Let's Encrypt permanent free SSL certificates in practice: process tutorial and FAQs
The arrival of Let's Encrypt free SSL certificates will also be a heavy blow to traditional vendors that sell paid SSL certificate services. Let's Encrypt has now obtained a cross-signature from IdenTrust, which means its certificates can be used and are supported by mainstream browsers, including Firefox and Chrome. Although it is still in the public beta stage, many users are already using it in their own website projects.
Although Let's Encrypt free SSL certificates are currently valid for only 90 days by default, they can be renewed automatically upon expiration, so this does not get in the way of trying them out or using them.
1. Preparations before installing Let's Encrypt
According to the official requirements, before we deploy a Let's Encrypt free SSL certificate on a VPS or server, the system must have Python 2.7 or later and Git.
What has to be installed or upgraded depends on the system version, because some service providers ship more compatible images than others; Debian environments in particular are more compatible than CentOS.
For example, CentOS 6 64-bit environments do not support Git out of the box; for more information, see "Linux CentOS 6 64-bit system installation Git tool environment tutorial" and "9 steps to upgrade CentOS 5 to Python 2.7".
In the simplest case Git is just not installed. On Debian, run "apt-get -y install git" to install it directly; on CentOS, run "yum -y install git-core".
Look up solutions for the specific problem you run into, because each environment and each provider's release may differ.
The environment I use is CentOS 7, so the examples here are based on it.
2. Get the free SSL Certificate of Let's Encrypt quickly
Obtaining and deploying a certificate by hand is still complicated. Let's Encrypt knows that HTTPS will only become widespread if users can obtain and deploy an SSL certificate easily, so you can use the following simple one-step deployment to obtain the certificate.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email admin@***.com -d ***.com -d www.***.com
Then execute the commands above, replacing the domain names and e-mail address with the ones for the site you are deploying.
I use the nginx proxy server.
Note: if the certificate cannot be generated while nginx is running, stop nginx and execute the commands above again. With --standalone the client starts its own temporary web server for domain validation, which needs the port that nginx is already listening on.
After the script is executed, a prompt with the options Agree or Cancel appears.
Enter A and press Enter.
3. Let's Encrypt free SSL certificate acquisition and application
After the Let's Encrypt certificate is generated, go to the domain name directory "/etc/letsencrypt/live/***.com/". The four files in it are the generated key and certificate files.
cert.pem - Apache server certificate
chain.pem - Apache root certificate and intermediate certificate
fullchain.pem - the ssl_certificate file required by Nginx
privkey.pem - the private key file of the certificate
In my Nginx environment, I need to use the fullchain.pem and privkey.pem files.
ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;
In the Nginx environment, you only need to point ssl_certificate and ssl_certificate_key at the two files we generated. It is best not to move or copy the files: renewal updates the files in the generated directory in place, so no manual copying is required.
4. Solving the validity period problem of the Let's Encrypt free SSL certificate
We can see from the generated files that the Let's Encrypt certificate is valid for 90 days. It can be renewed manually:
./letsencrypt-auto certonly --renew-by-default --email admin@***.com -d ***.com -d www.***.com
Running this command again within the 90 days renews the certificate, so that we can continue to use it for another 90 days. If we are afraid of forgetting, we can also create a scheduled task that runs it, for example, once a month.
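The scheduled renewal described above, as an added example (not part of the original tutorial or of the Let's Encrypt client): a wrapper that renews only when the certificate is within 30 days of expiry, restarts nginx even if renewal fails, and checks afterwards that the certificate file was really replaced. It assumes nginx is managed by systemd, the client was cloned to /root/letsencrypt and GNU date is installed; example.com, the e-mail address, the script name and the function names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumptions: nginx runs under
# systemd, the client was cloned to /root/letsencrypt, GNU date is installed;
# example.com and the e-mail address are placeholders.
DOMAIN="example.com"
EMAIL="admin@example.com"
CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"
LE_AUTO="/root/letsencrypt/letsencrypt-auto"
THRESHOLD_DAYS=30

# Whole days from $2 (epoch seconds, default now) to the "notAfter=..." line
# printed by `openssl x509 -enddate -noout`.
days_left() {
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    end=$(date -u -d "$not_after" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# Status 0: renewal due, 1: not due, 2: expiry date could not be parsed.
renewal_due() {
    left=$(days_left "$1" "$2") || return 2
    [ "$left" -le "$THRESHOLD_DAYS" ]
}

cert_enddate() { openssl x509 -enddate -noout -in "$CERT"; }

renew_if_due() {
    enddate=$(cert_enddate) || return 1
    renewal_due "$enddate"
    case $? in
        1) echo "$DOMAIN: more than $THRESHOLD_DAYS days left, nothing to do"; return 0 ;;
        2) echo "$DOMAIN: cannot parse expiry date" >&2; return 1 ;;
    esac
    systemctl stop nginx || return 1      # free the port for --standalone
    "$LE_AUTO" certonly --standalone --renew-by-default \
        --email "$EMAIL" -d "$DOMAIN" -d "www.$DOMAIN"
    status=$?
    systemctl start nginx                  # bring nginx back even if renewal failed
    [ "$status" -eq 0 ] || return "$status"
    # Confirm the file nginx reads now holds a fresh certificate.
    renewal_due "$(cert_enddate)"
    [ $? -eq 1 ] || { echo "$DOMAIN: still near expiry after renewal" >&2; return 1; }
}

# Runs only when asked to, for example from cron: renew-cert.sh --renew
# (renew-cert.sh is a hypothetical file name).
if [ "${1:-}" = "--renew" ]; then renew_if_due; fi
```

A non-zero exit status from the scheduled task means the certificate was not renewed and should be looked at before the 90 days run out.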
5. Let's Encrypt free SSL certificate summary
A - Domain name DNS and resolution problems. When configuring a Let's Encrypt free SSL certificate, the domain name must resolve to the current VPS server, and the domain must use an overseas DNS service. If you use a free DNS service in China, obtaining the certificate may fail.
B - The server must have Python 2.7 and Git before Let's Encrypt is deployed.
C - You must stop the nginx proxy server before running the certificate generation command, or the certificate cannot be generated successfully.
D - Let's Encrypt certificates are valid for 90 days by default and can continue to be used only after manual or automatic renewal.