Let's Encrypt, a public and free SSL project, is gradually spreading and being used by a large number of users. It was launched by Mozilla, Cisco, Akamai, IdenTrust, EFF and other organizations, and its main goal is to promote the move of websites from HTTP to HTTPS. More and more businesses are joining and sponsoring it.
The arrival of Let's Encrypt free SSL certificates will also be a blow to traditional providers of paid SSL certificate services. So far, Let's Encrypt has obtained a cross-signature from IdenTrust, which means its certificates are compatible with and supported by Firefox, Chrome and other mainstream browsers. Although the project is currently in its public testing phase, many users already use it officially in their own website projects.
During this year's Black Friday, Namecheap's promotions included an SSL certificate for an annual fee of 0.88 U.S. dollars. Lao Zuo bought 2 at the time for learning purposes and to put on some sites to see the effect (it is said that Google likes this a lot on English websites). Fellow user Cold Rain suggested using Let's Encrypt free SSL directly instead: after all, it is supported by many large companies and is much more reliable than the free SSL certificates offered by some small companies.
Although a Let's Encrypt free SSL certificate is currently valid for only 90 days, it can be renewed automatically on expiry, so this does not stop us from trying and using it. To keep this article authentic and practical, Lao Zuo spent some time going through the process of applying for a Let's Encrypt certificate, and this article shares the method as a tutorial.
First, preparation before installing Let's Encrypt
According to the official requirements, before we deploy a Let's Encrypt free SSL certificate on a VPS or server, the system must support Python 2.7 or later and the git tool. These need to be installed or upgraded according to the system version in use, because the system images offered by service providers differ in compatibility; in particular, the Debian environment is more compatible than CentOS.
For example, a CentOS 6 64-bit environment may not support git; we can refer to "Linux CentOS 6 64-bit system installation Git tool environment Tutorial" and "9 steps upgrade CentOS5 system Python version to 2.7" for installation and upgrades. The simplest case is Debian: if git is not supported, run "apt-get -y install git" to install it directly. On CentOS, run "yum -y install git-core". Specific problems should be discussed and searched for case by case, because every environment and vendor distribution can be different. In this article, Lao Zuo uses a Debian 7 environment.
Second, quickly obtaining a Let's Encrypt free SSL certificate
Lao Zuo has shared several articles about the SSL deployment process before, and even I got dizzy: obtaining and installing a certificate is still fairly complicated. Let's Encrypt, with the popularization of HTTPS in mind, lets users obtain and deploy SSL certificates simply, so a certificate can be obtained with the simple one-click deployment below.
PS: Before obtaining the certificate files for a site, we need to install Python 2.7 and git, and the domain name must also resolve to the IP of the current VPS host.
The code is as follows:

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto certonly --standalone --email admin@laozuo.org -d laozuo.org -d www.laozuo.org

Then execute the script above, changing the email address and domain names to match the site we actually need to deploy.
When this screen appears, agree and press Enter.
Seeing the next screen indicates a successful deployment. According to feedback from readers and Lao Zuo's own tests, if the domain name uses domestic DNS, including third parties such as DNSPod, the domain information may not be obtained.
In that case we see the error message "The server could not connect to the client to verify the domain", or other error prompts such as "The server experienced an internal error :: Error creating new registration". For the email address, we should not use a domestic free mailbox. Likewise, if the domain is registered overseas, simply use the DNS that comes with the domain name first.
Third, obtaining and applying the Let's Encrypt free SSL certificate
After the Let's Encrypt certificate has been generated, there are 4 files in the domain's directory "/etc/letsencrypt/live/laozuo.org/"; these are the generated key and certificate files.
cert.pem - the server-side certificate for Apache
chain.pem - the root certificate and intermediate certificate for Apache
fullchain.pem - the ssl_certificate file required by Nginx
privkey.pem - the private key file of the certificate
If we use an Nginx environment, we need the two files fullchain.pem and privkey.pem when deploying Nginx (reference: "LNMP one-click package environment: installing an SSL security certificate and deploying an HTTPS website"). In this article, Lao Zuo does not go into detail about installing the Let's Encrypt certificate; a later article will cover installing the certificate on Nginx and Apache in detail.
The code is as follows:

    ssl_certificate /etc/letsencrypt/live/laozuo.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/laozuo.org/privkey.pem;

For example, in an Nginx environment we only need to set the ssl_certificate and ssl_certificate_key paths to the 2 generated files. It is best not to move or copy the files: renewal updates the files in the generated directory directly, so no manual copying is required afterwards.
Fourth, solving the validity period of the Let's Encrypt free SSL certificate
As we can see from the generated files, a Let's Encrypt certificate is valid for 90 days, so we need to renew it manually ourselves.
The code is as follows:

    ./letsencrypt-auto certonly --renew-by-default --email admin@laozuo.org -d laozuo.org -d www.laozuo.org

In this way we solve the renewal problem within the 90 days, and after renewal the certificate can be used for another 90 days. If we are afraid of forgetting, the command can also be made into a scheduled task, for example one that runs once a month.
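One way to turn the renewal command into the monthly scheduled task mentioned above. This is an added example, not part of the original article: the clone location /root/letsencrypt, the script path in the crontab comment, the 35-day threshold and the Nginx reload are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example (not from the original article): monthly renewal job.
LE_DIR=/root/letsencrypt                         # assumption: where the repo was cloned
CERT=/etc/letsencrypt/live/laozuo.org/cert.pem   # path from the article
# Assumption: 35 days, longer than the 31-day maximum gap between monthly
# runs, so a certificate can never expire between two runs.
THRESHOLD_DAYS=35

# needs_renewal CERT_FILE DAYS
# Returns 0 (true) when the certificate is missing, unreadable, or expires
# within DAYS days; returns 1 when it is still valid beyond that window.
needs_renewal() {
    [ -f "$1" ] || return 0
    # "openssl x509 -checkend N" exits 0 only if the certificate is still
    # valid N seconds from now.
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

renew_if_due() {
    if needs_renewal "$CERT" "$THRESHOLD_DAYS"; then
        # Same renewal command as in the article.
        "$LE_DIR/letsencrypt-auto" certonly --renew-by-default \
            --email admin@laozuo.org -d laozuo.org -d www.laozuo.org || return 1
        # Assumption: Nginx serves the certificate and must reload to
        # pick up the renewed files in the live/ directory.
        nginx -s reload
    else
        echo "certificate still valid for more than $THRESHOLD_DAYS days"
    fi
}

# Run only when called with --run, e.g. from root's crontab once a month:
#   0 3 1 * * /root/renew-cert.sh --run      (script path is an assumption)
if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```

Because the job exits non-zero when the renewal command fails, cron's mail or log output shows a failed renewal while the old certificate is still valid.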
Fifth, a summary of Let's Encrypt free SSL certificates
Through the steps above, we have learned to use Let's Encrypt to generate and obtain SSL certificate files for free. With Let's Encrypt, SSL is free and no longer needs to be purchased, and because most mainstream browsers support it and more and more mainstream businesses back and sponsor it, HTTPS looks set to become the trend. There are a few problems we need to solve when running Let's Encrypt.
A - Domain DNS and resolution issues. When configuring a Let's Encrypt free SSL certificate, the domain name must resolve to the current VPS server, and the domain must use overseas DNS; using domestic free DNS may lead to errors and failure to obtain the certificate.
B - Installing and deploying Let's Encrypt requires the server to support Python 2.7 and a git environment; otherwise it cannot be deployed.
C - A Let's Encrypt certificate is free and valid for 90 days by default, and must be renewed manually or automatically before it can continue to be used.