Python much, though, so I spent some time getting to know it.

Before resolving the error, you need to understand the difference between Unicode and UTF-8. Unicode is the universal character set, a "code table" that assigns a number to every character. UTF-8 is one way of encoding that table into bytes for storage; Unicode text does not have to be stored as UTF-8, it can also be stored as UTF-16, UTF-7 and other encodings, although most text today is encoded as UTF-8. Second, Python 2 has two kinds of strings: byte strings and Unicode strings. If you declare UTF-8 encoding at the top of a Python file (#coding=utf-8), then string literals containing Chinese characters are treated as UTF-8 encoded byte strings (for example: mystr = "hello"), whereas strings returned by library functions are Unicode strings. The problem is that Unicode strings and byte strings cannot be mixed: combining them triggers an implicit decode of the byte string with the default ASCII codec, which fails on any non-ASCII byte and produces exactly this error. For example:

self.response.out.write("Hello" + self.request.get("argu"))  # byte string + Unicode string

Here "Hello" is treated as a byte string, while the return value of self.request.get("argu") is a Unicode string. Concatenating them forces Python to decode the byte string, and since the default codec is ASCII, a byte string containing Chinese cannot be decoded, so the error is raised.
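As an added illustration (not code from the original post), the following Python 3 script reproduces the same ASCII decode failure on a constructed Nginx config that has a Chinese comment, locates the offending bytes so the comment can be found before running Certbot again, and applies the author's fix of dropping that comment. The config contents and the server_name are constructed sample values; in Python 3 the implicit decode of Python 2 becomes an explicit .decode("ascii").

```python
# Added example, not from the original post: reproduce the ASCII decode error
# Certbot raised and locate the non-ASCII bytes in an Nginx config file.
# Python 3: the implicit decode of Python 2 becomes an explicit .decode("ascii").

# Constructed sample config: a Chinese comment ("security settings") on line 1,
# as the author's real config had. The server_name is a placeholder.
SAMPLE_CONF = (
    b"# \xe5\xae\x89\xe5\x85\xa8\xe8\xae\xbe\xe7\xbd\xae\n"
    b"server {\n"
    b"    listen 80;\n"
    b"    server_name example.invalid;\n"
    b"}\n"
)


def ascii_decode_error(data: bytes):
    """Return the message the ASCII codec raises for data, or None if it is pure ASCII."""
    try:
        data.decode("ascii")
    except UnicodeDecodeError as exc:
        return str(exc)
    return None


def find_non_ascii(data: bytes):
    """Return (line, column, byte) for every byte above 0x7F; lines are 1-based."""
    hits = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        hits.extend((lineno, col, b) for col, b in enumerate(line) if b > 0x7F)
    return hits


def strip_non_ascii_comments(data: bytes) -> bytes:
    """Drop comment lines containing non-ASCII bytes (the author's fix); keep everything else."""
    kept = [
        line for line in data.split(b"\n")
        if not (line.lstrip().startswith(b"#") and any(b > 0x7F for b in line))
    ]
    return b"\n".join(kept)


if __name__ == "__main__":
    print(ascii_decode_error(SAMPLE_CONF))
    for lineno, col, b in find_non_ascii(SAMPLE_CONF):
        print(f"line {lineno} col {col}: byte 0x{b:02x}")
    # UTF-8 decodes the same bytes fine: the file is valid, only the codec was wrong.
    print(SAMPLE_CONF.decode("utf-8").splitlines()[0])
    print(ascii_decode_error(strip_non_ascii_comments(SAMPLE_CONF)))
```

The first printed message matches the one Certbot reported (byte 0xe5 at position 2), because the comment's first Chinese character starts at offset 2 of the file.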

After understanding the cause of the error, the first thing that came to mind was whether the site's Nginx configuration file contained Chinese. When I opened it, there were indeed Chinese comments. I deleted the comments and ran the command again.

The command then prompts you to choose whether to redirect all HTTP traffic to HTTPS; I chose "2", redirect everything.

Cleaning up challenges
Deploying Certificate to VirtualHost   // your site configuration file

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in   // this shows your website configuration file directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://kisstime.top

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=kisstime.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   .../fullchain.pem
   Your key file has been saved at:
   .../privkey.pem
   Your cert will expire on 2019-02-14. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again with the "certonly"
   option. To non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

OK, when the last step completes and the output above appears, the HTTPS configuration is successful! We can use the SSL Server Test URL from the output to test whether the site can be accessed over HTTPS:

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=kisstime.top

As it turned out, the rejoicing was premature... Running the test and visiting the domain directly showed that the site was not accessible. After thinking for a while, I checked whether port 443 was open on the server. I use an Alibaba Cloud server, and after logging in to the console and checking the security group rules, I found that port 443 was indeed not open.

Other

Nginx configuration notes

Basically, Certbot adds the following directives to the corresponding Nginx server block:

server {
    # ... other configs

    # SSL settings
    listen 443 ssl;

    # certificate chain and private key
    ssl_certificate .../fullchain.pem;
    ssl_certificate_key .../privkey.pem;

    # include basic SSL settings
    include .../options-ssl-nginx.conf;

    # Certbot also generates a Diffie-Hellman parameters file
    ssl_dhparam .../ssl-dhparams.pem;

    # ... other configs
}

Automatic Certificate Update

Let's Encrypt's free SSL certificates are very convenient, but each certificate is valid for only three months, so it must be renewed before it expires. Certbot already provides a one-line renewal command:

certbot renew

We can schedule automatic certificate renewal by adding a cron job (or systemd timer) for this command; the crontab below runs it at midnight and noon every day:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
0 0,12 * * * certbot renew --quiet

Log path of Certbot

The default Certbot log path is /var/log/letsencrypt.

Related third-party tools

Certbot-auto is a wrapper around the certbot script that sets up the system environment and upgrades itself automatically.

Resources

Newton once said: if I have seen further than others, it is because I have stood on the shoulders of giants.

  • certbot.eff.org/
  • linuxstory.org/deploy-lets…
  • blog.csdn.net/use_my_hear…
  • blog.hellojcc.tw/2018/05/02/…
