nothing 80 and 443 Apply for domain name under port SSL certificate

Recently, I have been working on small servers at home , After setting up, I found that many services are just HTTP It's too unsafe to visit , So ponder over whether to choose one SSL Certificate upgrade to HTTPS More secure .

But the problem is ： When I applied before , It's all used acme.sh perhaps certbot adopt nginx Configure to apply SSL certificate , But home broadband will be blocked 80 and 443 Port traffic .

To solve this problem , I searched a lot of information on Google , Finally, I found that I didn't apply through these two ports SSL Certificate solutions .

SSL How to apply for a certificate

This chapter mainly introduces DV(Domain Validation) Of SSL Three ways to apply for certificates . The following passage is taken from the translation of Wikipedia ：

Domain name verification certificate （DV SSL） The only criterion is to prove that the domain name whois Record 、DNS Log files 、 Control of email or virtual host account . Usually , The control of the domain name is determined in one of the following ways .

• Yes, send it to the domain name whois Email response of email contact in details
• Response to email sent to well-known management contacts in the domain name , for example （[email protected],[email protected], wait ）.
• Publish a DNS TXT Record
• Issue an unauthorized code provided by the automatic certificate issuance system

Domain validation （DV） Certificate and extended validation （EV） Different certificates for , Because this is the only requirement for issuing certificates . especially , The certificate of domain name verification does not guarantee that any specific legal entity is associated with the certificate , Even if the domain name may mean that a specific legal entity controls the domain name .

adopt DNS apply SSL certificate

From above , To complete in the case of limited ports SSL Application for , The easiest way is to use it DNS The way .

Get personal domain name

Applying for SSL Before certificate , You must first obtain a domain name . In this step, the eight immortals cross the sea , Each shows his power , Readers solve Baidu by themselves .

acme.sh The way

Reference from acme.sh explain .

Use acme.sh Of DNS The benefits of authentication are , You don't need any servers , No public network is needed ip, It only needs dns The validation can be completed by analyzing the records of . The disadvantage is that , If not configured at the same time Automatic DNS API, In this way acme.sh Certificate will not be automatically updated , You need to manually re resolve and verify the domain name ownership every time .

hypothesis hello.mydomain.com Is the domain name to be applied . Then launch DNS The order applied for is ：

acme.sh  --issue  --dns -d hello.mydomain.com \
 --yes-I-know-dns-manual-mode-enough-go-ahead-please

then , acme.sh The corresponding parsing record will be generated and displayed , You just need your domain name DNS Add this item in the management panel txt Just record it . If you don't know this step, you can baidu more .

Wait for the parsing to complete , Regenerate Certificate :

acme.sh  --renew -d hello.mydomain.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please

Besides , If it's common DNS Service provider , for example cloudflare、dnspod、cloudxns、godaddy And Alibaba cloud , Can pass acme.sh Of dnsapi Realization Automatic certificate update .

certbot The way

and acme.sh similar ,certbot It can also be done in this way DNS Of SSL The certificate application . Reference from Using Certbot Manually for SSL certificates.

install certbot after , Enter the following command to start DNS chanllenge：

certbot certonly –manual -d hello.mydomain.com

Then follow all the way prompt Tips , Finally, it will arrive DNS Service providers add TXT Record , You can get a certificate .

But unfortunately ,certbot Alibaba cloud's automatic update is not supported ,sad.