Apply for free SSL certificate for IP address - let IP address realize HTTPS encrypted access

Generally speaking, adding an SSL certificate to a domain name using domain name access is a routine operation for building a website, but some applications may not need to use domain name access, or do not want to bind a domain name, but just want to use a simple IP to achieve access. Under the background that the entire network is accessed through HTTPS encryption, is it possible to add an SSL certificate to the IP address to achieve access?

Have. But most IP facing SSL certificates are charged. The free SSL certificate provided by zeroSSL supports pure IP issuance. This article will share the application for zeroSSL free pure IP SSL certificate and how to install and configure zeroSSL free SSL certificate on your own server (pagoda panel or Nginx).

1. ZeroSSL certificate application

website:

1. https://zerossl.com

1.1 Manual application

Go to the ZeroSSL official website, register an account, and then click Free SSL Certificate Application.

Fill in your IP address and choose the length of the free SSL certificate.

Select Automatically generate CSR.

1.2 Verify the domain name

ZeroSSL free SSL certificate provides two methods of domain name verification, the simplest is Web verification, but the premise is that you need to allow your IP address to achieve Web access. If not, you can choose to use domain DNS to add TXT record verification.

If you choose Web access to the website, download the verification file directly, and then upload it to the default Web directory of the IP address. The path is required to remain as follows:

Open the IP with your browser and make sure you can access the verification file.

Finally, go back to the ZeroSSL verification page and click Finish verification.

2. ZeroSSL certificate installation

2.1 Download the certificate file

After the ZeroSSL certificate has been successfully verified, you can download the certificate file. ZeroSSL SSL certificates come in many forms, including Nginx, Apache, and more.

Taking Nginx as an example, there are three ZeroSSL certificate files downloaded: ca_bundle.crt and certificate.crt and private key key.

2.2 Merge SSL certificates

For Nginx server, you need to merge ca_bundle.crt and certificate.crt by opening certificate.crt and copy-pasting the content of ca_bundle.crt in the back.

2.3 Install the SSL certificate

If you are using the pagoda panel, you can directly click to install the SSL certificate in the background, and then upload and save the certificate and key files separately.

If you are using the Oneinstack one-click package and the LNMP one-click installation package, you need to open your Nginx configuration file (not the domain name Nginx configuration file), modify the following format, and be careful to change the path of the SSL certificate to your own:

server
    {
        listen 443 ssl http2;
       #listen [::]:443 ssl http2;
        server_name _;
        index index.html index.htm index.php ; _ _
        root /home/wwwroot/default;
    
        ssl_certificate /usr/local/nginx/conf/ssl/ipssl/wzfouip.crt ;
        ssl_certificate_key /usr/local/nginx/conf/ssl/ipssl/wzfouip.key ;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ; _ _ _
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM- SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5" ;
        ssl_session_cache builtin: 1000 shared:SSL:10m;
       # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem ;
access_log         /home/wwwlogs/access.log ;
    }

After the certificate is installed, remember to execute: nginx -t to check if there are any syntax errors. If not, restart Nginx directly to complete the SSL certificate installation. Open the IP address and you can see that the IP SSL certificate has been successfully installed.

3. Summary

For now, there is no good tool to automatically renew the ZeroSSL free SSL certificate of pure IP for the time being. A developer on Github wrote a tool using golang to achieve the renewal: https://github.com/tinkernels/zerossl-ip -cert , but it is not easy to operate, so the simpler method is to apply for renewal manually.