Overview

Redirect all HTTP requests for the site to HTTPS by default.

Protect connections to the web server with TLS, using a certificate issued by a publicly trusted CA (Let's Encrypt, obtained with acme.sh) so browsers accept it without warnings.

Free SSL Cert Install

acme.sh

  1. Install. Run the installer from the web (replace the address with your own; the CA uses it for expiry notices):

curl https://get.acme.sh | sh -s email=you@example.com

This pipes a remote script into your shell. If that is not acceptable, download the script and read it first, or clone the repository and run ./acme.sh --install as described in the installation guide.

The installer places acme.sh in ~/.acme.sh/ and adds an alias acme.sh=~/.acme.sh/acme.sh to your shell profile; open a new shell (or source the profile) before using the alias.

Ref installation guide: https://github.com/acmesh-official/acme.sh/wiki/How-to-install

  2. Change the default CA to Let's Encrypt. Recent versions of acme.sh use ZeroSSL as the default CA.

To make Let's Encrypt the default instead, run:

acme.sh --set-default-ca --server letsencrypt

Cloudflare API

Validation uses the DNS-01 challenge: the CA looks for a TXT record at _acme-challenge.<domain>, which acme.sh's dns_cf hook creates and removes through the Cloudflare API. A wildcard name such as *.itomhu.com can only be validated this way.

Create an API token under "Profile" -> "API Tokens"; its value becomes CF_Token.

Give the token only the permission it needs: Zone -> DNS -> Edit, restricted to the zone you are issuing for. Do not use the Global API Key, which grants full access to the whole account.

Find CF_Account_ID and CF_Zone_ID on the site's "Overview" page.

DO NOT SHARE ANY ID OR TOKEN INFORMATION. Whoever holds the token can change your DNS records. Note that acme.sh stores the token in ~/.acme.sh/account.conf after the first successful issue so that renewals run unattended, so protect that file as well.

Generate Cert

Create a cert.sh script. It contains the token, so keep it readable by root only (chmod 600 cert.sh):

#!/bin/bash

# Copy your token and IDs from the Cloudflare web UI
export CF_Token=""
export CF_Email=""        # only used with the legacy Global API Key (CF_Key); not needed with CF_Token
export CF_Account_ID=""
export CF_Zone_ID=""

# Issue one cert covering the apex and the wildcard.
# Validation modes are matched to the -d names in order: itomhu.com is
# validated with HTTP-01 through --nginx (acme.sh temporarily edits the
# nginx config), *.itomhu.com with DNS-01 through the Cloudflare hook.
# --dns dns_cf alone would also cover both names.
~/.acme.sh/acme.sh --issue --nginx -d itomhu.com -d "*.itomhu.com" --dns dns_cf \
--reloadcmd "systemctl reload nginx"

Running ./cert.sh (after chmod +x cert.sh) should end with output like:

......
[Thu Sep 16 09:39:12 UTC 2021] Cert success.
[Thu Sep 16 09:39:12 UTC 2021] Your cert is in: /root/.acme.sh/itomhu.com/itomhu.com.cer
[Thu Sep 16 09:39:12 UTC 2021] Your cert key is in: /root/.acme.sh/itomhu.com/itomhu.com.key
[Thu Sep 16 09:39:12 UTC 2021] The intermediate CA cert is in: /root/.acme.sh/itomhu.com/ca.cer
[Thu Sep 16 09:39:12 UTC 2021] And the full chain certs is there: /root/.acme.sh/itomhu.com/fullchain.cer
[Thu Sep 16 09:39:12 UTC 2021] Run reload cmd: systemctl reload nginx
[Thu Sep 16 09:39:12 UTC 2021] Reload success
[Thu Sep 16 09:39:12 UTC 2021] _on_issue_success
......
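As an added example, not from the original page or from the acme.sh project: a variant of cert.sh that keeps the Cloudflare token out of the script, refuses to run if the credentials file is readable by other users, validates both names with DNS-01, and copies the result out of ~/.acme.sh with acme.sh's --install-cert option. The paths /etc/acme/cloudflare.env and /etc/nginx/ssl/ are assumptions, not from the page; the script only calls acme.sh when invoked with the argument issue.

```bash
#!/bin/bash
# issue-cert.sh: added example, not part of the original page or of acme.sh.
# Issues a cert for the apex + wildcard with the Cloudflare DNS-01 hook,
# then installs it where nginx reads it. Assumed (not from the page):
# credentials live in /etc/acme/cloudflare.env as KEY=value lines, owned by
# root with mode 0600; nginx reads the cert from /etc/nginx/ssl/<domain>/.
set -eu

DOMAIN="itomhu.com"
ACME="${HOME:-/root}/.acme.sh/acme.sh"
CF_ENV="/etc/acme/cloudflare.env"          # assumed path
NGINX_SSL_DIR="/etc/nginx/ssl/$DOMAIN"     # assumed install location

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A credentials file must not be readable by group or others.
# Returns 0 when the mode is 600 or 400, 1 otherwise.
check_secret_perms() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Export CF_Token / CF_Account_ID / CF_Zone_ID from the env file, refusing
# a file other users could read. Only CF_Token is mandatory; CF_Email is
# not used with an API token.
load_cf_credentials() {
    if ! check_secret_perms "$CF_ENV"; then
        echo "refusing $CF_ENV: mode $(file_mode "$CF_ENV"), expected 600" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    set -a; . "$CF_ENV"; set +a
    if [ -z "${CF_Token:-}" ]; then
        echo "CF_Token is not set in $CF_ENV" >&2
        return 1
    fi
}

# DNS-01 for both names: the wildcard can only be validated via DNS, and
# once the Cloudflare hook works there is no reason to also use --nginx.
issue_cert() {
    "$ACME" --issue --dns dns_cf -d "$DOMAIN" -d "*.$DOMAIN"
}

# Copy the cert out of ~/.acme.sh (acme.sh documents that directory as
# internal) and record the reload command so renewals reload nginx too.
install_cert() {
    install -d -m 0750 -o root -g root "$NGINX_SSL_DIR"
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file       "$NGINX_SSL_DIR/privkey.pem" \
        --fullchain-file "$NGINX_SSL_DIR/fullchain.pem" \
        --reloadcmd      "systemctl reload nginx"
    chmod 0640 "$NGINX_SSL_DIR/privkey.pem"
}

main() {
    load_cf_credentials
    issue_cert
    install_cert
}

# Runs acme.sh only when asked explicitly:  sudo ./issue-cert.sh issue
if [ "${1:-}" = "issue" ]; then
    main
fi
```

After this, point ssl_certificate and ssl_certificate_key in the nginx config at the files under /etc/nginx/ssl/itomhu.com/ instead of the paths under /root/.acme.sh. acme.sh saves the token in its account.conf on the first successful issue, so the env file is only read at issue time; the cron job it installed handles renewals and re-runs the recorded --reloadcmd.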

Update Nginx Configuration

Edit File

Configuration file for the proxy Nginx:

root@Web:~# nano /etc/nginx/sites-enabled/default

server {
  listen 80;
  listen [::]:80;

  server_name itomhu.com *.itomhu.com;
  # Redirect HTTP to HTTPS. $host keeps the requested subdomain; with
  # $server_name every *.itomhu.com request would be sent to the apex.
  # $host comes from the client's Host header, so this block must not be
  # the catch-all for unknown names (see the note below).
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name itomhu.com *.itomhu.com;

#  root /var/www/html;
#  index index.html index.htm index.nginx-debian.html;

  # Cert paths as written by cert.sh. acme.sh documents ~/.acme.sh as an
  # internal directory and recommends copying the files out with
  # --install-cert; the nginx master process runs as root, so it can
  # read them here.
  ssl_certificate      /root/.acme.sh/itomhu.com/fullchain.cer;
  ssl_certificate_key  /root/.acme.sh/itomhu.com/itomhu.com.key;

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;   # tells the backend the client used HTTPS
    proxy_pass              http://172.29.0.6; # proxy to local NginxSSS service IP address (plain HTTP on the internal network)
  }
}

Note: if this is the only server block listening on port 80, Nginx also uses it for requests carrying any other Host header, and the redirect above would then send those clients to whatever host they named. Add a separate default_server block on port 80 that returns 444 (drops the connection) for unknown names. Once the redirect is confirmed working, also restrict ssl_protocols to TLSv1.2 TLSv1.3 and add a Strict-Transport-Security header in the 443 block so browsers stop trying HTTP first.

Cert Automation

The acme.sh installer adds a cron job (check with crontab -l) that runs acme.sh --cron once a day and renews any cert issued more than 60 days ago, using the DNS credentials and --reloadcmd saved when the cert was issued. No extra script is needed for routine renewal.

For a manual, immediate renewal (for example after rotating the token), create a renew.sh script:

#!/bin/bash

# Only needed after rotating the token: the values saved in
# ~/.acme.sh/account.conf at issue time are used otherwise.
export CF_Token=""
export CF_Email=""        # not used with CF_Token
export CF_Account_ID=""
export CF_Zone_ID=""

# --force renews even though the cert is not yet 60 days old. The
# validation modes and reload command were saved at issue time, so the
# --nginx/--dns/--reloadcmd flags only repeat what is already stored.
acme.sh --renew --force --nginx -d itomhu.com -d "*.itomhu.com" --dns dns_cf \
--reloadcmd "systemctl reload nginx"

Test

Open the site in a browser: the http:// URL should redirect to https:// with a 301 response, and the browser should show the padlock.

From a shell, curl -I http://itomhu.com/ shows the 301 status and the Location header, and curl -v https://itomhu.com/ shows the served certificate chain and whether it verified against the system trust store.
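The checks described above in script form, as an added example that is not part of the original page: check_redirect inspects captured response headers for a 301 whose Location is https:// on the same host, cert_valid_for_days uses openssl x509 -checkend on a PEM certificate, and live_check ties both to a real host with curl and openssl s_client. The 30-day threshold is an assumption, chosen because acme.sh renews 60 days into a 90-day Let's Encrypt certificate, so less than 30 days left means a renewal has been missed.

```bash
#!/bin/bash
# check-https.sh: added example, not part of the original page.
# Verifies what the Test section describes: port 80 answers with a 301 to
# https:// on the same host, and the certificate served on 443 is valid
# for long enough that the acme.sh cron renewal has not been missed.
# Parsing is kept separate from the network calls so it can be run on
# captured responses; the host name is an argument.
set -eu

# Read raw HTTP response headers on stdin; succeed only for a 301 whose
# Location is https:// on the expected host (apex or any path under it).
check_redirect() {
    host="$1"
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    if [ "$status" != "301" ]; then
        echo "expected 301, got ${status:-no status line}" >&2
        return 1
    fi
    case "$location" in
        "https://$host" | "https://$host/"*) return 0 ;;
        *) echo "Location is not https://$host/...: ${location:-missing}" >&2; return 1 ;;
    esac
}

# Succeed when the PEM certificate in $1 stays valid for at least $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Fetch the leaf certificate served for host $1 (using SNI) into PEM file $2.
fetch_served_cert() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

live_check() {
    host="$1"
    curl -sS -I --max-time 10 "http://$host/" | check_redirect "$host"
    tmp=$(mktemp)
    fetch_served_cert "$host" "$tmp"
    # 30-day threshold is an assumption: Let's Encrypt certs last 90 days and
    # acme.sh renews after 60, so under 30 days left means renewal is broken.
    if cert_valid_for_days "$tmp" 30; then
        echo "OK: $host redirects to HTTPS and the certificate is valid for more than 30 days"
        rm -f "$tmp"
    else
        echo "WARNING: certificate for $host expires within 30 days" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage: ./check-https.sh itomhu.com
if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

Run it from a machine outside the internal network so the public listener is what gets tested; the exit status is non-zero if either check fails, which makes it usable from a monitoring cron job.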