The domain name "jeasonlau.xyz" that I bought from GoDaddy last year is about to expire. However, I am currently unable to afford the renewal due to financial constraints. Therefore, I am considering migrating the website to the domain name "allwens.work".
Currently, the services under the domain name "jeasonlau.xyz" include my Ma Yuan Mao Gai brush tool, RSSHub for subscribing to RSS feeds, and my personal Cloudreve cloud storage. If I decide to migrate, I plan to host them under different subdomains. So, I thought of trying to apply for a free wildcard certificate to see if it is possible. Surprisingly, I found a tutorial on how to do it.
Following the tutorial, the entire process took only ten minutes and was very convenient. This article mainly documents the application process. 😆
Installing acme.sh
Let's Encrypt provides a series of documentation on various application methods, but the process is quite complex. We will use a third-party tool called acme.sh to simplify the application process.
First, install acme.sh:
curl https://get.acme.sh | sh
The script performs the following operations:
- Installs
acme.shto~/.acme.sh/ - Creates an alias
acme.sh = ~/.acme.sh/acme.sh, which has a similar effect to installing it in the environment variable - Automatically creates a
cronjobscript to check the certificate every day and automatically update it if it is about to expire.
Using DNS-API for Certificate Validation
Referring to the acme.sh documentation, we can see that there are many ways to validate domain names and obtain certificates. Since my server is not registered, the web-based methods are not very convenient to use. In the end, I chose to use DNS-API for validation.
DNS validation refers to verifying domain ownership by adding a specified txt record to the DNS resolution of your domain. DNS-API automatically adds and deletes txt records using the API provided by the DNS provider, achieving automatic validation.
Different providers require different API keys. You can click here to view detailed tutorials. Here, I will use Alibaba Cloud as an example.
-
First, obtain the
AccessKey IDandAccessKey Secretfrom the API management of your Alibaba Cloud account. -
Execute the following command on the server:
export Ali_Key=AccessKey ID export Ali_Secret=AccessKey Secret -
Run the following command to obtain the certificate (using
allwens.workas an example):acme.sh --issue --dns dns_ali -d allwens.work -d *.allwens.workAfter completion, the certificate files will be stored in
~/.acme.sh/allwens.work, andacme.shwill automatically update the certificates in this folder.I am currently not sure if an API is required for updates, so for safety, I added the command to create environment variables in step 2 to
~/.zshrc.
Using the Certificate in a Web Server
Because I found the original path name too long, I first created a cert folder under /etc and created a symbolic link:
This step can be skipped. I just wanted to make the path shorter 🤣
sudo mkdir /etc/cert
cd /etc/cert
ln -s ~/.acme.sh/allwens.work/allwens.work.cer ./
ln -s ~/.acme.sh/allwens.work/allwens.work.key ./
Then, open the configuration file of the web server (using nginx as an example) and find the Server block where the certificate needs to be used:
# Cloudreve
server {
server_name drive.allwens.work;
location / {
proxy_pass http://localhost:5212;
}
client_max_body_size 30g;
error_page 497 =301 https://$http_host$request_uri;
listen 10000;
# Add the following content
ssl on;
ssl_certificate /etc/cert/allwens.work.cer;
ssl_certificate_key /etc/cert/allwens.work.key;
Finally, reload the nginx configuration file:
nginx -s reload