User guide for OHTTPS, a one-stop SSL certificate management tool
This article was last updated 148 days ago. Its contents may since have changed; if anything no longer works, please leave a message in the comments.

Preface

Usually, when we build a website, one step we cannot avoid is providing HTTPS access to the outside world. If DNS resolution and the CDN are handled by Cloudflare, that is easy (compared with domestic cloud providers, Cloudflare needs very little configuration for SSL). If you use the CDN, SLB and similar services of domestic cloud providers, or host the site directly on a cloud host, you must face the problem of applying for an SSL certificate. Normally, a Tencent Cloud personal account can apply for up to 50 free certificates (previously 20; raised to 50 starting January 17, 2024, of which 30 free certificates can be bound to Tencent Cloud domain names and 20 can be bound to domain names anywhere on the Internet, although the latter require Tencent Cloud V2 membership), and Alibaba Cloud offers 20 free certificates. At present, a newly applied Tencent free certificate is still valid for 1 year (it is actually TrustAsia's 1-year certificate), as follows:

image.png

However, Alibaba Cloud's free certificates have been changed to three months of validity, starting from November 14, 2023:

image.png

Tencent's 1-year free certificate is still valuable, but Alibaba Cloud's 3-month free certificate is really pointless; one might as well use Let's Encrypt with automatic renewal (or does this simply mean switching from TrustAsia's 1-year certificate to Let's Encrypt's 3-month one?).

Generally, if the origin server runs a Linux control panel or NPM, it supports Let's Encrypt's automatic renewal feature, or renewal can be automated with nginx plus the acme.sh script. The troublesome part, however, is not the origin server but the custom Let's Encrypt certificate already uploaded to a domestic cloud provider, such as the Let's Encrypt certificate I uploaded to Tencent Cloud:

image.png

The expiration date is April 6, only a few days away, and the certificate is associated with 12 resources (12 for now; who knows how many in the future). I cannot regenerate and upload it every 3 months and then update the 12 associated resources; that would be exhausting. In fact, it was precisely because of this problem that I tried my best to use Tencent Cloud's free 1-year certificates at the beginning, but I used up the whole certificate quota on experiments (there were only 20 free certificates at the time, and even the 30 available now are not enough for me)... In the end I was forced to face this problem again (to be honest, the 20 1-year certificates back then should be enough for normal people, but I am not normal).

The only problem left to solve is the renewal of Let's Encrypt certificates that have been uploaded to the cloud provider and deployed to related resources (CDN, SLB, CLB, etc.). Solving this would truly achieve "SSL certificate freedom", with no more worrying about expired SSL certificates. Ideally, the same solution would also renew Let's Encrypt certificates deployed in other ways, all in one place. Is there such a solution? Yes, there is: OHTTPS's one-stop solution.

OHTTPS

Let’s first look at the official introduction of OHTTPS:

image.png

The description in the red box above says it can solve my headache (and it has indeed proved to do so). In essence, OHTTPS reaches into each environment (Linux panels, cloud providers, cloud hosts, etc.) through the legitimate access channels that environment provides, such as its API or SSH, and updates the certificate there, so it needs API credentials for each environment. Later I will describe the procedure for the two environments I use most: the Baota panel and Tencent Cloud CDN.

Register an OHTTPS account

Visit the OHTTPS official website, https://ohttps.com/, and click Register in the upper right corner:

image.png

Fill in the email address and password to register with, obtain the email verification code, and click "Register" in the red box below:
image.png

Next comes the step of adding a domain name. It is recommended to add a wildcard domain name directly. Taking my idle domain tangwudi.xyz as an example, enter *.tangwudi.xyz, then click "Next" in the red box in the lower right corner:
image.png

There are two ways to verify a domain name. The first is the "DNS-free authorization mode", which is really the CNAME method: add the record shown in the red box below as a CNAME in the domain name provider's console:
image.png

The other, "DNS authorization" mode, gives OHTTPS direct API access to the domain name provider's console:
image.png

The first method is safer and the second is more convenient (for Cloudflare, the second method needs the Global API key). Choose according to your preference.

Note 1: If you choose the first method, do not delete the CNAME record later; otherwise future certificate renewals will fail.

Note 2: If you want to use services provided by domestic cloud providers, the domain name must have completed ICP filing (备案).

After clicking "Create Certificate" in the red box in the lower right corner, go to step 3 and apply for the certificate:

image.png

After the application succeeds, download the private key file from the first line and the certificate file from the third line and save them separately, then click "Manage Certificates" in the red box in the lower right corner:
image.png

Then officially enter the OHTTPS console:
image.png

Note: The certificate and private key files downloaded above are the actual Let's Encrypt certificate and private key issued to you (valid for only 3 months from the creation date). You will need these two files whenever you import a custom certificate into another deployment environment (Linux panel, cloud provider, cloud host, etc.), so keep them safe.

OHTTPS supports unified deployment and certificate renewal in the environments shown in the red box below:

image.png

As you can see, the supported cloud providers cover the common ones (Alibaba Cloud, Tencent Cloud, Qiniu Cloud, Baidu Cloud Acceleration), and there are also the Baota panel, Docker, SSH (i.e. cloud hosts) and more, so the coverage is quite broad.

Below, the deployment process is illustrated with the two environments I currently use: the Baota panel and Tencent Cloud CDN.

Deploy an OHTTPS node: Baota panel

Configure the Baota panel

Because OHTTPS must reach the Baota panel over the public Internet, for security you should first enable the panel's SSL under "Panel Settings" - "Security Settings" - "Panel SSL Configuration":

image.png

Open the private key and certificate files saved in the previous section in a text editor, paste their contents into the key box and the certificate box respectively, and click Save below:
image.png

Then go to "Panel Settings" - "API Interface":
image.png

Add "119.28.42.104" to the IP whitelist of the Baota panel API and note down the interface key in the red box:

image.png

Note: I have turned on the API interface option, but for some reason this problem seems to have existed since version 8.0.5: it is turned on, yet it shows as not turned on, and if you click the switch it says it has been turned off, the opposite of the displayed status. I don't understand it.

Configure SSL for a Baota panel site

Under "Website" - "PHP", select the site that needs SSL. Taking the site "test.tangwudi.xyz" as an example, select "Current Certificate" under "SSL", paste the contents of the previously saved private key and certificate files into the key box and certificate box respectively, exactly as when enabling the panel SSL, and click "Save and Enable Certificate" in the red box below:

image.png

Later you can also deploy directly from the "Certificate Folder" in the red box on the right:
image.png

image.png

Note: If the site publishes HTTPS on a port other than the standard 443, you need to change it in the site's configuration file. For example, my HTTPS port is 55555, so I changed it as follows (remember to click Save at the bottom afterwards):

image.png

Adding a Baota panel site in OHTTPS

After completing the Baota panel configuration in the previous section, you can deploy the Baota node in OHTTPS. Enter the OHTTPS console and click "Deploy Node" - "Add Node":

image.png

Select "Panel" in the Type field and choose "Website SSL":
image.png

Fill in the Baota panel address as shown in the figure above; note that if the panel runs on a port other than 443, append :port to the address. Fill in the API interface key recorded in the previous section and the website name exactly as configured on the panel (in this example "test.example.com"), then click "Next" to enter the associated-certificate interface and add the certificate:
image.png

Select the certificate created previously and select "OK" in the red box in the lower right corner:
image.png

Select "Create Deployment Node" in the red box on the lower right:
image.png

Then in "Deployment Node", you can see that the website node has been deployed:
image.png

Deploy an OHTTPS node: Tencent Cloud CDN

Note: The prerequisite for using a domestic CDN, including Tencent Cloud's, is that the domain name has completed ICP filing. The following takes "test.tangwudi.xyz" as an example.

Get "SecretId" and "SecretKey"

Just as adding a Baota panel node in the previous section requires an API key, adding a Tencent Cloud CDN node requires a "SecretId" and "SecretKey". I will not go into how to obtain them here; the OHTTPS official website has a detailed tutorial at https://ohttps.com/docs/cloud/tcloud/ssl.

Upload custom certificates to Tencent Cloud

Enter Tencent Cloud's "Console" - "SSL Certificate" - "Upload Certificate":

image.png

image.png

In the image below, upload the previously saved Let's Encrypt certificate by clicking "Upload" or by pasting the certificate and private key contents into the red boxes, then click "OK" in the bottom red box to upload it to "My Certificates" on Tencent Cloud.
image.png

Then you can see the certificate you just uploaded in "Upload Certificate":
image.png

Configure the HTTPS service and associated certificate for the accelerated domain name in Tencent Cloud CDN

The other steps of configuring the accelerated domain name are omitted; only the HTTPS part is covered here. Enable the "HTTPS" service in the red box and configure the certificate, as shown below:

image.png

Select the certificate uploaded in the previous section (my idle domain name has no ICP filing, so it cannot be used here; I use my ICP-filed domain name to demonstrate the interface instead), and then select "OK" in the red box below:
image.png

Finally, click "Submit all configurations" in the red box at the bottom:
image.png

Note: Don't forget to add a CNAME for the domain name in the domain name provider's DNS console pointing to Tencent Cloud's acceleration address. If the domain name was purchased from Tencent Cloud, this is simple: just click "One-click deployment" for the CNAME, as shown below:
image.png

Add Tencent Cloud CDN node in OHTTPS

Similar to adding the Baota panel node earlier:

image.png

Select "Tencent Cloud" and "CDN" in the Type field, then fill in the relevant information as shown below, and click "Next" in the red box on the lower right:
image.png

The subsequent steps are the same as when adding the Baota panel node:
image.png

image.png

Then in "Deploy Node", you can see that the Tencent Cloud CDN node has been deployed:
image.png

I won’t go into details about how to add other environment nodes, they are all similar. You can also refer to the official tutorials.

Configure the automatic renewal time before the certificate expires

In the "Certificate Management" interface of the OHTTPS console, you can set a certificate's "Automatic Notification Time Before Expiration", "Automatic Renewal Time Before Expiration", and whether it is deployed automatically. In that interface, select "Configure" in the red box on the far right of the certificate whose parameters need changing:

image.png

In the configuration interface, you can directly change the notification time before expiry, the automatic renewal time before expiry, and whether to deploy automatically after renewal (this automatic deployment after renewal presumably refers to the CDN environment, because the CDN environment has a separate SSL certificate option, while the Baota panel only has two options, website SSL and panel SSL, so presumably only those two can be updated). The nodes that should be deployed together can be added directly in the red box on the right. After completing all settings, click "Confirm Modification" in the red box at the bottom:
image.png

Usage Fees

OHTTPS is not free; the official pricing is as follows:

image.png

With the default settings, one node is renewed 6 times a year (90 days of validity, renewed 30 days before expiry, i.e. one renewal every 60 days), which costs 25 × 6 ÷ 100 = 1.5 yuan. For 20 nodes that is 30 yuan. By comparison, the cheapest personal wildcard certificate on Tencent Cloud costs:
image.png

There is a big gap between 30 yuan and 1385 yuan, and most people don't have 20 nodes anyway. How many nodes do I have now?
image.png

32 nodes; counting them as 40 (I will add more), 1.5 × 40 = 60 yuan a year, which is acceptable.
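As an added example (not OHTTPS code and not from this post), the script below covers two things the renewal-settings section and the fee calculation above leave as manual work: it checks, for each deployment location, which certificate is actually being served and whether it already sits inside the "renew N days before expiry" window configured in the OHTTPS console, and it derives renewals-per-year and annual cost from the validity and renew-before values used in the calculation above. It uses only the Python standard library. The endpoint labels, dates and the 25-fen-per-renewal price used by the cost function are constructed for illustration or taken from this post's own figures, not from OHTTPS documentation.

```python
"""Audit served certificates against an OHTTPS-style renewal window.

Added example, not part of OHTTPS or of this post. Standard library only.
The sample records, dates and prices below are constructed for illustration.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def parse_cert_time(text: str) -> datetime:
    """Parse an OpenSSL-style time such as "Apr  6 00:00:00 2024 GMT", which is
    the format ssl.SSLSocket.getpeercert()["notAfter"] returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def classify(not_after: datetime, renew_before_days: int, now: datetime) -> str:
    """Map remaining lifetime onto the console setting "renew N days before expiry"."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining <= timedelta(days=renew_before_days):
        return "RENEW_DUE"
    return "OK"


def audit_records(records, renew_before_days: int, now: datetime):
    """Pure logic over (label, notAfter-string) pairs.
    Returns (label, state, days_left) rows, most urgent first."""
    rows = []
    for label, not_after_text in records:
        not_after = parse_cert_time(not_after_text)
        rows.append((label, classify(not_after, renew_before_days, now), (not_after - now).days))
    return sorted(rows, key=lambda row: row[2])


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with full chain and hostname verification, as a browser would,
    and return the served leaf's notAfter. An expired leaf, a chain missing its
    intermediate, or a certificate deployed under the wrong hostname raises
    ssl.SSLCertVerificationError instead of being reported as healthy."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit_live(endpoints, renew_before_days: int):
    """Network version: endpoints are (label, host, port). Problems are returned
    as rows rather than skipped, so a failed auto-deploy cannot hide."""
    now = datetime.now(timezone.utc)
    rows = []
    for label, host, port in endpoints:
        try:
            rows.extend(audit_records([(label, fetch_not_after(host, port))], renew_before_days, now))
        except ssl.SSLCertVerificationError as err:
            rows.append((label, "VERIFY_FAILED", str(err)))
        except OSError as err:
            rows.append((label, "UNREACHABLE", str(err)))
    return rows


def renewals_per_year(validity_days: int, renew_before_days: int) -> int:
    """A certificate valid for validity_days and renewed renew_before_days early
    is replaced every (validity - renew_before) days; whole renewals per year."""
    return 365 // (validity_days - renew_before_days)


def annual_cost_yuan(nodes: int, renewals: int, fen_per_renewal: int = 25) -> float:
    """Cost model taken from the post's figures: 25 fen per node per renewal (assumed)."""
    return nodes * renewals * fen_per_renewal / 100


# Constructed sample: three deployment locations and a fixed "now".
SAMPLE_NOW = parse_cert_time("Mar 20 12:00:00 2024 GMT")
SAMPLE_RECORDS = [
    ("tencent-cdn test.example.com", "Apr  6 00:00:00 2024 GMT"),  # 16 days left
    ("baota-panel site", "Jul  1 00:00:00 2024 GMT"),              # freshly renewed
    ("forgotten origin host", "Mar  1 00:00:00 2024 GMT"),        # already expired
]

if __name__ == "__main__":
    for row in audit_records(SAMPLE_RECORDS, 30, SAMPLE_NOW):
        print("%-30s %-10s %4d days" % row)
    n = renewals_per_year(90, 30)
    print("renewals/year: %d, 20 nodes cost %.2f yuan" % (n, annual_cost_yuan(20, n)))
```

Run `audit_live([("cdn", "test.example.com", 443), ("panel", "panel.example.com", 55555)], 30)` against your own hosts after a renewal to confirm that every location really received the new certificate; the live check keeps full verification on deliberately, because a location that only received the leaf without the intermediate, or still serves the old certificate, should show up as a failure rather than as "OK".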

Afterword

In fact, Tencent Cloud's quota of 50 free certificates (30 single-domain certificates for domain names hosted on Tencent Cloud, plus 20 single-domain certificates for any domain name for V2 members) is quite generous. My ICP-filed domain name is on Tencent Cloud's DNSPod, so I now have 30 free one-year certificates. To be honest, with a little planning that is enough for ordinary people. However, if you do a lot of testing or often have new ideas, 30 may not go far. What worries me is that if those 30 certificates are heavily used and imported in many places, replacing them all once a year is not exactly painless. This is where I see the advantage of OHTTPS: it completes the one-stop management and renewal of certificates in every location at a very low price. For example, I now use the Baota panel site certificates for the reverse proxy at the main egress of my home data center, the Baota panel site certificates for the reverse proxy on my Tencent Cloud lightweight host, and the unified renewal of the Tencent Cloud SSL certificate and CDN domain certificates, which adds up to 32 nodes.

There is another issue: the free 1-year single-domain certificates applied for on Tencent Cloud DNSPod and the certificates applied for automatically with Let's Encrypt using DNSPod for DNS validation are both TrustAsia certificates, so they share the limit of 20 hostnames under one main domain.

image.png

This led to an embarrassing problem: once I had used up my quota of 20 free one-year certificates on Tencent Cloud, I could not apply for certificates for my sites with Let's Encrypt on the Baota panel either, because that 20-certificate quota was exhausted. Even with the 30 free certificates Tencent Cloud offers now it would not help, because TrustAsia limits free certificates to 20 per main domain; the extra 10 can only be used on other main domains on Tencent Cloud (if you have any).

However, OHTTPS can solve this problem because it obtains an R3 certificate directly from Let's Encrypt (R3 is one of the intermediate certificates in Let's Encrypt's certificate chain, used to verify the trustworthiness of server certificates), and so it is not subject to TrustAsia's limit of 20 certificates per main domain.

image.png

In fact, the limitations of OHTTPS are simply the limitations of Let's Encrypt.

In short, Tencent Cloud's free 1-year single-domain certificates are still very attractive. If you have few sites, few deployment locations and a low management burden, 30 free certificates are enough. For the scenario of many sites with many deployment locations, OHTTPS has its place.

Addendum 1: I recently tidied up my deployment nodes on OHTTPS and deleted all of those related to the Baota panel, because the sites on my Baota panel are all used as the back-to-origin hosts of Tencent Cloud CDN, and Tencent Cloud CDN does not check the legitimacy of the origin certificate when fetching over HTTPS. Taking advantage of this, I replaced all the site SSL certificates on the Baota panel with 15-year certificates (the 15-year certificates signed by Cloudflare; of course you can also issue an even longer-lived certificate yourself), settling the matter once and for all and saving a few dozen yuan a year in OHTTPS renewal fees...
Addendum 2: I was being silly before, adding so many Tencent CDN deployment nodes; I only needed to point all the domain names on Tencent CDN at the same wildcard certificate and then renew that one certificate...
