Most of these notes come from the Tencent Cloud documentation on SSL certificates.

Why use HTTPS

It is well known that HTTP is not a secure protocol: everything it carries (URLs, headers, cookies, form data) is transmitted in plaintext, so whoever intercepts the traffic reads it directly.

HTTPS -> S = SSL

SSL is the predecessor of the Transport Layer Security (TLS) protocol; the old name has stuck, which is why people still say "SSL certificate". HTTPS is HTTP carried over TLS: the TLS layer uses a certificate to verify the identity of the server and encrypts everything exchanged between the browser and the server.

Specific process:

TLS is optional and is used only when both the client and the server are configured for it. There are two main ways to arrange this: a dedicated port for the TLS-wrapped protocol (for example, 443 for HTTPS), or an in-protocol upgrade mechanism (for example STARTTLS, common in email) in which the client asks the server to switch the connection to TLS. Once client and server agree to use TLS, they negotiate a stateful connection for transferring data through a handshake [1]. During the handshake the client and server agree on the parameters of the secure connection:

  1. The client connects to a TLS-capable server and asks for a secure connection; the handshake begins with the client listing the cipher suites it supports (key exchange, encryption and hash algorithms).
  2. The server picks one cipher suite from that list and tells the client which one it chose.
  3. The server sends back its digital certificate, which typically contains the server's name, the certificate authority (CA) that issued it, and the server's public key.
  4. The client checks that the certificate is valid: signed by a CA it trusts, not expired, and issued for the host name it is connecting to.
  5. To establish a session key, the client generates a random secret, encrypts it with the server's public key and sends it to the server, which alone can decrypt it with its private key. (This is the RSA key exchange of older TLS versions. With ECDHE suites in TLS 1.2, and always in TLS 1.3, the two sides instead run an ephemeral Diffie-Hellman exchange and the server's key only signs; the secret is never encrypted to the server's public key, which is what gives forward secrecy.)
  6. From the exchanged random values both sides derive the same symmetric keys for encrypting and decrypting the session. That is the TLS handshake; from here until it is closed, the connection is protected. If any of the steps above fails, the handshake fails and the connection is torn down.
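Steps 1 and 2 as bytes on the wire, added here as an example (it is not part of the original notes or of any Tencent Cloud code): a TLS 1.2 ClientHello carrying the client's cipher-suite list and the ServerHello carrying the server's pick. The cipher-suite codepoints are the real IANA values; the server preference list, the weak-suite denylist and the omission of extensions (real TLS 1.2 hellos carry SNI and more, and TLS 1.3 negotiates its version and keys inside extensions) are simplifications chosen for the example.

```python
"""TLS 1.2 ClientHello / ServerHello: the cipher-suite negotiation of steps 1 and 2."""
import os
import struct

# Subset of the IANA cipher-suite registry (real codepoints), enough for the example.
CIPHER_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
# Example policy: the server refuses RC4 and 3DES even if the client offers them.
WEAK_SUITES = {0x0005, 0x000A}
# Example server preference, strongest first (ECDHE before static RSA: forward secrecy).
SERVER_PREFERENCE = [0xC030, 0xC02F, 0x009C]

TLS12 = 0x0303           # ProtocolVersion for TLS 1.2
RECORD_HANDSHAKE = 0x16  # record-layer ContentType "handshake"
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def _handshake_record(hs_type, body):
    """Wrap a handshake body in the 4-byte Handshake header and 5-byte record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, TLS12, len(handshake)) + handshake


def _unwrap_record(data, expected_type):
    """Check both headers and return the handshake body; anything inconsistent is rejected."""
    ctype, _version, rlen = struct.unpack("!BHH", data[:5])
    if ctype != RECORD_HANDSHAKE or len(data) != 5 + rlen:
        raise ValueError("malformed TLS record")
    hs_type, hs_len = data[5], int.from_bytes(data[6:9], "big")
    if hs_type != expected_type or hs_len != rlen - 4:
        raise ValueError("unexpected handshake message")
    return data[9:]


def build_client_hello(offered, client_random=None):
    """Step 1: the client lists the cipher suites it supports, in its own order."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in offered)
    body = (struct.pack("!H", TLS12) + client_random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
            + b"\x01\x00")                             # compression_methods: null only
    return _handshake_record(HS_CLIENT_HELLO, body)


def parse_client_hello(data):
    """Server side of step 1: pull version, random and the offered suites out of the bytes."""
    body = _unwrap_record(data, HS_CLIENT_HELLO)
    version, = struct.unpack("!H", body[:2])
    pos = 35 + body[34]                                # skip session_id (length byte at 34)
    suites_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": version, "random": body[2:34], "cipher_suites": suites}


def select_cipher_suite(offered, server_preference=SERVER_PREFERENCE):
    """Step 2: the server takes the first suite in *its* order that the client also offered."""
    offered = set(offered)
    for suite in server_preference:
        if suite in offered and suite not in WEAK_SUITES:
            return suite
    return None  # nothing in common: a real server sends a handshake_failure alert


def build_server_hello(chosen, server_random=None):
    """Step 2 on the wire: version, server random, empty session_id, chosen suite, null compression."""
    server_random = server_random or os.urandom(32)
    body = struct.pack("!H", TLS12) + server_random + b"\x00" + struct.pack("!H", chosen) + b"\x00"
    return _handshake_record(HS_SERVER_HELLO, body)


def parse_server_hello(data):
    """Client side of step 2: learn which suite the server picked."""
    body = _unwrap_record(data, HS_SERVER_HELLO)
    pos = 35 + body[34]
    return {"random": body[2:34], "cipher_suite": struct.unpack("!H", body[pos:pos + 2])[0]}


def negotiate(offered):
    """Both messages end to end; returns the agreed suite name or raises like a failed handshake."""
    chosen = select_cipher_suite(parse_client_hello(build_client_hello(offered))["cipher_suites"])
    if chosen is None:
        raise ValueError("handshake_failure: no cipher suite in common")
    return CIPHER_SUITES[parse_server_hello(build_server_hello(chosen))["cipher_suite"]]


if __name__ == "__main__":
    print(negotiate([0x0005, 0x009C, 0xC02F]))  # server prefers ECDHE over the client's RC4
    try:
        negotiate([0x0005, 0x000A])             # client offers only suites the server refuses
    except ValueError as exc:
        print(exc)
```

The choice is made in the server's preference order, not the client's; on Apache that is what SSLHonorCipherOrder on does. A client that offers nothing the server accepts gets a handshake_failure alert, which is the "connection is torn down" case of step 6.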

Transport layer security protocols

How do I obtain an SSL certificate

Tencent Cloud lets you apply for or purchase certificates. Not all certificates cost money: if you only need a certificate for a third-level domain name, a free DV (domain-validated) certificate is enough.

DV certificates seem to have been free only for third-level domains at one point, but free DV certificates are now available for second-level domains too.

For details on how to apply for a free domain-validated (DV) SSL certificate, see

Configure SSL

Tencent Cloud now offers one-click certificate configuration, but I think it is more fun to do it by hand.

Download the certificate

After the certificate is issued, go to Tencent Cloud > SSL Certificate > My Certificate > Issued > Certificate Details and download the certificate. Unzip it and open the folder for your server type, here Apache.

Upload the certificate

The Apache folder contains three files: the 1_root_bundle.crt certificate chain file, the 2_<your domain name>.crt certificate file, and the 3_<your domain name>.key private key file.

Check whether the /etc/httpd/ssl directory exists on the server; if not, create it with mkdir /etc/httpd/ssl.

Copy the files from your local machine to the /etc/httpd/ssl directory on the Apache server.

On a Mac (or any machine with OpenSSH), scp -r uploads the whole folder:

scp -r Apache <username>@hostname:/etc/httpd/ssl

The 3_<your domain name>.key file is the private key: once it is on the server, make sure only root can read it. httpd reads the key as root at startup, so nothing else needs access, and anyone who copies it can impersonate your site.

Logging In to the Server

Use SSH to log in. If you are brave, log in directly as root.

ssh <username>@hostname

By the way, I don't know why port 22 keeps getting brute-forced, so I have had to block it with the security group and then unblock it again. Changing the default SSH port seems like a better solution, and that is for the future!

Modifying a Configuration File

Warning: this is a long stretch of edits.

# In httpd.conf under /etc/httpd/conf, check whether this line is commented out and uncomment it if so
Include conf.modules.d/*.conf


# In 00-ssl.conf under /etc/httpd/conf.modules.d, check whether this line is commented out and uncomment it if so
# This line loads the SSL module
LoadModule ssl_module modules/mod_ssl.so


# If neither of the files above exists, check whether the mod_ssl module is installed
# If mod_ssl is not installed:
yum install mod_ssl

Edit ssl.conf in /etc/httpd/conf.d, replace the domain name and point the three certificate directives at the uploaded files (SSLEngine on is already in the stock ssl.conf; keep it):

<VirtualHost 0.0.0.0:443>
    DocumentRoot "/var/www/html"
    # Fill in your domain name
    ServerName <your domain name>
    SSLEngine on
    # Server certificate
    SSLCertificateFile /etc/httpd/ssl/2_<your domain name>.crt
    # Private key
    SSLCertificateKeyFile /etc/httpd/ssl/3_<your domain name>.key
    # CA chain
    SSLCertificateChainFile /etc/httpd/ssl/1_root_bundle.crt
</VirtualHost>

On Apache 2.4.8 and later SSLCertificateChainFile is deprecated (the chain is appended to the SSLCertificateFile instead); it still works on the Apache 2.4.6 that CentOS 7 ships.

Restart Apache immediately

The commands for controlling Apache vary from system to system. On CentOS (run apachectl configtest first, so a typo in ssl.conf does not take the site down):

# Start Apache
service httpd start
# Stop Apache
service httpd stop

HTTP automatically jumps to HTTPS

You can redirect all HTTP access to HTTPS to prevent insecure access.

# Edit httpd.conf in /etc/httpd/conf and check whether this line is present and uncommented
# If httpd.conf does not contain it, go to the next step
LoadModule rewrite_module modules/mod_rewrite.so

# If httpd.conf does not contain it,
# create a new *.conf file in /etc/httpd/conf.modules.d,
# for example 00-rewrite.conf, containing
LoadModule rewrite_module modules/mod_rewrite.so



<Directory "/var/www/html">
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>

The R flag on its own answers with a temporary (302) redirect; once you are sure the HTTPS site works, R=301 tells browsers and search engines that the move is permanent.
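Before restarting httpd it is worth checking the edited files mechanically. The script below is an added example, not the original notes' or Tencent Cloud's code: it reads the LoadModule lines from conf.modules.d (the mod_ssl and mod_rewrite steps above) and the :443 virtual host from ssl.conf, and reports what would make the restart fail or leave the key exposed: module not loaded, ServerName still the placeholder, SSLEngine off, certificate or chain file missing, private key readable by group or others. The run_demo function builds a throwaway layout of placeholder files (not real PEM) in a temporary directory so it runs without a server; on a real host call check_ssl_config with the contents of /etc/httpd/conf.d/ssl.conf and loaded_modules with the concatenated files from /etc/httpd/conf.modules.d.

```python
"""Pre-flight check for the mod_ssl / mod_rewrite edits before restarting httpd."""
import os
import stat
import tempfile
from pathlib import Path

REQUIRED_SSL_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
MODULES_OK = "LoadModule ssl_module modules/mod_ssl.so\nLoadModule rewrite_module modules/mod_rewrite.so\n"


def parse_directives(conf_text):
    """(name, value) for each active line; '#' comments are skipped, as httpd skips them."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def loaded_modules(modules_conf_text):
    """Module names from active LoadModule lines (00-ssl.conf, 00-rewrite.conf, ...)."""
    return {v.split()[0] for n, v in parse_directives(modules_conf_text) if n == "LoadModule"}


def vhost_blocks(directives):
    """Group directives by their enclosing <VirtualHost ...> block."""
    blocks, current = [], None
    for name, value in directives:
        if name.lower() == "<virtualhost":
            current = {"addr": value.rstrip(">"), "directives": {}}
        elif name.lower() == "</virtualhost>" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            current["directives"][name] = value.strip('"')
    return blocks


def check_ssl_config(conf_text, modules):
    """Return a list of problems; an empty list means the config looks safe to restart into."""
    problems = []
    directives = list(parse_directives(conf_text))
    if "ssl_module" not in modules:
        problems.append("mod_ssl is not loaded: uncomment LoadModule ssl_module in conf.modules.d")
    if any(n == "RewriteEngine" for n, _ in directives) and "rewrite_module" not in modules:
        problems.append("RewriteEngine is used but mod_rewrite is not loaded")
    for host in (h for h in vhost_blocks(directives) if h["addr"].endswith(":443")):
        d, addr = host["directives"], host["addr"]
        if d.get("SSLEngine", "").lower() != "on":
            problems.append(f"{addr}: SSLEngine on is missing")
        if "<" in d.get("ServerName", "<missing>"):
            problems.append(f"{addr}: ServerName is missing or still the placeholder")
        for directive in REQUIRED_SSL_DIRECTIVES:
            path = d.get(directive)
            if path is None:
                problems.append(f"{addr}: {directive} is missing")
            elif not os.path.isfile(path):
                problems.append(f"{addr}: {directive} points to a missing file: {path}")
        key = d.get("SSLCertificateKeyFile")
        if key and os.path.isfile(key):
            mode = stat.S_IMODE(os.stat(key).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anyone but the owner can read the key
                problems.append(f"{key}: private key is readable by group/others (mode {mode:o})")
    return problems


def run_demo():
    """Constructed scenario: placeholder cert/key/chain files (not real PEM) in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        paths = {f: os.path.join(root, f)
                 for f in ("1_root_bundle.crt", "2_example.com.crt", "3_example.com.key")}
        for p in paths.values():
            Path(p).write_text("placeholder\n")
        os.chmod(paths["3_example.com.key"], 0o600)
        conf = f"""<VirtualHost 0.0.0.0:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile {paths['2_example.com.crt']}
    SSLCertificateKeyFile {paths['3_example.com.key']}
    SSLCertificateChainFile {paths['1_root_bundle.crt']}
</VirtualHost>
<Directory "/var/www/html">
    RewriteEngine on
    RewriteCond %{{SERVER_PORT}} !^443$
    RewriteRule ^(.*)?$ https://%{{SERVER_NAME}}%{{REQUEST_URI}} [L,R]
</Directory>
"""
        good = check_ssl_config(conf, loaded_modules(MODULES_OK))
        # Usual mistakes: LoadModule lines still commented out, chain file never uploaded,
        # key left world-readable, ServerName placeholder never replaced.
        os.remove(paths["1_root_bundle.crt"])
        os.chmod(paths["3_example.com.key"], 0o644)
        bad = check_ssl_config(conf.replace("ServerName example.com", "ServerName <your domain name>"),
                               loaded_modules(MODULES_OK.replace("LoadModule", "#LoadModule")))
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("correct layout:", good or "no problems found")
    print("broken layout:", *bad, sep="\n  ")
```

The permission check matters because the key is read by root at startup only; a key that group or others can read adds nothing for httpd and hands anyone with a shell on the box the ability to impersonate the site.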

Restart Apache and the setup is complete!