How to create an SSL certificate with Jianmu CI and deploy it to nginx

Introduction

HTTP (Hypertext Transfer Protocol) carries traffic between a web browser and a web server in clear text: it provides no encryption, so an attacker who intercepts the messages between browser and server can read them directly. HTTPS fixes this defect by running HTTP over SSL/TLS. The server presents a certificate, which the browser uses to verify the server's identity, and the TLS handshake then negotiates the keys that encrypt the rest of the session between browser and server.

How do we stop the information exchanged between ourselves and our users from being overheard by others? We add a layer of "protective cover" (SSL/TLS) to the website.

Jianmu CI offers a ready-made solution for this: use the acme-ssl node to quickly add that "protective cover" to your website!

At present the acme-ssl node supports Alibaba Cloud as the DNS provider: it proves ownership of the domain by publishing DNS records through Alibaba Cloud DNS (the ACME DNS-01 challenge) and obtains the certificate that way. Huawei Cloud and Tencent Cloud will be added later.

Apply for domain name

To request a certificate from a CA we must first own a domain name. Because only Alibaba Cloud is supported as the DNS provider at the moment, the domain's DNS records must be managed in Alibaba Cloud DNS, so the simplest route is to buy the domain from Alibaba Cloud.

Apply for a certificate for your domain name

Use Jianmu CI to orchestrate the acme-ssl node so that it requests a certificate for your domain. How to install and use Jianmu CI, and its related concepts, are described in detail in the blog post Deploy maven project based on Jianmu CI; you are welcome to read it.

Define the pipeline that applies for the certificate:

name: acme-ssl
description: acme-ssl pipeline

pipeline:
  acme_sh:
    type: "acme_ssl_aliyun:1.0.2"
    param:
      # The domain name to request a certificate for (a wildcard here)
      domain: "*.huangxi.asia"
      # Your e-mail address
      email: "1014231151@qq.com"
      # Alibaba Cloud AccessKey ID, read from the Jianmu secret store. See the Alibaba Cloud documentation for how to obtain it;
      # prefer a RAM sub-account limited to DNS operations over the account's root AccessKey.
      ali_key: ((ali.key))
      # Alibaba Cloud AccessKey secret, also read from the secret store
      ali_secret: ((ali.secret))
      # Check the TXT record through public DNS. If true, acme.sh waits 20 seconds and then uses Cloudflare or Google public DNS to check that the record is live.
      # If false, acme.sh just waits 10 seconds and does nothing. For this test run we set it to false and skip the public DNS check.
      dns_check: false
      # The CA to use: letsencrypt, letsencrypt_test, buypass, buypass_test, zerossl or sslcom.
      # The default is zerossl; buypass, buypass_test and sslcom are paid CAs.
      ca: "zerossl"
  # The next two nodes are copy nodes: they send the generated certificate and private key to our server
  scp_cert:
    type: scp_resouce:1.1.0
    param:
      # IP address of the target server
      ssh_ip: xxx.xxx.xxx.xxx
      # SSH private key used to log in to the server, from the secret store
      ssh_private_key: ((xxx.server_private_key))
      # Destination path on the target server; the containing directory is created if it does not exist
      remote_file: /tmp/hx/fullchain.cer
      # Source file: the certificate produced by the acme_sh node
      local_file: ${acme_sh.cer_path}
  scp_key:
    type: scp_resouce:1.1.0
    param:
      ssh_ip: xxx.xxx.xxx.xxx
      ssh_private_key: ((xxx.server_private_key))
      # Destination path of the private key on the server
      remote_file: /tmp/hx/*.huangxi.asia.key
      # Source file: the private key produced by the acme_sh node
      local_file: ${acme_sh.key_path}

Copy the pipeline DSL into Jianmu CI and start the run, then wait for the acme-ssl node to request the certificate for us.

Once the wait is over, every node of the pipeline has run through.

Log in to the virtual machine and check the copied certificate and private key. The mood at this point, in one word: refreshing ~

Deploy the certificate private key to the server

Once we have the certificate and private key we can deploy them to our server. Here nginx is used as the web server. Note that the pipeline above drops both files in /tmp/hx; that is fine for a test, but on a real server move them to a permanent directory such as /etc/nginx/ssl, owned by root with the private key readable only by root (mode 0600): /tmp is cleared on reboot on many distributions, and the private key is the one secret that makes the certificate worth anything.

  • Installing nginx

    [root@huangxi ssl]# yum -y install nginx
    
  • Check where nginx is installed. The nginx binary is /usr/sbin/nginx and the configuration file is /etc/nginx/nginx.conf

    [root@huangxi ssl]# whereis nginx
    nginx: /usr/sbin/nginx /usr/lib64/nginx /etc/nginx /usr/share/nginx /usr/share/man/man3/nginx.3pm.gz /usr/share/man/man8/nginx.8.gz
    
  • start nginx

    [root@huangxi ssl]# nginx
    
  • Modify the configuration file of nginx

    # Add the following server blocks inside the http { } block of /etc/nginx/nginx.conf
    server {
       # Listen on port 443 with TLS enabled
       listen       443 ssl;
       # The domain name this server answers for; replace *.huangxi.asia with your own domain name
       server_name *.huangxi.asia;
    
       # Path of the certificate copied to the server by the scp_cert node
       ssl_certificate     /tmp/hx/fullchain.cer;
       # Path of the private key copied to the server by the scp_key node
       ssl_certificate_key /tmp/hx/*.huangxi.asia.key;
    
       ssl_session_cache   shared:SSL:1m;
       ssl_session_timeout 5m;
    
       ssl_ciphers HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers on;
    
       location / {
           root   html;
           index index.html index.htm;
       }
    }
    
    server {
       listen 80;
       server_name *.huangxi.asia;
       # Even if the visitor arrives on port 80, send them to port 443, keeping host and path
       return 301 https://$host$request_uri;
    }

    Two things to keep in mind. The certificate and key paths must match where the scp_cert and scp_key nodes wrote the files (the pipeline above uses /tmp/hx, so that is what is configured here; adjust both if you move the files). The block also sets no ssl_protocols, so nginx's compiled-in default applies; on a production server restrict it to TLSv1.2 and TLSv1.3.
    
  • Verify that the nginx configuration file is configured correctly

    [root@huangxi nginx]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    
  • Reload nginx configuration file

    [root@huangxi nginx]# nginx -s reload
    
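The copy-and-reload steps above leave the key in /tmp and reload nginx without checking that the key actually belongs to the certificate. The following script, added here as an example and not part of the article or of Jianmu CI, installs both files into a root-owned directory with strict permissions, verifies the key/certificate pairing with openssl, and only then runs nginx -t and reloads. The source paths are the article's (/tmp/hx/fullchain.cer and /tmp/hx/*.huangxi.asia.key); the destination /etc/nginx/ssl and the file names fullchain.cer and privkey.key are this example's own choice, so point ssl_certificate and ssl_certificate_key at them if you adopt it.

```shell
#!/bin/sh
# Added example, not code from the article or from Jianmu CI: move the files the
# scp_cert and scp_key nodes left in /tmp/hx into a permanent root-owned
# directory with strict permissions, prove that the private key belongs to the
# certificate, and only then reload nginx.
# Assumptions: source paths /tmp/hx/fullchain.cer and /tmp/hx/*.huangxi.asia.key
# (from the article's pipeline); the destination /etc/nginx/ssl is chosen here.

# Print the permission string of a path, e.g. "-rw-------" (uses ls, so it is portable).
file_mode() { ls -ld "$1" | cut -c1-10; }

# install_cert CERT KEY DEST
# Copies CERT to DEST/fullchain.cer (0644) and KEY to DEST/privkey.key (0600),
# creating DEST with mode 0700. The key is copied under umask 077 so it is
# never world-readable, not even in the moment between cp and chmod.
install_cert() {
    cert="$1"; key="$2"; dest="$3"
    [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
    mkdir -p "$dest" && chmod 0700 "$dest" || return 1
    (umask 022 && cp "$cert" "$dest/fullchain.cer") && chmod 0644 "$dest/fullchain.cer" || return 1
    (umask 077 && cp "$key" "$dest/privkey.key") && chmod 0600 "$dest/privkey.key" || return 1
}

# cert_matches_key CERT KEY
# Succeeds only if the public key inside CERT is the public half of KEY.
# Compares SHA-256 digests of the DER public keys, so it works for RSA and EC keys.
# Needs openssl; a wrong file or a mismatch makes it fail.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# deploy CERT KEY DEST: verify the pair, install it, test the nginx config, reload.
deploy() {
    cert_matches_key "$1" "$2" || { echo "private key does not match certificate, aborting" >&2; return 1; }
    install_cert "$1" "$2" "$3" || return 1
    nginx -t || return 1
    nginx -s reload
}

# Only run the real deployment when invoked with explicit paths, e.g.
#   sh deploy_cert.sh /tmp/hx/fullchain.cer '/tmp/hx/*.huangxi.asia.key' /etc/nginx/ssl
if [ "$#" -eq 3 ]; then
    deploy "$1" "$2" "$3"
fi
```

The key-matching check is the one practitioners most often skip: a pipeline that copies the wrong file (for example an older key after a renewal) passes nginx -t happily and fails only at the first TLS handshake.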

Test whether the certificate is valid

Open a browser and enter www.huangxi.asia (enter your own domain name here).

As shown in the figure above, we reach nginx's default welcome page over the https protocol and the browser reports the certificate as valid. With that, we have successfully added a layer of "protective cover" to our website. One caveat: a certificate for *.huangxi.asia covers www.huangxi.asia and any other single-label subdomain, but not the bare huangxi.asia and not deeper names such as a.b.huangxi.asia; if those must also work over HTTPS, request a certificate that includes them as well.
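Checking in a browser shows only that the one name you typed works. The script below, added here as an example and not part of the article, checks from any machine that the certificate a host serves actually covers a given name and is not about to expire, using the same strict wildcard rule browsers apply. The names are the article's; the 30-day expiry threshold is this example's assumption. fetch_cert and san_names need openssl and network access, while the name-matching functions are pure shell.

```shell
#!/bin/sh
# Added example, not code from the article: verify that a host serves a
# certificate which covers the name you connect with and is not close to expiry.
# Names are the article's (*.huangxi.asia, www.huangxi.asia); the 30-day
# threshold is an assumption of this example.

# name_covered_by HOSTNAME PATTERN
# Strict wildcard matching as browsers apply it (RFC 6125 section 6.4.3):
# "*.huangxi.asia" matches exactly one label, so it covers www.huangxi.asia
# but neither the bare huangxi.asia nor a.b.huangxi.asia. Case-insensitive.
name_covered_by() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        "*."*)
            suffix=${pat#"*."}
            case "$host" in
                *".$suffix") prefix=${host%".$suffix"} ;;
                *) return 1 ;;
            esac
            # whatever replaces "*" must be exactly one non-empty label
            [ -n "$prefix" ] || return 1
            case "$prefix" in *.*) return 1 ;; esac
            return 0 ;;
        *) [ "$host" = "$pat" ] ;;
    esac
}

# covered_by_any HOSTNAME   (candidate names, one per line, on stdin)
# Succeeds if any candidate covers HOSTNAME.
covered_by_any() {
    while IFS= read -r san; do
        name_covered_by "$1" "$san" && return 0
    done
    return 1
}

# fetch_cert HOST [PORT]: print the leaf certificate served for HOST (with SNI) as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# san_names: read a PEM certificate on stdin, print its DNS subjectAltName entries one per line.
san_names() {
    openssl x509 -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# check_host HOST: succeed only if the served certificate covers HOST and is still
# valid 30 days from now (2592000 seconds); explains the failure otherwise.
check_host() {
    pem=$(fetch_cert "$1")
    [ -n "$pem" ] || { echo "$1: could not fetch certificate" >&2; return 1; }
    printf '%s\n' "$pem" | san_names | covered_by_any "$1" ||
        { echo "$1: not covered by any subjectAltName" >&2; return 1; }
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 2592000 >/dev/null ||
        { echo "$1: certificate expires within 30 days" >&2; return 1; }
    echo "$1: certificate covers the name and is valid for at least 30 days"
}

# Usage:  sh check_tls.sh www.huangxi.asia
if [ "$#" -eq 1 ]; then
    check_host "$1"
fi
```

Run it against both www.huangxi.asia and the bare huangxi.asia: the first passes, the second fails the coverage check, which is exactly the apex-name gap of a wildcard certificate described above. Because the pipeline re-issues certificates non-interactively, the expiry check is also a cheap thing to schedule as a cron job so a silent renewal failure is noticed before the browser warning appears.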

This article is an original contribution by Jianmu blogger "Freedom". Please contact the author for permission before reprinting.

Official website: https://jianmu.dev

Project hosting: https://gitee.com/jianmu-dev

Project documentation: https://docs.jianmu.dev

Online experience: https://ci.jianmu.dev

Keywords: Nginx SSL ci

Added by cool30 on Wed, 26 Jan 2022 04:18:03 +0200