How to upgrade to HTTPS? A script to help you get it, free forever
- mackenziebullock06
- Jun 14, 2020
Many webmasters are now considering upgrading their sites from HTTP to HTTPS, not only for security reasons but also because of restrictions imposed by third-party platforms: Google Chrome marks HTTP sites as unsafe, WeChat mini programs must use HTTPS for the endpoints they access, and so on.
How do you upgrade an HTTP website to an HTTPS site?
The difference between HTTP and HTTPS
To secure data in transit, HTTPS adds the SSL protocol on top of HTTP. The SSL protocol relies on certificates to confirm the identity of the server and to encrypt the communication between the browser and the server. To upgrade HTTP to HTTPS, you only need to add a CA-issued certificate to the HTTP site.
There are currently two ways to obtain a CA certificate: buy a paid certificate, or obtain a free one.
Paid certificates are sold by CA service providers such as Alibaba Cloud, Tencent Cloud, and so on.
Paid certificates are not cheap. On the official Alibaba Cloud website, the price ranges from several thousand yuan to tens of thousands of yuan.
This is a big expense for small business platforms and for personal websites.
Let's Encrypt is a free, automated, and open certificate authority. The certificates it issues are valid for 3 months at a time, but as long as they are renewed continuously, they can essentially be used permanently.
The script recommended today, acme.sh, implements the ACME protocol and can continuously and automatically renew your certificate from Let's Encrypt. The download address is as follows:
https://github.com/Neilpang/acme.sh
Installing acme.sh
Installing acme.sh is very simple, just one command:
curl https://get.acme.sh | sh
Both ordinary users and root can install and use it. The installation process performs the following steps:
1. Install acme.sh into your home directory:
~/.acme.sh/
and create a bash alias for your convenience:
alias acme.sh=~/.acme.sh/acme.sh
2. Automatically create a cron job for you that checks all certificates at 0:00 every day. If a certificate is about to expire and needs to be renewed, it is renewed automatically.
The installation process does not pollute any functions or files of the existing system. All modifications are confined to the installation directory: ~/.acme.sh/
Generating a certificate
acme.sh implements all the verification methods supported by the ACME protocol. There are generally two kinds of verification: HTTP and DNS verification.
1. The HTTP method requires placing a file in the root directory of your website to verify ownership of the domain name. Once verification is complete, the certificate can be generated.
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/
acme.sh will automatically generate the verification file, place it in the root directory of your website, and then complete verification automatically. Finally, the verification file is cleanly deleted, with no side effects.
If you are using an apache server, acme.sh can also complete verification automatically from the apache configuration. You do not need to specify the root directory of the site:
acme.sh --issue -d mydomain.com --apache
If you are using an nginx server, or a reverse proxy, acme.sh can also complete verification automatically from the nginx configuration. You do not need to specify the root directory of the site:
acme.sh --issue -d mydomain.com --nginx
Note: In both apache and nginx mode, after completing verification acme.sh restores the previous state and does not change your own configuration without permission. The benefit is that you do not need to worry about the configuration being broken, but there is also a disadvantage: you have to set up the SSL configuration yourself, otherwise the certificate is generated successfully but your website still cannot be reached over HTTPS. For security, though, it is better that you change the configuration manually yourself.
If you are not running any web service and port 80 is free, acme.sh can act as a web server and listen on port 80 temporarily to complete verification:
acme.sh --issue -d mydomain.com --standalone
2. DNS mode: add a TXT record for the domain name to verify ownership of the domain name.
The advantage of this method is that you do not need any server or public IP address; a DNS record is all that is needed to complete verification. The disadvantage is that if the Automatic DNS API is not configured as well, acme.sh cannot renew the certificate automatically in this mode, and every time you have to add the record by hand and verify ownership of the domain name again.
acme.sh --issue --dns -d mydomain.com
acme.sh will then generate the corresponding DNS record and display it. You only need to add this TXT record in your domain name management panel.
After waiting for the DNS record to take effect, regenerate the certificate:
acme.sh --renew -d mydomain.com
Note: the second command uses --renew.
The real power of the DNS method is that you can use the API provided by your DNS provider to add the TXT record automatically and complete verification.
acme.sh currently supports automatic integration with dozens of DNS providers, such as cloudflare, dnspod, cloudxns, godaddy and ovh.
Copy/install the certificate
After the certificate has been generated, the next step is to copy it to where it is actually needed.
Note: By default, generated certificates are placed in the installation directory, ~/.acme.sh/. Do not use the files in this directory directly; for instance, do not point the nginx/apache configuration at the files in it. These files are for internal use, and the directory structure may change.
The correct approach is to use the --installcert command and specify the target location; the certificate files are then copied to the corresponding place, for instance:
acme.sh --installcert -d domain.com \
--key-file /etc/nginx/ssl/domain.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd 'service nginx force-reload'
As a small reminder, service nginx force-reload is used here, not service nginx reload. According to tests, reload does not reload the certificate, so force-reload is used.
In the Nginx configuration, ssl_certificate uses /etc/nginx/ssl/fullchain.cer instead of /etc/nginx/ssl/domain.cer; otherwise the SSL Labs test reports a "Chain issues: Incomplete" error.
The --installcert command accepts many parameters for specifying the target files. You can also specify a reloadcmd. When the certificate is renewed, the reloadcmd is called automatically so that the server picks up the new certificate.
It is worth noting that all the parameters specified here are recorded automatically and are applied again whenever the certificate is renewed automatically in the future.
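A check for the two mistakes described above (pointing nginx at files inside ~/.acme.sh/, and serving a certificate file that lacks the intermediate chain), as an added example that is not part of the original article or of acme.sh. The function name audit_nginx_conf, its output labels and the sample path in the last comment are made up for this example; it assumes unquoted paths without spaces in the ssl_certificate directives.

```shell
#!/bin/sh
# Added example (not from the article or acme.sh): audit the certificate
# files that an nginx configuration references.
#
# Findings, one per line on stdout:
#   INTERNAL_PATH    ssl_certificate points inside ~/.acme.sh/, whose files
#                    are internal and whose layout may change
#   UNREADABLE       the referenced file is missing or not readable
#   INCOMPLETE_CHAIN the file holds fewer than two PEM certificates, i.e. a
#                    leaf without its intermediate (domain.cer instead of
#                    fullchain.cer)
# Assumption: paths in the directives are unquoted and contain no spaces.

audit_nginx_conf() {
    conf=$1
    status=0
    # Take the argument of each ssl_certificate directive. Requiring
    # whitespace after the name excludes ssl_certificate_key; anchoring at
    # line start skips commented-out directives.
    paths=$(sed -n \
        's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' \
        "$conf")
    for p in $paths; do
        case $p in
            */.acme.sh/*)
                echo "INTERNAL_PATH $p"; status=1; continue ;;
        esac
        if [ ! -r "$p" ]; then
            echo "UNREADABLE $p"; status=1; continue
        fi
        # grep -c exits non-zero on zero matches but still prints 0.
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$p" || true)
        if [ "$n" -lt 2 ]; then
            echo "INCOMPLETE_CHAIN $p"; status=1
        fi
    done
    return "$status"
}

# Stand-alone use (hypothetical path): sh audit.sh /etc/nginx/conf.d/site.conf
if [ "$#" -gt 0 ]; then
    audit_nginx_conf "$1"
fi
```

The function returns 0 when every referenced certificate file is outside ~/.acme.sh/, readable, and contains at least two certificates, so it can gate a deployment step or run from cron next to the renewal job.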
Renewing the certificate
The certificate is renewed automatically after 60 days. You do not need to do anything. In the future this interval may be shortened, but since it is all automatic, you do not need to care.
Updating acme.sh
At present the ACME protocol and the Let's Encrypt CA are updated regularly, so acme.sh is also updated frequently to stay in sync.
Upgrade acme.sh to the latest version:
acme.sh --upgrade
If you do not want to upgrade manually, you can enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
After that, acme.sh keeps itself up to date automatically.
You can also turn off automatic upgrades at any time:
acme.sh --upgrade --auto-upgrade 0
What to do if something goes wrong
If something goes wrong, add the debug log:
acme.sh --issue ..... --debug
or:
acme.sh --issue ..... --debug 2
Finally, this article is not a complete manual, and there are many advanced features. For more advanced usage, please refer to the other wiki pages.
https://github.com/Neilpang/acme.sh/wiki