banner
amtoaer

晓风残月

竹杖芒鞋轻胜马,谁怕?一蓑烟雨任平生。
github
x
telegram
steam
nintendo switch
email

Get a free Let's Encrypt wildcard certificate.

The domain name jeasonlau.xyz that I bought from GoDaddy last year is about to expire. However, recently I have been tight on budget and cannot afford to renew it. Therefore, I am considering migrating my website to the domain name allwens.work.

Currently, the services under the domain name jeasonlau.xyz mainly include my Marxist political theory and Mao Zedong Thought question brushing tool, RSSHub for subscribing to RSS feeds, and my personal cloud storage Cloudreve. If I migrate, I plan to host them under different subdomains. So, I thought of trying to apply for a free wildcard certificate and actually found a tutorial.

Following the tutorial, the whole process took less than ten minutes and was very convenient. This article mainly records the application process. 😆

Installing acme.sh#

Let's Encrypt provides a series of application method documents, but the process is quite complex. We will use a third-party tool called acme.sh to simplify the application process.

First, install acme.sh:

curl  https://get.acme.sh | sh

The script performs the following operations:

  • Installs acme.sh to ~/.acme.sh/;
  • Creates an alias acme.sh = ~/.acme.sh/acme.sh, achieving a similar effect to installing it in the environment variable;
  • Automatically creates a cronjob script to automatically check the certificate every day and update it if it is about to expire.

Using DNS-API to Verify and Obtain the Certificate#

Referring to the acme.sh documentation, we can find that there are many ways to verify the domain name to obtain the certificate. Since my server is not registered, the several web-based methods are not very convenient to use. In the end, I chose to use DNS-API for verification.

DNS verification refers to adding a specified txt record to the DNS resolution of your domain name to verify your ownership of the domain name. DNS-API automatically adds and deletes txt records using the API provided by the DNS provider to achieve automatic verification.

Different providers require different API keys. You can click here to view detailed tutorials. Here, I will use Alibaba Cloud as an example.

  1. First, obtain the AccessKey ID and AccessKey Secret from the API Management page of your Alibaba Cloud account.

  2. Execute the following command on the server:

    export Ali_Key=AccessKey ID
    export Ali_Secret=AccessKey Secret
    
  3. Run the following command to obtain the certificate (using allwens.work as an example):

    acme.sh --issue --dns dns_ali -d allwens.work -d *.allwens.work
    

    After completion, the certificate files will be stored in ~/.acme.sh/allwens.work, and acme.sh will automatically update the certificates in this folder.

    I am currently unsure if an API is required for updates, so for safety, I have also added the command to create environment variables in ~/.zshrc.

Using the Certificate in a Web Server#

Because I found the original path name too long, I first created a cert folder under /etc and created a symbolic link:

This step can be skipped. I just wanted to make the path shorter 🤣

sudo mkdir /etc/cert
cd /etc/cert
ln -s ~/.acme.sh/allwens.work/allwens.work.cer ./
ln -s ~/.acme.sh/allwens.work/allwens.work.key ./

Then, open the configuration file of the web server (using nginx as an example) and find the Server block where the certificate needs to be used:

# Cloudreve
server {
        server_name drive.allwens.work;
        location / {
                proxy_pass http://localhost:5212;
        }
        client_max_body_size 30g;
        error_page 497 =301 https://$http_host$request_uri;
        listen 10000;
        # Add the following content
        ssl on;
        ssl_certificate /etc/cert/allwens.work.cer;
        ssl_certificate_key /etc/cert/allwens.work.key;

Finally, reload the nginx configuration file:

nginx -s reload
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.