amtoaer

晓风残月

Get a free Let's Encrypt wildcard certificate.

The domain name "jeasonlau.xyz" that I bought from GoDaddy last year is about to expire. However, I currently cannot afford the renewal, so I am considering migrating the website to the domain name "allwens.work".

Currently, the services under "jeasonlau.xyz" include my quiz-drill tool for the Ma Yuan and Mao Gai courses, RSSHub for subscribing to RSS feeds, and my personal Cloudreve cloud storage. If I migrate, I plan to host them under different subdomains, so I thought of trying to apply for a free wildcard certificate to see whether it is possible. To my surprise, I found a tutorial on how to do it.

Following the tutorial, the entire process took only ten minutes and was very convenient. This article mainly documents the application process. 😆

Installing acme.sh

Let's Encrypt's own documentation covers a number of clients and issuance methods, but the manual process is fairly involved. We will use acme.sh, a third-party ACME client written in plain shell, to simplify it.

First, install acme.sh. The installer is a script fetched over HTTPS and piped straight into a shell; if that makes you uneasy, download it first, read it, and then run it:

curl https://get.acme.sh | sh

The script performs the following operations:

  • Installs acme.sh to ~/.acme.sh/
  • Adds an alias acme.sh=~/.acme.sh/acme.sh to your shell profile, so the command is available as if it were on your PATH (open a new shell or source the profile to pick it up)
  • Installs a cron job that runs acme.sh once a day and renews each certificate when it comes within the renewal window (Let's Encrypt certificates are valid for 90 days; acme.sh renews them after 60 days by default)

Using DNS-API for Certificate Validation

Referring to the acme.sh documentation, we can see that there are many ways to validate domain names and obtain certificates. Since my server is not registered (no ICP filing), the HTTP-based methods (webroot and standalone, which answer the challenge over port 80) are not very convenient to use. In the end, I chose to use DNS-API for validation. For a wildcard certificate this is the only option anyway: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge.

DNS validation (the ACME DNS-01 challenge) proves control of a domain by publishing a TXT record named _acme-challenge.<domain> whose value is derived from a one-time token issued by the CA. In DNS-API mode, acme.sh adds that record through the DNS provider's API, asks the CA to check it, and deletes it again afterwards, so the whole validation runs unattended. This is what makes automated renewal possible, and also why the API key has to be allowed to edit records in the zone.
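The arithmetic behind that TXT record, shown here as an added example (not code from the original post or from acme.sh): given the ACME account key and the per-name tokens from the CA, it computes the record name and value that an ACME client publishes, following RFC 8555. The account key, tokens and domain in SAMPLE_JWK and SAMPLE_ORDER are constructed placeholders, not real ACME material. It also shows why issuing `-d allwens.work -d *.allwens.work` is convenient with an API: both names validate against the same record name, `_acme-challenge.allwens.work`, with two different values.

```python
# Added example (not from the original post or from acme.sh): the DNS-01
# arithmetic that acme.sh performs behind --dns dns_ali, per RFC 8555.
# The account key and tokens below are constructed placeholders.
import base64
import hashlib
import json

# Constructed sample account key (RSA public JWK). "n" is a made-up
# base64url string, not a real modulus; only its bytes matter here.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key-0123456789abcdefghijklmnopqrstuvwxyz",
    "alg": "RS256",                      # optional members must NOT affect the thumbprint
    "kid": "https://acme.example/acct/1",
}

# Constructed tokens, one per identifier in the order: the CA creates one
# authorization per name, so the base name and the wildcard get different tokens.
SAMPLE_ORDER = [
    ("allwens.work", "tokenForBaseName-0123456789abcdefghijklmnop"),
    ("*.allwens.work", "tokenForWildcard-0123456789abcdefghijklmnop"),
]


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of only the
    required public members (kty plus e/n for RSA, crv/x/y for EC),
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def txt_record_name(identifier: str) -> str:
    """The challenge record is _acme-challenge.<domain>. For a wildcard
    identifier the CA validates the base domain, so the leading '*.' is
    dropped: 'allwens.work' and '*.allwens.work' share one record name."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def txt_record_value(token: str, jwk: dict) -> str:
    """Key authorization is '<token>.<thumbprint>'; the TXT value is the
    base64url SHA-256 digest of that string (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_records(order, jwk) -> list:
    """(name, value) pairs the client must publish before asking the CA to
    validate. acme.sh adds them through the provider API and removes them
    once validation has finished."""
    return [(txt_record_name(ident), txt_record_value(token, jwk))
            for ident, token in order]


if __name__ == "__main__":
    for name, value in dns01_records(SAMPLE_ORDER, SAMPLE_JWK):
        print(f'{name}. IN TXT "{value}"')
```

Two things worth noticing: extra JWK members such as `alg` or `kid` do not change the thumbprint, so the value is stable across clients, and because both names resolve to the same `_acme-challenge` record, a leftover TXT record from an earlier run does not break validation (the CA accepts any record at that name that matches), but stale records are still worth deleting.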

Different providers require different API keys; the dnsapi section of the acme.sh wiki has instructions for each one. Here I will use Alibaba Cloud as an example.

  1. First, obtain an AccessKey ID and AccessKey Secret from the AccessKey management page of your Alibaba Cloud account. Rather than using the root account's key, create a RAM user that has only DNS permissions (the AliyunDNSFullAccess policy) and use that user's key: whoever holds this key can change any record in the zone, and can therefore pass the challenge and obtain certificates for the domain, so keep its blast radius small.

  2. Execute the following commands on the server (the values are placeholders; note that the secret also ends up in your shell history):

    export Ali_Key="<AccessKey ID>"
    export Ali_Secret="<AccessKey Secret>"

  3. Run the following command to obtain the certificate (using allwens.work as an example; the wildcard is quoted so the shell does not try to expand it as a glob):

    acme.sh --issue --dns dns_ali -d allwens.work -d '*.allwens.work'

    Since version 3.0, acme.sh defaults to ZeroSSL rather than Let's Encrypt; add --server letsencrypt if you want the Let's Encrypt certificate this post is about.

    After completion, the certificate files will be stored in ~/.acme.sh/allwens.work: allwens.work.cer is the leaf certificate, allwens.work.key the private key, ca.cer the intermediate and fullchain.cer the leaf plus intermediate. (Current acme.sh versions default to an ECC key, in which case the folder is named allwens.work_ecc.) The cron job installed earlier will renew the certificate in this folder automatically.

    I am currently not sure if an API is required for updates, so for safety, I added the command to create environment variables in step 2 to ~/.zshrc. This is actually unnecessary: acme.sh saves Ali_Key and Ali_Secret in ~/.acme.sh/account.conf on the first issue and reuses them for renewals, and the cron job does not read ~/.zshrc anyway, so the secret is better kept out of the shell profile.

Using the Certificate in a Web Server

Because I found the original path name too long, I first created a cert folder under /etc and created symbolic links there:

This step can be skipped. I just wanted to make the path shorter 🤣

sudo mkdir /etc/cert
# /etc/cert is owned by root, so the links need sudo too. Link fullchain.cer
# (leaf + intermediate) rather than the leaf-only allwens.work.cer, or clients
# will be served an incomplete chain.
sudo ln -s ~/.acme.sh/allwens.work/fullchain.cer /etc/cert/allwens.work.cer
sudo ln -s ~/.acme.sh/allwens.work/allwens.work.key /etc/cert/allwens.work.key

Note that the acme.sh README asks you not to use the files in ~/.acme.sh directly, because the folder layout may change; the documented alternative is acme.sh --install-cert, which copies the key and full chain to paths you choose and runs a reload command (--reloadcmd) after every renewal. The symlinks work for now, but a renewed certificate will only be picked up by nginx when it is reloaded.

Then, open the configuration file of the web server (using nginx as an example) and find the server block that needs the certificate. Note that "ssl on;" has been deprecated for a long time and removed from recent nginx releases; TLS is enabled on the listen directive instead:

# Cloudreve
server {
        server_name drive.allwens.work;
        location / {
                proxy_pass http://localhost:5212;
        }
        client_max_body_size 30g;
        # plain-HTTP requests that hit the TLS port are redirected to https
        error_page 497 =301 https://$http_host$request_uri;
        # Add the following content: "ssl" on the listen directive replaces the deprecated "ssl on;"
        listen 10000 ssl;
        # must be the full chain (acme.sh's fullchain.cer), not the leaf-only .cer
        ssl_certificate /etc/cert/allwens.work.cer;
        ssl_certificate_key /etc/cert/allwens.work.key;
}

Finally, test the configuration with nginx -t and then reload nginx:

nginx -s reload
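Before reloading, it is worth checking the two files nginx was just pointed at. The script below is an added example, not part of acme.sh or of the original post: it catches the two mistakes the symlink setup makes easy, pointing nginx at the leaf-only .cer instead of fullchain.cer (clients then see an incomplete chain) and leaving the private key readable by other local users. The /etc/cert paths are the ones used above; the PEM files used in its test are constructed.

```python
# Added example (not from the original post or from acme.sh): a pre-reload
# sanity check for the certificate and key files nginx is about to load.
import os
import re
import stat

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def count_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks; a full chain has at least two."""
    return len(CERT_BLOCK.findall(pem_text))


def check_tls_files(cert_path: str, key_path: str) -> list:
    """Return human-readable findings; an empty list means the pair is usable.
    Symlinks are followed, so the check applies to the real acme.sh files."""
    findings = []
    with open(cert_path, encoding="ascii", errors="replace") as f:
        n = count_certificates(f.read())
    if n == 0:
        findings.append(f"{cert_path}: no PEM certificate block found")
    elif n == 1:
        findings.append(f"{cert_path}: leaf certificate only; point nginx at "
                        "fullchain.cer so the intermediate is sent too")
    with open(key_path, encoding="ascii", errors="replace") as f:
        if not KEY_BLOCK.search(f.read()):
            findings.append(f"{key_path}: no PEM private key block found")
    mode = stat.S_IMODE(os.stat(key_path).st_mode)   # os.stat follows the symlink
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{key_path}: mode {mode:04o} grants group/other access; chmod 600")
    return findings


if __name__ == "__main__":
    import sys
    # Paths assumed from the symlinks created above.
    problems = check_tls_files("/etc/cert/allwens.work.cer", "/etc/cert/allwens.work.key")
    for p in problems:
        print("WARN", p)
    sys.exit(1 if problems else 0)
```

Run it as the user that owns the acme.sh files (or as root) right before nginx -s reload; a non-zero exit means fix the finding first. It does not verify that the key matches the certificate, which needs a crypto library; nginx -t reports that mismatch itself.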