Preface
Although an HTTPS deployment normally uses a certificate from a paid CA, there is a lot of advice recommending free HTTPS/SSL certificates, so I actually went through a free HTTPS setup to try it out. Below I record the build process and explain my understanding of the four different certificate types.
Enterprise level: EV (Extended Validation), OV (Organization Validation)
Personal level: IV (Identity Validation), DV (Domain Validation)
EV, OV and IV certificates have to be paid for. Free certificates are DV certificates, whose assurance level is generally low: they do not display an organization name and cannot prove the real identity of the site operator, only that whoever requested them controlled the domain at the time. They only provide encryption of data in transit, which makes them suitable for personal sites or non-e-commerce sites. Note: this low-end kind of SSL certificate has been abused by various fraudulent websites abroad. On the other hand, CA issuance for such certificates is very efficient, because only the domain name and the contact email address have to be verified when the request is submitted. A free SSL certificate can be requested with acme-tiny.
GitHub acme-tiny Project Description Document Link:
https://github.com/diafygi/acme-tiny
Chinese Description
This script requires Python and OpenSSL; install them yourself and create a working directory for the files below.
Step 1: Create a Let's Encrypt account private key, which identifies you (your ACME account) to the CA. Keep it readable only by the user that runs the requests, since anyone holding it can request certificates for every domain you have validated:

openssl genrsa 4096 > account.key

Step 2: Create the domain private key and a certificate signing request (CSR). The SAN extension carries the domain name(s) that will appear in the certificate; replace [domain.com] with your own domain (additional names are added as further comma-separated DNS: entries). The domain key is deliberately a different key from the account key:

openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /usr/local/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:[domain.com]")) > domain.csr

(The <( ... ) process substitution needs bash, and the path to openssl.cnf depends on how OpenSSL was installed on your system.)

Step 3: Configure the server to prove domain ownership (the ACME HTTP-01 challenge). Create the directory into which acme-tiny will write the challenge files; it must be the same directory that nginx serves in Step 4 and that is passed as --acme-dir in Step 5:

mkdir -p /var/www/challenges/

Step 4: Configure an HTTP (port 80) service so that Let's Encrypt can fetch the challenge files:

server {
    listen 80;
    server_name yoursite.com www.yoursite.com;

    location /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }

    ... the rest of your config
}

Step 5: Obtain the signed certificate. acme-tiny signs the ACME requests with account.key, writes the challenge responses into --acme-dir, waits for Let's Encrypt to verify them over HTTP, and prints the signed certificate to standard output:

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt

Step 6: Build the full-chain PEM file. The certificate from Step 5 is only the leaf; clients also need the Let's Encrypt intermediate, so download it and append it:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

Check: Let's Encrypt rotates its intermediates, so the one linked here (current when this was written) may not be the one that signed your certificate. The issuer of signed.crt must match the subject of intermediate.pem, otherwise clients will fail to build the chain.

Step 7: Configure nginx for HTTPS:

server {
    listen 443 ssl;
    server_name [your domain name];
    ssl_certificate /httpsfile/chained.pem;
    ssl_certificate_key /httpsfile/domain.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Step 8: Set up renewal. These certificates are valid for only 3 months, so a script has to renew the certificate and overwrite the files regularly. (For this reason I recommend this method for validating an HTTPS setup in a test environment, not for production.)

vi ~/letsencrypt/renew_cert.sh

#!/usr/bin/sh
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem || exit
cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
service nginx reload

The || exit after each network step stops the script before it overwrites chained.pem with an empty or partial result. Make the script executable and add it to the crontab so it runs at midnight on the first of every month, with errors appended to a log file:

chmod +x renew_cert.sh

0 0 1 * * ~/letsencrypt/renew_cert.sh 2>> /var/log/acme_tiny.log
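The renewal script in Step 8 works, but it will happily install a broken chain if the intermediate download is truncated or no longer matches the issuer of the new certificate, and it reloads nginx without checking the configuration. The script below is an added example, not the page's renew_cert.sh and not code from the acme-tiny project. It keeps the same commands as Steps 5 to 8 (python acme_tiny.py, wget, openssl, nginx) and assumes the file locations from those steps; every path in the variables at the top is a placeholder to be overridden through the environment. It only overwrites the live chained.pem when both inputs are well-formed PEM certificates and the intermediate's subject equals the leaf's issuer, replaces the file atomically, validates the nginx configuration before reloading, and skips the run entirely while the current certificate still has more than 30 days left.

```shell
#!/bin/sh
# Hardened renewal for the acme-tiny flow above (added example; not the
# page's script). Paths are placeholders, override them via the environment.
set -eu

ACME_TINY=${ACME_TINY:-/path/to/acme_tiny.py}        # assumed, as in Step 8
ACCOUNT_KEY=${ACCOUNT_KEY:-/path/to/account.key}     # assumed, as in Step 8
DOMAIN_CSR=${DOMAIN_CSR:-/path/to/domain.csr}        # assumed, as in Step 8
ACME_DIR=${ACME_DIR:-/var/www/challenges/}           # Steps 3 to 5
CHAINED_PEM=${CHAINED_PEM:-/httpsfile/chained.pem}   # Step 7
INTERMEDIATE_URL=${INTERMEDIATE_URL:-https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem}
RENEW_BEFORE=${RENEW_BEFORE:-2592000}                # seconds; renew when < 30 days remain

# A file counts as a PEM certificate bundle only if it is non-empty and
# every BEGIN CERTIFICATE line has a matching END CERTIFICATE line.
is_pem_cert() {
    f=$1
    [ -s "$f" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Number of certificates in a PEM bundle (a chain built by Step 6 has 2).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Concatenate leaf + intermediate into OUT only when both validate, and
# replace OUT atomically so nginx never reads a half-written chain.
assemble_chain() {
    leaf=$1; inter=$2; out=$3
    is_pem_cert "$leaf" || { echo "leaf certificate $leaf is not valid PEM" >&2; return 1; }
    is_pem_cert "$inter" || { echo "intermediate $inter is not valid PEM" >&2; return 1; }
    tmp="$out.tmp.$$"
    cat "$leaf" "$inter" > "$tmp"
    mv -f "$tmp" "$out"
}

# True when CERT expires within SECONDS (or cannot be read at all, in which
# case renewing is the safe answer). Uses openssl like Steps 1 and 2.
expires_within() {
    ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# True when the leaf's issuer equals the intermediate's subject, i.e. the
# downloaded intermediate really is the one that signed the certificate.
chain_links() {
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^[^=]*=//')
    subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^[^=]*=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

renew() {
    if [ -s "$CHAINED_PEM" ] && ! expires_within "$CHAINED_PEM" "$RENEW_BEFORE"; then
        echo "$CHAINED_PEM is not due for renewal yet" >&2
        return 0
    fi
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    python "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$DOMAIN_CSR" \
        --acme-dir "$ACME_DIR" > "$work/signed.crt"
    wget -q -O "$work/intermediate.pem" "$INTERMEDIATE_URL"
    chain_links "$work/signed.crt" "$work/intermediate.pem" || {
        echo "intermediate from $INTERMEDIATE_URL did not sign the new certificate" >&2
        return 1
    }
    assemble_chain "$work/signed.crt" "$work/intermediate.pem" "$CHAINED_PEM"
    nginx -t                     # refuse to reload on a broken config
    service nginx reload
}

# Run as: sh renew_cert.sh renew   (without the argument the functions are
# only defined, so the file can be sourced or tested without a real renewal)
case "${1:-}" in
    renew) renew ;;
esac
```

Because the script exits early while the certificate is still far from expiry, it can be scheduled daily instead of monthly (for example `0 0 * * * /path/to/renew_cert.sh renew 2>> /var/log/acme_tiny.log`), so a failed attempt is retried the next day rather than a month later, and the account key only has to be readable by the cron user.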