Deploy let's encrypt free SSL certificate && auto-Renew

Recently the company website to use HTTPS, from their own groping to find the domestic free certificate to purchase a formal fee certificate, finally the boss said: too expensive. No. A face to listen to the boss said let ' s encrypt certificate, no way, with Bai. Before there is some understanding, a foreign release of a pure free certificate, just feel that there is no free lunch, free and the gap between fees is certain. So, bite the bullet and start tinkering with Let's encrypt certificate. Preface let's Encrypt as a new certification authority, free, automatic, open, this three points is especially important for individual users. Free from needless to say, automatic is a lot of process and trouble. The current recommended acquisition and installation method is Certbot, simply run some commands and make some configuration. Prerequisites 1. A domain name is required and it generates a certificate for the specified domain name. (the fill IP will be error not supported) 1. You need to be able to access HTTPS on the server that the domain name points to. (you will not find a 443 port error) 2. Requires a Linux environment. Deploy get Let's Encrypt # #获取 wget https://dl.eff.org/certbot-auto # #设置为可执行 chmod a+x Certbot-auto Perform an automated deployment. During the/certbot-auto deployment process Will download a whole bunch of dependent packages, without the need for nervousness. If you need confirmation, (enter "Y") confirm it. Note here that during execution, it will be stuck in ' installing Python packages ', waiting for a while to download Phthon Lib

If you wait for a long time without moving, you can not wait to modify the PIP download source.
vi ~/.pip/pip.conf
#如果文件不存在则创建
mkdir ~/.pip
vi pip.conf
Modify or write to the content below
[global]
Index-url = http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
Re-perform the automatic deployment
./certbot-auto
redeployment will still be in ' installing Python Packages ' card for a while, but not for a long time, within five minutes.

After the download of the dependency package will enter the interactive interface, in order to fill in the mailbox, domain name (multi-domain name separated by space or comma), the terms of confirmation, verify the domain name ownership (This step can choose the first way, manually select the root directory tomcat) will be displayed after successful execution congratulations! Your certificate and chain have been saved At/etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert would expire on 2016-10-05. To obtain a new or tweaked version of this certificate on the future, simply run Certbot-auto again. To non-interactively renew *all* of your certificates, run "Certbot-auto renew" at this time the generated certificate file (. Pem) is already in the following path/ETC/LETSENCRYP t/#主要用到的文件 (. Pem) in/etc/letsencrypt/live/xxxxx (domain name)/ Auto-RenewLet's encrypt apply for a certificate that will have a three-month validity period, can be manually renewed before the expiry date, or you can write your own scheduled Script task automatically renewal. Too much manual trouble, just write a simple renewal script. 1. Scripts

 #/bin/sh #续期 Description: Only with Renew, you will first check whether the certificate needs to be updated, probably the distance expires in three days or more than 10 days before the update, otherwise you will be prompted not to update. (Yesterday updated the certificate, today directly with renew, prompt not allowed to update) #这里方便测试, add parameter--force-renew, can force immediate update (but it seems to have a check, the time will be shorter, such as I have just updated, immediately again execution will be error and prompt does not need to update). Certbot-auto Renew--force-renew #生成p12 cd/mnt/web/letstemp && OpenSSL pkcs12-export-in fullchain.pem-inkey p
Rivkey.pem-out fullchain_and_key.p12-name tomcat-passin passyourpkcs12pass-passout pass:yourPKCS12pass #移动新生成的证书文件 Cp/etc/letsencrypt/live/yourdomain/fullchain.pem/mnt/web/letstemp cp/etc/letsencrypt/live/yourdomain/ Privkey.pem/mnt/web/letstemp #生成jks文件 #备份并删除原jks文件 mv/mnt/web/letstemp/mydskeystore.jks/mnt/web/letstemp/ Mydskeystore ' Date ' +%y-%m-%d '. JKs cd/mnt/web/letstemp && Keytool-importkeystore-deststorepass YourKeyPass- Destkeypass yourkeypass-destkeystore mydskeystore.jks-srckeystore Fullchain_and_key.p12-srcstoretype PKCS12- Srcstorepass Yourpkcs12pass-alias Tomcat #重启服务器/mnt/web/tomcat/tomcat8/bin/restartup.sh  

2, the scheduled task script has, but also need to add a regular script in Linux task, here with the Linux-brought Cron to handle this part. CRONTAB-E Add the following in an open editor (1th per month, 3 o'clock in the morning update) 0 0 3 * * sh/mnt/web/lets/ssl_auto_auth.sh >/dev/null 2>&1 &

Manually create an HTTPS certificate using Let's encrypt http://www.linuxidc.com/Linux/2016-06/132138.htm

Windows request a free SSL certificate-let ' s Encrypt http://www.linuxidc.com/Linux/2017-01/139465.htm

Certbot: Automatic deployment Let's Encrypt certificate http://www.linuxidc.com/Linux/2016-05/131346.htm

This article permanently updates the link address : http://www.linuxidc.com/Linux/2017-03/142248.htm