Preface
When building a website, one step you cannot avoid is providing HTTPS access from the outside. If DNS resolution and the CDN are on Cloudflare this is painless (compared with domestic cloud providers, Cloudflare needs very little configuration to get SSL working). If you use the CDN, SLB or similar products of a domestic cloud provider, or host the site directly on a cloud host, you have to face applying for an SSL certificate. Normally a Tencent Cloud personal account can apply for up to 50 free certificates (previously 20; raised to 50 from January 17, 2024, of which 30 can be bound to domains hosted at Tencent Cloud and 20 can be bound to any domain, the latter requiring Tencent Cloud V2 membership), and Alibaba Cloud offers 20 free certificates. At present a newly issued Tencent Cloud free certificate is still valid for 1 year (it is actually a 1-year TrustAsia certificate), as follows:
However, Alibaba Cloud's free certificates have been shortened to three months since November 14, 2023:
Tencent's 1-year free certificate is still worth having, but Alibaba Cloud's 3-month free certificate is genuinely pointless; you might as well use Let's Encrypt with automatic renewal (did it just go straight from TrustAsia's 1-year certificate to Let's Encrypt's 3-month one?).
Generally, if the origin server runs a Linux panel or NPM (Nginx Proxy Manager), automatic renewal of Let's Encrypt certificates on expiry is built in, or you can use nginx plus the acme.sh script to renew automatically. The troublesome part, however, is not the origin server but the Let's Encrypt certificates already uploaded as custom certificates to domestic cloud providers, such as the Let's Encrypt certificate I uploaded to Tencent Cloud:
The expiration date is April 6, only a few days away, and the certificate is associated with 12 resources (12 now; who knows how many in the future). I cannot regenerate and upload it every 3 months and then update the 12 associated resources; that would be exhausting. In fact, it was precisely because of this problem that I tried hard at the beginning to use Tencent Cloud's free 1-year certificates, but I used up the whole certificate quota on experiments (there were only 20 free certificates at that time, and even the 30 available now are not enough for me)... In the end I was forced to face the problem again (to be honest, the 20 one-year certificates at that time should be enough for normal people, but I am not normal).
So the only remaining problem is renewing, on expiry, the Let's Encrypt certificates uploaded to the cloud provider and already deployed to the associated resources (CDN, SLB, CLB, etc.). Solve that and you have truly achieved "SSL certificate freedom" and never need to care about "SSL certificate expired" again. Better still if the same solution could also handle, in one place, renewal of Let's Encrypt certificates deployed by other means. Is there such a thing? There is: the one-stop solution provided by OHTTPS.
OHTTPS
Let’s first look at the official introduction of OHTTPS:
From the description in the red box in the picture above, it can solve my headache (and this has been verified). In essence, OHTTPS reaches into each environment (Linux panels, cloud providers, cloud hosts, etc.) through the legitimate access methods those environments provide (APIs, SSH) and replaces the certificates there, so it needs a credential for each environment. Each such credential is effectively write access to that environment, so scope it as narrowly as the environment allows. Later I will describe the procedure for the two environments I use most (Baota Panel and Tencent Cloud CDN).
Register an OHTTPS account
Visit the OHTTPS website at https://ohttps.com/ and click Register in the upper right corner:
Fill in the registration email address and password, enter the email verification code, and click "Register" in the red box below:
Then comes the step of adding a domain. It is recommended to add a wildcard domain directly. Taking my idle domain tangwudi.xyz as an example, fill in:
*.tangwudi.xyz
then click "Next" in the red box in the lower right corner. There are two ways to verify the domain. The first is the "DNS-free authorization mode", which is actually CNAME delegation: add the record shown in the red box below to your DNS provider's console as a CNAME record:
The other, the "DNS authorization" mode, gives OHTTPS an API credential so it can operate your DNS provider's account directly:
The first method is safer (OHTTPS only ever controls the delegated `_acme-challenge` name, never your DNS account), the second is more convenient (with Cloudflare it requires the Global API Key, which grants access to the entire account, not a scoped token). Choose according to your preference.
Note 1: If you choose the first method, do not delete the CNAME record; otherwise future certificate renewals will fail.
Note 2: If you want to use services from domestic cloud providers, the domain must have an ICP filing (备案).
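To make the difference between the two modes concrete, here is an added example (my own illustration, not OHTTPS's code or records) of what the CA actually checks during an ACME dns-01 validation and why the CNAME record must stay in place: the CA computes the expected TXT value from the challenge token and the account key, looks up `_acme-challenge.<domain>`, follows any CNAME it finds, and compares. The RSA account key is the example key from RFC 7638; the token, the delegated target name `_acme-challenge.tangwudi-xyz.example-validator.net` and the in-memory record table are constructed stand-ins for real data:

```python
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the account key is the RSA example key from RFC 7638,
# the token and delegated name are hypothetical, none of this is OHTTPS's real data.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}
TOKEN = "A9R7a8hj3Ui4sE2vX-demoTokenOnly"                                # hypothetical
DELEGATED_NAME = "_acme-challenge.tangwudi-xyz.example-validator.net."  # hypothetical

Record = Tuple[str, object]  # ("CNAME", target) or ("TXT", [values])


def _b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value the CA expects (RFC 8555 section 8.4): base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return _b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """A wildcard is validated at its base name: *.tangwudi.xyz -> _acme-challenge.tangwudi.xyz."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."


def resolve_txt(name: str, records: Dict[str, Record], max_hops: int = 8) -> Optional[List[str]]:
    """Follow CNAMEs the way a resolver (and the CA) does, then return the TXT values found."""
    name = name.rstrip(".") + "."
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "CNAME":
            name = str(rdata)
            continue
        return list(rdata) if rtype == "TXT" else None
    return None  # CNAME loop or chain too long


def validation_would_succeed(domain: str, token: str, jwk: dict, records: Dict[str, Record]) -> bool:
    expected = dns01_txt_value(token, jwk)
    found = resolve_txt(challenge_name(domain), records) or []
    return expected in found


def build_records(txt_token: str, delegated: bool = True) -> Dict[str, Record]:
    """The provider writes the TXT in its own zone; only the CNAME lives in the customer's zone."""
    records: Dict[str, Record] = {DELEGATED_NAME: ("TXT", [dns01_txt_value(txt_token, ACCOUNT_JWK)])}
    if delegated:
        records["_acme-challenge.tangwudi.xyz."] = ("CNAME", DELEGATED_NAME)
    return records


def demo() -> Dict[str, bool]:
    """Delegation in place; CNAME deleted (Note 1 above); provider still serving an old token."""
    domain = "*.tangwudi.xyz"
    return {
        "with_cname": validation_would_succeed(domain, TOKEN, ACCOUNT_JWK, build_records(TOKEN, True)),
        "cname_deleted": validation_would_succeed(domain, TOKEN, ACCOUNT_JWK, build_records(TOKEN, False)),
        "stale_txt": validation_would_succeed(domain, "renewal-token", ACCOUNT_JWK, build_records(TOKEN, True)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the delegation is visible in `build_records`: the only thing in your zone is a CNAME, so the validation provider never needs credentials for your DNS account, while deleting that CNAME (the `cname_deleted` case) makes every later renewal fail exactly as Note 1 warns.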
After clicking "Create Certificate" in the red box in the lower right corner, go to step 3 to apply for a certificate:
After the application succeeds, download the private key file (first row) and the certificate file (third row) and keep them separately, then click "Manage Certificates" in the red box in the lower right corner:
Then officially enter the OHTTPS console:
Note: the certificate and private key files downloaded above are the Let's Encrypt certificate and private key just issued (valid for only 3 months from the creation time). Both files are needed whenever a custom certificate is imported into another deployment environment (Linux panel, cloud provider, cloud host, etc.), so keep them safe; the private key in particular should be stored with restricted permissions and only ever pasted into the environment that will serve it.
OHTTPS supports unified deployment and certificate update in the environment in the red box below:
As you can see, besides the commonly used cloud providers (Alibaba Cloud, Tencent Cloud, Qiniu Cloud, Baidu Cloud Acceleration), it also supports Baota Panel, Docker and SSH (i.e. cloud hosts), among others, so its coverage is quite broad.
The following is an example of the deployment process using two environments that I currently use: Baota Panel and Tencent Cloud.
Deploy OHTTPS node - Baota Panel
Configure the Baota Panel
Because OHTTPS must reach the Baota panel over the public Internet, for security you should first enable panel SSL, under "Panel Settings" - "Security Settings" - "Panel SSL Configuration":
Open the key and certificate files saved in the previous section with a text editor, copy the contents into the key box and certificate box respectively, and then click Save below:
Then go to "Panel Settings" - "API Interface":
Add "119.28.42.104" to the IP whitelist of the Baota panel API and note the interface key in the red box. The key gives whoever holds it full control of the panel's API, so keep the whitelist limited to this address and treat the key as a secret:
Note: I have turned the API interface option on, but for some reason (this seems to have existed since version 8.0.5) it shows as off even though it is on; if you click the switch, it prompts that it has been turned off, the opposite of the displayed status. I don't understand it.
Configure SSL for a Baota Panel site
Under "Website" - "PHP project", select the site that needs SSL. Taking "test.tangwudi.xyz" as an example, choose "Current Certificate" under "SSL", paste the contents of the previously saved private key and certificate files into the key box and certificate box respectively (just as when enabling panel SSL), and click "Save and Enable Certificate" in the red box below:
Later, you can also deploy directly from the "Certificate Folder" in the red box on the right:
Note: If the site serves HTTPS on a port other than the standard 443, you need to change it in the site's configuration file. For example, my HTTPS port is 55555, so I modified it as follows (remember to click Save at the bottom after the change):
Adding a Baota Panel site in OHTTPS
After completing the relevant configurations in the previous section on the Baota panel, you can deploy the Baota node in OHTTPS. Enter the OHTTPS console and click "Deploy Node" - "Add Node":
Select "Panel" in the Type field and select "Website SSL":
Fill in the Baota panel address as shown in the figure above. Note that if the panel uses a port other than 443, append :port to the address; fill in the API interface key recorded in the previous section; fill in the site name exactly as it appears in the panel (in this example "test.example.com"); then click "Next" to go to the certificate association interface and associate the certificate:
Select the certificate created previously and select "OK" in the red box in the lower right corner:
Select "Create Deployment Node" in the red box on the lower right:
Then in "Deployment Node", you can see that the website node has been deployed:
Deploy OHTTPS nodes - Tencent Cloud CDN
Note: The prerequisite for using a domestic CDN, including Tencent Cloud's, is that the domain has an ICP filing (备案). The following takes "test.tangwudi.xyz" as an example.
Get "SecretId" and "SecretKey"
Just as adding a Baota panel node requires the API key, adding a Tencent Cloud CDN node requires a "SecretId" and "SecretKey". I will not repeat how to obtain them here; the OHTTPS site has a detailed tutorial at https://ohttps.com/docs/cloud/tcloud/ssl. Create these as the keys of a CAM sub-user granted only the SSL certificate and CDN permissions the deployment needs, rather than the root account's keys, so that a leaked key cannot touch anything else.
Upload custom certificates to Tencent Cloud
Enter Tencent Cloud's "Console" - "SSL Certificate" - "Upload Certificate":
In the figure below, upload the previously saved Let's Encrypt certificate by clicking Upload or by pasting the certificate and private key contents into the red boxes, then click "OK" in the red box at the bottom to upload it to Tencent Cloud's "My Certificates":
Then you can see the certificate you just uploaded in "Upload Certificate":
Configure the HTTPS service and associated certificate for the accelerated domain in Tencent Cloud CDN
The other steps for configuring the accelerated domain are omitted; only the HTTPS part is covered here. Enable the "HTTPS" service in the red box and configure the certificate, as shown below:
Select the certificate uploaded in the previous section (my idle domain has no ICP filing, so it cannot be used here; I use my ICP-filed domain to demonstrate the interface), then click "OK" in the red box below:
Finally, click "Submit all configurations" in the red box at the bottom:
Note: Don’t forget to configure the domain name’s CNAME in the domain name provider’s DNS console to point to Tencent Cloud’s acceleration address. If the domain name was originally purchased from Tencent Cloud, it’s simple. Just click “One-click deployment” CNAME, as shown below:
Add Tencent Cloud CDN node in OHTTPS
Similar to adding the Baota panel node earlier:
Select "Tencent Cloud" and "CDN" in the Type field, then fill in the relevant information as shown below, and click "Next" in the red box on the lower right:
The subsequent steps are the same as adding the pagoda panel node before:
Then in "Deploy Node", you can see that the Tencent Cloud CDN node has been deployed:
I won’t go into details about how to add other environment nodes, they are all similar. You can also refer to the official tutorials.
Configure the automatic renewal time before the certificate expires
In the "Certificate Management" interface of the OHTTPS console you can set, per certificate, the "Automatic notification time before expiration", the "Automatic renewal time before expiration", and whether to deploy automatically. Select "Configure" in the red box on the far right of the certificate whose parameters need to be changed:
In the configuration interface you can change the notification time before expiry, the automatic renewal time before expiry, and whether to deploy automatically after renewal (the automatic deployment presumably refers to the cloud-provider environments, because those have a separate SSL certificate object to update, whereas the Baota panel only offers website SSL and panel SSL, so only those two can be updated there). Nodes that should be deployed together can be added in the red box on the right. After completing the configuration, click "Confirm Modification" in the red box at the bottom:
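As an added example (not OHTTPS's code), the following script reproduces the renewal-window logic described above and can be pointed at every hostname that carries the certificate (the CDN domains, the panel sites on their non-standard ports, and so on) to confirm that the certificate actually served was replaced after a renewal, which is the check the 12 associated resources from the preface really need. The thresholds, hostnames and sample expiry dates are my assumptions:

```python
import datetime as dt
import socket
import ssl
from typing import Dict, Optional, Tuple

# Assumed thresholds mirroring the two OHTTPS settings discussed above (values are my choice).
RENEW_BEFORE_DAYS = 30   # start renewing this many days before notAfter
NOTIFY_BEFORE_DAYS = 7   # still not renewed this close to expiry means renewal or deployment failed


def utc(year: int, month: int, day: int) -> dt.datetime:
    """Helper for a fixed, timezone-aware 'now' so the logic can be tested offline."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def days_left(not_after: str, now: Optional[dt.datetime] = None) -> float:
    """not_after is in the OpenSSL / ssl.getpeercert() text format, e.g. 'Apr  6 00:00:00 2024 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or dt.datetime.now(dt.timezone.utc)).timestamp()
    return (expiry - now_ts) / 86400


def status(not_after: str, now: Optional[dt.datetime] = None,
           renew_before: int = RENEW_BEFORE_DAYS, notify_before: int = NOTIFY_BEFORE_DAYS) -> str:
    """ok -> renew -> alert -> expired, in the order a certificate passes through them."""
    d = days_left(not_after, now)
    if d <= 0:
        return "expired"
    if d <= notify_before:
        return "alert"      # the renewed certificate should already be deployed here
    if d <= renew_before:
        return "renew"
    return "ok"


def renewals_per_year(validity_days: int = 90, renew_before: int = RENEW_BEFORE_DAYS) -> float:
    """Each certificate is replaced after validity_days - renew_before days (90 - 30 = 60 -> about 6 a year)."""
    return 365 / (validity_days - renew_before)


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: connect with SNI, verify the chain, and read notAfter from the certificate served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit(not_afters: Dict[str, str], now: Optional[dt.datetime] = None) -> Dict[str, Tuple[str, float]]:
    """Map each target to (status, days_left). Feed it fetch_not_after() results or values copied from a console."""
    return {name: (status(na, now), round(days_left(na, now), 1)) for name, na in not_afters.items()}


if __name__ == "__main__":
    # Constructed sample values, not live data; replace with {t: fetch_not_after(*t.rsplit(":", 1)) ...}.
    sample = {
        "test.tangwudi.xyz:443": "Apr  6 00:00:00 2024 GMT",
        "panel.example:55555": "Jun 30 00:00:00 2024 GMT",
    }
    for target, (state, days) in audit(sample, now=utc(2024, 4, 1)).items():
        print(f"{target:28s} {state:8s} {days:6.1f} days left")
```

`fetch_not_after` deliberately keeps chain verification on: a host that serves a certificate the public roots do not trust raises `ssl.SSLCertVerificationError` instead of returning a date, and for a public-facing hostname that is itself the finding you want. A reading of "renew" on a host that OHTTPS reports as already renewed means the new certificate was issued but not deployed to that resource.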
Usage Fees
OHTTPS is not free, the official charging instructions are as follows:
Based on the default of 6 renewals a year per node (90-day validity with renewal 30 days before expiry, i.e. a new certificate roughly every 60 days), the cost is 25 × 6 ÷ 100 = 1.5 yuan per node per year. With 20 nodes that is 30 yuan. For comparison, the cheapest personal wildcard certificate on Tencent Cloud costs:
There is still a big gap between 30 yuan and 1385 yuan, and most people do not have 20 nodes. How many nodes do I have now?
32; counting it as 40 (I will add more), 1.5 × 40 = 60 yuan a year, which is acceptable.
Afterword
In fact, Tencent Cloud's quota of 50 free certificates (30 single-domain certificates for domains at Tencent Cloud, plus 20 single-domain certificates for any domain for V2 members) is quite generous. My ICP-filed domain is on Tencent Cloud's DNSPod, so I now have 30 free one-year certificates. Honestly, with a bit of planning that is enough for ordinary people. But if you do a lot of testing or often have new ideas, 30 may not be. What worries me is that once those 30 certificates are in heavy use, imported and used in many locations, replacing them once a year is no small chore. That is where OHTTPS shows its advantage: one-stop management and renewal of certificates in every location, at a very low price. For example, I now use site certificates on the Baota panel as the reverse proxy at the main exit of my home data center, site certificates on the Baota panel as the reverse proxy on a Tencent Cloud lightweight host, plus unified renewal of Tencent Cloud SSL certificates and CDN domain certificates, so there are as many as 32.
There is actually another problem: the 1-year free single-domain certificates applied for on Tencent Cloud DNSPod and the certificates obtained automatically via Let's Encrypt using DNSPod for DNS validation are both TrustAsia-range certificates, so they share the limit of 20 hostnames under one root domain:
This led to an awkward situation for me: when the quota of 20 free 1-year certificates on Tencent Cloud ran out, the sites on my Baota panel could no longer get certificates via Let's Encrypt either, because the quota of 20 free certificates was used up. Even now that Tencent Cloud offers 30 free certificates it does not help, because of TrustAsia's limit of at most 20 free certificates per root domain; the extra 10 can only be used on other root domains at Tencent Cloud (if you have any).
But OHTTPS can solve this problem, because OHTTPS applies directly to Let's Encrypt for its certificates (issued under R3, one of the intermediate certificates in Let's Encrypt's chain, which is what signs the server certificate and lets clients verify it), so it is not subject to TrustAsia's 20-certificates-per-root-domain limit:
OHTTPS's limits are essentially Let's Encrypt's own rate limits (for example, 50 certificates per registered domain per week).
In short, Tencent Cloud's 1-year single-domain free certificate is still very attractive. With few sites, few deployment locations and low management cost, 30 free certificates are enough. For many sites with many deployment locations, OHTTPS comes into its own.
Addendum 1: I recently optimized the deployment nodes on OHTTPS and deleted all those related to the Baota panel, because the sites on my Baota panel are all used as the origin HOST for Tencent Cloud CDN, and Tencent Cloud CDN does not check the validity of the origin server's certificate when using HTTPS back-to-origin. Taking advantage of this, I replaced all the site SSL certificates on the Baota panel with 15-year certificates (directly using the 15-year certificate signed by Cloudflare; of course you could also issue a longer-lived certificate yourself), once and for all, saving a few dozen yuan a year in OHTTPS automatic renewal fees...
Addendum 2: I was being stupid before, adding so many Tencent CDN deployment nodes, when I only needed to point all the domains on Tencent CDN to the same wildcard certificate and then just renew that one certificate...