Use Let & amp; #39; s Encrypt to protect your packets

Source: Internet
Author: User
Tags free ssl free ssl certificate letsencrypt

Use Let & #39; s Encrypt to protect your packets

Let's Encrypt is a free SSL Certificate launched at the end of last year, and there is basically no limit to applying for this certificate, as long as you prove that you are the domain name owner, you can apply for an SSL Certificate for your domain name.

Today I will apply for a trendy Let's Encrypt certificate for my wiki. ioin. in.

First, I used acme-tiny, an extension developed by a third party. The method provided by Let's Encrypt is troublesome, And the acme-tiny tool allows users to run several commands to generate the required certificate.

Download acme-tiny:

First, generate a user private key: account. key, acme-tiny. Use this certificate to log on to Let's Encrypt. Generate a domain name private key, domain. key

1 openssl genrsa 4096> account. key 2 openssl genrsa 4096> domain. key



Then, use the ACME protocol to generate domain. csr for domain. key. If you only have one domain name that requires ssl, you only need to execute the following statement:

1 openssl req-new-sha256-key domain. key-subj "/CN ="> domain. csr

If you have multiple domain names, such as and, run the following statement:

1 openssl req-new-sha256-key domain. key-subj "/"-reqexts SAN-config <(cat/etc/ssl/openssl. cnf <(printf "[SAN] \ nsubjectAltName = DNS:, DNS:")> domain. csr


My wiki. ioin. in is a Single Domain Name Certificate, So execute the following statement:


Let's Encrypt has a variety of methods to verify whether you are the owner of the domain name, And the acme-tiny Tool uses the simplest method, that is, http File verification.
Simply put, a verification file is generated and stored at let's Encrypt officially verifies whether the file exists and the content is correct. If everything is correct, the domain name is yours.

So here, I created a new/home/www/challenges/directory, pointing its alias to/. well-known/acme-challenge /. In this way, the files I write in the challenges directory can be accessed through the The nginx configuration is as follows:


Then, run the script:

1 python -- account-key/etc/ssl/letsencrypt/account. key -- csr/etc/ssl/letsencrypt/domain. csr -- acme-dir/home/www/challenges/>/etc/ssl/letsencrypt/signed. crt


Change the -- account-key value to the account you generated. key Path; -- change the csr value to your generated domain. the csr path; -- change the value of acme-dir to the folder where I want to write the verification file.
Finally, signed. crt is successfully generated. this is my domain name certificate:


In nginx, you also need to put the intermediate Certificate of Let's Encrypt behind your own certificate to form a certificate chain chained. pem:

1 wget-O-> intermediate. pem 2 cat signed. crt intermediate. pem> chained. pem


In addition, a strong dh needs to be generated. (Not too many digits! I have generated a 4096-bit dh, which has not been generated in half an hour ). About dh security, you can follow this site:, this article:

1 openssl dhparam-out dhparam. pem 2048


After the above private key, certificate, and dh are generated, the nginx configuration file is written:

01 server 02 {03 listen 80; 04 listen 443 ssl; 05 # listen [:]: 80; 06 server_name wiki. ioin. in; 07 index index.html index.htm; 08 09 ssl on; 10 ssl_certificate/etc/ssl/letsencrypt/chained. pem; 11 ssl_certificate_key/etc/ssl/letsencrypt/domain. key; 12 ssl_session_timeout 5 m; 13 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 14 ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES128-GCM-SHA256: DH $15 ssl_session_cache shared: SSL: 50 m; 16 ssl_dhparam/etc/ssl/letsencrypt/dhparam. pem; 17 ssl_prefer_server_ciphers on; 18... the rest of your config 19}


Restart nginx, everything is fine:


In addition, we can view the expiration date of the Certificate. Calculate That this certificate is only three months, that is, one quarter. When the certificate is about to expire, we need to issue a new certificate.
The process of re-issuing the certificate is relatively simple. You only need to re-Execute

We can write the re-issue process in a script:

1 #! /Usr/bin/sh 2 python/path/to/ -- account-key/path/to/account. key -- csr/path/to/domain. csr -- acme-dir/var/www/challenges/>/tmp/signed. crt | exit 3 wget-O-> intermediate. pem 4 cat/tmp/signed. crt intermediate. pem>/path/to/chained. pem 5 service nginx reload


Then add the script to cron and execute it once a month:

1 # example line in your crontab (runs once per month) 2 0 0 1 **/path/to/ 2>/var/log/acme_tiny.log

No manual operation is required ~

Finally, test the SSL quality:



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.