Applying for a free HTTPS certificate used to be a fairly troublesome procedure. Today someone brought it up in a discussion, and after a quick search I found that the application steps are much simpler now.
1. Download Certbot
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --help
Once the repository is cloned (or unpacked), running the script with --help prints the relevant usage hints.
2. Generate a FREE certificate
./certbot-auto certonly --webroot --agree-tos -v -t --email [email protected] -w /path/to/your/web/root -d note.crazy4code.com
Here -w is the web root directory of the site and -d is the site's domain name.
Note that by default the challenge file is generated under <web root>/.well-known/acme-challenge/; the script then has Let's Encrypt fetch http://<domain>/.well-known/acme-challenge/ and checks that the file exists, which is how your ownership of the site is determined.
For example: my domain name is note.crazy4code.com, so I have to make sure that the .well-known/acme-challenge/ directory is reachable and can be written to: chmod 777 -R <web root>/.well-known/acme-challenge
If the check comes back normally and confirms your ownership of the site, the certificate is issued successfully; the directory is emptied once the process completes.
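As an added example (not part of the original post), here is a small POSIX shell script that stages the .well-known/acme-challenge directory under a web root and, optionally, fetches a probe file back over plain HTTP the way the validator will, so a wrong path or a permission problem shows up before certbot is run. The web root, the domain and the presence of curl are assumptions. The post uses chmod 777; the web server only needs to read the directory, so this script uses 755 for the directories and 644 for the file.

```shell
#!/bin/sh
# Added example, not from the original post.
# Stages the HTTP-01 challenge directory and verifies it is reachable.
# Assumed inputs: a web root (e.g. /var/www/html) and a domain; curl is assumed installed.

# Create <webroot>/.well-known/acme-challenge and drop a probe file in it.
# Prints the probe file name so the caller can fetch it afterwards.
stage_challenge_dir() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # The web server only needs read + traverse access; world-writable (777) is not required.
    chmod 755 "$webroot/.well-known" "$dir"
    token="probe-$$"
    printf 'acme-probe-ok\n' > "$dir/$token"
    chmod 644 "$dir/$token"
    printf '%s\n' "$token"
}

# Read the staged probe back from disk (this is what the validator must be able to see).
probe_content() {
    cat "$1/.well-known/acme-challenge/$2"
}

# Fetch the probe over plain HTTP, as Let's Encrypt will, and compare it with the file.
# Returns 0 when the served body matches the staged content.
probe_served() {
    domain="$1"; webroot="$2"; token="$3"
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "$(probe_content "$webroot" "$token")" ]
}

# Remove the probe once the check is done; certbot writes its own challenge files here.
cleanup_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}
```

Typical use on the server, with the post's web root: `tok=$(stage_challenge_dir /var/www/html) && probe_served your.domain.com /var/www/html "$tok" && echo reachable; cleanup_probe /var/www/html "$tok"`. If probe_served fails, fix the Nginx location or the directory permissions before running certbot-auto certonly, because the validation request will fail in the same way.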
3. Obtaining a Certificate
If the steps above went normally, the shell script prints information like the following:
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/your.domain.com/fullchain.pem...
4. Generate Dhparams
Use the OpenSSL tool to generate the dhparams file:
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
5. Configure Nginx
Open the Nginx server configuration file and add the following settings (your.domain.com stands for your site's domain name):
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
And then restart the Nginx service.
6. Force Jump HTTPS
HTTPS listens on port 443 by default, and plain HTTP stays on port 80 unless you redirect it. If you are sure that the site on port 80 should be served over HTTPS only, add the following server block to redirect automatically:
server {
    listen 80;
    server_name your.domain.com;
    return 301 https://$server_name$request_uri;
}
7. Certificate Updates
The free certificate is valid for only 90 days, so you need to renew it manually. Let's Encrypt also has a free Let's Monitor service: register an account, add the domain names to be monitored, and the system sends a reminder email as soon as a certificate is about to expire, which is very convenient. After receiving the mail, run renew on the server; if it reports success, the renewal succeeded:
./certbot-auto renew
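As an added example (not from the original post), here are two checks that cover steps 6 and 7 from the server side: one confirms that http://DOMAIN/ answers with a 301/302 to https://, the other reads the certificate actually served on port 443 and reports how many days remain, so a cron job can warn before the 90-day expiry instead of relying only on a reminder email. The use of curl, openssl s_client and GNU date (-d) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks for steps 6 and 7:
#  (1) plain HTTP redirects to HTTPS, and
#  (2) days remaining on the certificate served on port 443.
# Assumed tools: curl, openssl, GNU date (for -d).

# Whole days from $2 (now) until $1 (expiry); both in openssl's notAfter format,
# e.g. "Mar 14 12:00:00 2018 GMT". Negative when already expired.
days_until() {
    end=$(date -u -d "$1" +%s) || return 1
    now=$(date -u -d "$2" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Step 6 check: returns 0 when http://DOMAIN/ answers 301/302 with a Location on https://DOMAIN.
http_redirects_to_https() {
    hdr=$(curl -sS -o /dev/null -D - --max-time 10 "http://$1/") || return 1
    printf '%s\n' "$hdr" | head -n1 | grep -Eq ' 30[12]' || return 1
    printf '%s\n' "$hdr" | grep -iq "^location: https://$1"
}

# Step 7 check: days left on the certificate served by DOMAIN:443 (with SNI).
cert_days_left() {
    not_after=$(printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//') || return 1
    [ -n "$not_after" ] || return 1
    days_until "$not_after" "$(date -u '+%b %d %H:%M:%S %Y GMT')"
}

# Exit non-zero when fewer than $2 days remain (default 30), so cron can alert
# and you can run ./certbot-auto renew in time.
warn_if_expiring() {
    left=$(cert_days_left "$1") || return 2
    [ "$left" -ge "${2:-30}" ]
}
```

A daily cron entry such as `warn_if_expiring your.domain.com 30 || mail -s "certificate expiring" [email protected]` (mail command and address are placeholders) gives the same reminder the post gets from Let's Monitor, but measured against the certificate Nginx is really serving, which also catches the case where renew succeeded but Nginx was never restarted.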
Actual run:
[[email protected] html]# chmod 777 -R .well-known/
./certbot-auto certonly --webroot --agree-tos -v -t --email [email protected]***ang.cn -w /var/www/html -d test.b****wkd.com
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test.bjy***d.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/test.bj***d.com/privkey.pem
   Your cert will expire on 2018-03-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
Free HTTPS certificate (let's Encrypt) application and configuration