The domain name "jeasonlau.xyz" that I bought from GoDaddy last year is about to expire. However, I am currently unable to afford the renewal due to financial constraints. Therefore, I am considering migrating the website to the domain name "allwens.work".
Currently, the services under the domain name "jeasonlau.xyz" include my Ma Yuan Mao Gai brush tool, RSSHub for subscribing to RSS feeds, and my personal Cloudreve cloud storage. If I decide to migrate, I plan to host them under different subdomains. So, I thought of trying to apply for a free wildcard certificate to see if it is possible. Surprisingly, I found a tutorial on how to do it.
Following the tutorial, the entire process took only ten minutes and was very convenient. This article mainly documents the application process. 😆
Installing acme.sh
Let's Encrypt provides a series of documentation on various application methods, but the process is quite complex. We will use a third-party tool called acme.sh to simplify the application process.
First, install acme.sh:
curl https://get.acme.sh | sh
The script performs the following operations:
- Installs acme.sh to ~/.acme.sh/
- Creates an alias acme.sh=~/.acme.sh/acme.sh, which has a similar effect to adding it to your PATH
- Automatically creates a cron job that checks the certificate every day and renews it automatically if it is about to expire
Using DNS-API for Certificate Validation
Referring to the acme.sh documentation, we can see that there are many ways to validate domain names and obtain certificates. Since my server is not registered, the web-based methods are not very convenient to use. In the end, I chose to use DNS-API for validation.
DNS validation verifies domain ownership by adding a specified TXT record to your domain's DNS zone. DNS-API automates this: acme.sh adds and later deletes the TXT records through the API provided by your DNS provider, so validation runs without manual steps.
Different providers require different API keys; the acme.sh DNS API documentation has a detailed tutorial for each provider. Here, I will use Alibaba Cloud as an example.
1. First, obtain the AccessKey ID and AccessKey Secret from the API management page of your Alibaba Cloud account.
2. Execute the following commands on the server (substitute your own values; note that acme.sh saves these credentials to ~/.acme.sh/account.conf on first use, and that the exports end up in shell history unless the shell is configured otherwise):
export Ali_Key="<AccessKey ID>"
export Ali_Secret="<AccessKey Secret>"
3. Run the following command to obtain the certificate (using allwens.work as an example; the wildcard is quoted so the shell does not expand it as a glob):
acme.sh --issue --dns dns_ali -d allwens.work -d '*.allwens.work'
After completion, the certificate files will be stored in ~/.acme.sh/allwens.work, and acme.sh will automatically renew the certificates in this folder. I am currently not sure whether the API is required for renewals, so to be safe I added the export commands from step 2 to ~/.zshrc.
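What the dns_ali hook actually writes during step 3, as an added illustration that is not code from this post or from acme.sh: the DNS-01 record name and value as RFC 8555 and RFC 7638 define them, computed here with a constructed account key and constructed tokens. It also shows why the base name and its wildcard produce two TXT values at the same record name, which the DNS provider must be able to hold at once.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


# RFC 7638 thumbprint input: only the key type's required members,
# keys sorted lexicographically, no whitespace, UTF-8.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode("utf-8"))


def challenge_record_name(identifier: str) -> str:
    """'allwens.work' and '*.allwens.work' both validate at _acme-challenge.allwens.work."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url_sha256(key_authorization.encode("ascii"))


def plan_txt_records(identifiers, tokens, account_jwk):
    """One (record name, value) pair per identifier in the order; a base name
    plus its wildcard yield two values under the same name."""
    return [(challenge_record_name(i), dns01_txt_value(t, account_jwk))
            for i, t in zip(identifiers, tokens)]


# Constructed sample values: not a real account key and not real CA tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKENS = ["tok-for-base-name", "tok-for-wildcard"]

if __name__ == "__main__":
    for name, value in plan_txt_records(["allwens.work", "*.allwens.work"], SAMPLE_TOKENS, SAMPLE_JWK):
        print(f'{name} TXT "{value}"')
```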
Using the Certificate in a Web Server
Because I found the original path too long, I first created a cert folder under /etc and added symbolic links to it.
This step can be skipped. I just wanted to make the path shorter 🤣
sudo mkdir /etc/cert
cd /etc/cert
# /etc/cert is root-owned, so the links need sudo too
sudo ln -s ~/.acme.sh/allwens.work/allwens.work.cer ./
sudo ln -s ~/.acme.sh/allwens.work/allwens.work.key ./
# allwens.work.cer is the leaf certificate only; acme.sh also writes fullchain.cer
# (leaf + intermediate), which is what a web server should serve as ssl_certificate
sudo ln -s ~/.acme.sh/allwens.work/fullchain.cer ./
Then, open the configuration file of the web server (using nginx as an example) and find the server block where the certificate needs to be used:
# Cloudreve
server {
    server_name drive.allwens.work;
    location / {
        proxy_pass http://localhost:5212;
    }
    client_max_body_size 30g;
    # 497 = plain-HTTP request sent to the HTTPS port; redirect it to HTTPS
    error_page 497 =301 https://$http_host$request_uri;
    # Add the following content ("ssl on;" is deprecated since nginx 1.15.0 and
    # removed in later releases; enable TLS on the listen directive instead)
    listen 10000 ssl;
    ssl_certificate /etc/cert/allwens.work.cer;   # use fullchain.cer if you linked it
    ssl_certificate_key /etc/cert/allwens.work.key;
}
Finally, test and reload the nginx configuration:
nginx -t && nginx -s reload