Deploy let's encrypt free SSL certificate && auto-Renew

Source: Internet
Author: User
Tags pkcs12 free ssl free ssl certificate ssl certificate certbot letsencrypt aliyun

Recently the company website to use HTTPS, from their own groping to find the domestic free certificate to purchase a formal fee certificate, finally the boss said: too expensive. No. A face to listen to the boss said let ' s encrypt certificate, no way, with Bai. Before there is some understanding, a foreign release of a pure free certificate, just feel that there is no free lunch, free and the gap between fees is certain. So, bite the bullet and start tinkering with Let's encrypt certificate. Preface let's Encrypt as a new certification authority, free, automatic, open, this three points is especially important for individual users. Free from needless to say, automatic is a lot of process and trouble. The current recommended acquisition and installation method is Certbot, simply run some commands and make some configuration. Prerequisites 1. A domain name is required and it generates a certificate for the specified domain name. (the fill IP will be error not supported) 1. You need to be able to access HTTPS on the server that the domain name points to. (you will not find a 443 port error) 2. Requires a Linux environment. Deploy get Let's Encrypt # #获取 wget # #设置为可执行 chmod a+x Certbot-auto Perform an automated deployment. During the/certbot-auto deployment process Will download a whole bunch of dependent packages, without the need for nervousness. If you need confirmation, (enter "Y") confirm it. Note here that during execution, it will be stuck in ' installing Python packages ', waiting for a while to download Phthon Lib

If you wait for a long time without moving, you can not wait to modify the PIP download source.
vi ~/.pip/pip.conf
mkdir ~/.pip
vi pip.conf
Modify or write to the content below
Index-url =
Re-perform the automatic deployment
redeployment will still be in ' installing Python Packages ' card for a while, but not for a long time, within five minutes.
After the download of the dependency package will enter the interactive interface, in order to fill in the mailbox, domain name (multi-domain name separated by space or comma), the terms of confirmation, verify the domain name ownership (This step can choose the first way, manually select the root directory tomcat) will be displayed after successful execution congratulations! Your certificate and chain have been saved At/etc/letsencrypt/live/ Your cert would expire on 2016-10-05. To obtain a new or tweaked version of this certificate on the future, simply run Certbot-auto again. To non-interactively renew *all* of your certificates, run "Certbot-auto renew" at this time the generated certificate file (. Pem) is already in the following path/ETC/LETSENCRYP t/#主要用到的文件 (. Pem) in/etc/letsencrypt/live/xxxxx (domain name)/ Auto-RenewLet's encrypt apply for a certificate that will have a three-month validity period, can be manually renewed before the expiry date, or you can write your own scheduled Script task automatically renewal. Too much manual trouble, just write a simple renewal script. 1. Scripts
 #/bin/sh #续期 Description: Only with Renew, you will first check whether the certificate needs to be updated, probably the distance expires in three days or more than 10 days before the update, otherwise you will be prompted not to update. (Yesterday updated the certificate, today directly with renew, prompt not allowed to update) #这里方便测试, add parameter--force-renew, can force immediate update (but it seems to have a check, the time will be shorter, such as I have just updated, immediately again execution will be error and prompt does not need to update). Certbot-auto Renew--force-renew #生成p12 cd/mnt/web/letstemp && OpenSSL pkcs12-export-in fullchain.pem-inkey p
Rivkey.pem-out fullchain_and_key.p12-name tomcat-passin passyourpkcs12pass-passout pass:yourPKCS12pass #移动新生成的证书文件 Cp/etc/letsencrypt/live/yourdomain/fullchain.pem/mnt/web/letstemp cp/etc/letsencrypt/live/yourdomain/ Privkey.pem/mnt/web/letstemp #生成jks文件 #备份并删除原jks文件 mv/mnt/web/letstemp/mydskeystore.jks/mnt/web/letstemp/ Mydskeystore ' Date ' +%y-%m-%d '. JKs cd/mnt/web/letstemp && Keytool-importkeystore-deststorepass YourKeyPass- Destkeypass yourkeypass-destkeystore mydskeystore.jks-srckeystore Fullchain_and_key.p12-srcstoretype PKCS12- Srcstorepass Yourpkcs12pass-alias Tomcat #重启服务器/mnt/web/tomcat/tomcat8/bin/  
2, the scheduled task script has, but also need to add a regular script in Linux task, here with the Linux-brought Cron to handle this part. CRONTAB-E Add the following in an open editor (1th per month, 3 o'clock in the morning update) 0 0 3 * * sh/mnt/web/lets/ >/dev/null 2>&1 &

Manually create an HTTPS certificate using Let's encrypt

Windows request a free SSL certificate-let ' s Encrypt

Certbot: Automatic deployment Let's Encrypt certificate

This article permanently updates the link address :

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.