Use Let's Encrypt to protect your packets
Let's Encrypt is a free certificate authority launched at the end of last year. There is essentially no restriction on applying: as long as you can prove that you control a domain name, you can get an SSL certificate for it.
Today I will get a trendy Let's Encrypt certificate for my wiki, wiki.ioin.in.
First, I used acme-tiny, a client developed by a third party. The method Let's Encrypt provides officially is cumbersome, whereas acme-tiny lets you generate the required certificate with a handful of commands.
Download acme-tiny: https://github.com/diafygi/acme-tiny
First, generate an account private key, account.key; acme-tiny uses this key to log on to Let's Encrypt. Then generate a private key for the domain, domain.key:
    openssl genrsa 4096 > account.key
    openssl genrsa 4096 > domain.key
Then generate a certificate signing request, domain.csr, for domain.key; acme-tiny will submit this request over the ACME protocol. If only one domain name needs SSL, you only need to execute the following statement:
    openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr
If you have multiple domain names, such as www.xxx.com and xxx.com, run the following statement instead (the SAN section is appended to a copy of the system openssl.cnf via process substitution, so this needs bash):
    openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
My wiki.ioin.in is a single-domain certificate, so I used the single-domain form above with /CN=wiki.ioin.in.
Let's Encrypt supports several ways of verifying that you own the domain name; acme-tiny uses the simplest one, HTTP file verification.
Simply put, a verification file is generated and served at http://xxxx.com/.well-known/acme-challenge/. Let's Encrypt then fetches that URL and checks that the file exists and has the correct content. If everything checks out, the domain name is confirmed to be yours.
So I created a new directory, /home/www/challenges/, and aliased it to /.well-known/acme-challenge/. That way, the files I write into the challenges directory are reachable at http://xxxx.com/.well-known/acme-challenge/. The nginx configuration is as follows:
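The alias block described above, written out as an added example (this is not the post's own configuration, which is missing from this copy, nor acme-tiny's). It assumes the same /home/www/challenges/ directory and that the plain-HTTP server block for wiki.ioin.in otherwise carries your normal site configuration:

```nginx
# Added example: serve acme-tiny's challenge files from /home/www/challenges/
# at http://wiki.ioin.in/.well-known/acme-challenge/<token> (paths as in the post).
server {
    listen 80;
    server_name wiki.ioin.in;

    location /.well-known/acme-challenge/ {
        # alias maps the part of the URI after the location prefix onto the
        # directory acme-tiny writes its challenge files into
        alias /home/www/challenges/;
        # the tokens are plain text files with no extension
        default_type text/plain;
    }

    # ... the rest of your config
}
```

Only the HTTP (port 80) server needs this location: Let's Encrypt performs the HTTP verification against plain http://, so the challenge directory does not have to be exposed on the HTTPS server at all.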
Then run the acme_tiny.py script:
    python acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /home/www/challenges/ > /etc/ssl/letsencrypt/signed.crt
Set --account-key to the path of the account.key you generated, --csr to the path of your domain.csr, and --acme-dir to the directory the verification file should be written to.
Finally, signed.crt is generated successfully; this is my domain certificate:
In nginx, you also need to append Let's Encrypt's intermediate certificate after your own certificate to form the certificate chain, chained.pem:
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
    cat signed.crt intermediate.pem > chained.pem
In addition, a strong DH parameter set needs to be generated. (Don't choose too many bits! I tried generating a 4096-bit DH and it still hadn't finished after half an hour.) On DH security, see this site: https://weakdh.org, and this article: https://weakdh.org/sysadmin.html
    openssl dhparam -out dhparam.pem 2048
Once the private key, certificate and DH parameters above have been generated, write the nginx configuration file:
    server
    {
        listen 80;
        listen 443 ssl;
        # listen [::]:80;
        server_name wiki.ioin.in;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/ssl/letsencrypt/chained.pem;
        ssl_certificate_key /etc/ssl/letsencrypt/domain.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # (the cipher list below is cut off in the original)
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DH;
        ssl_session_cache shared:SSL:50m;
        ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;
        ssl_prefer_server_ciphers on;
        # ... the rest of your config
    }
Restart nginx and everything works: https://wiki.ioin.in
We can also look at the certificate's expiry date. It turns out this certificate is valid for only three months, that is, one quarter. When it is about to expire, we need to issue a new one.
Re-issuing the certificate is relatively simple: you only need to run acme_tiny.py again.
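A small helper for the expiry check just described, added here as an example (it is not part of the original post or of acme-tiny). It parses the notAfter line that `openssl x509 -enddate -noout` prints, computes the days left, and exits non-zero when fewer than 30 days remain, so a wrapper script can decide whether re-running acme_tiny.py is due. The 30-day threshold and the default chained.pem path are assumptions:

```python
"""Expiry check for a Let's Encrypt certificate (added example, not part of
the original post or of acme-tiny). Reads the notAfter date via openssl and
reports how many days remain before renewal is needed."""
import subprocess
import sys
from datetime import datetime, timezone

# Format openssl uses for notAfter, e.g. "notAfter=Mar 15 12:00:00 2016 GMT"
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(line):
    """Turn one 'notAfter=...' line from openssl into an aware UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if key != "notAfter" or not sep:
        raise ValueError("expected a notAfter= line, got %r" % line)
    # openssl prints "GMT"; strptime accepts it via %Z but returns a naive
    # datetime, so attach UTC explicitly. Single-digit days are padded with
    # two spaces by openssl ("Mar  5"), which strptime tolerates.
    parsed = datetime.strptime(value.strip(), _OPENSSL_DATE_FMT)
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until expiry (negative once the certificate has expired)."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_renewal(not_after, now=None, threshold_days=30):
    """True when fewer than threshold_days remain, or the cert has expired.

    The 30-day default is an assumption: it leaves a few tries of a monthly
    cron job before a 90-day certificate actually runs out."""
    return days_remaining(not_after, now) < threshold_days


def cert_not_after(cert_path):
    """Ask the openssl CLI for the notAfter of the PEM certificate on disk."""
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        universal_newlines=True,
    )
    return parse_not_after(out)


if __name__ == "__main__":
    # Usage: python check_expiry.py /etc/ssl/letsencrypt/chained.pem
    # (the default path below is an assumption matching this post's layout)
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/letsencrypt/chained.pem"
    expiry = cert_not_after(path)
    left = days_remaining(expiry)
    print("%s expires %s (%d days left)" % (path, expiry.isoformat(), left))
    # Exit status 1 means "renew now", so a shell wrapper can branch on it.
    sys.exit(1 if needs_renewal(expiry) else 0)
```

Running it as `python check_expiry.py /etc/ssl/letsencrypt/chained.pem && echo still valid` gives a quick sanity check after each renewal, and a cron wrapper can use `|| /path/to/renew_cert.sh` to renew only when the threshold is reached instead of unconditionally every month.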
We can write the re-issue process in a script:
    #!/usr/bin/sh
    # stop here if issuance fails, so the existing chained.pem stays in place
    python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exit
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
    cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
    service nginx reload
Then add the script to cron so that it runs once a month:
    # example line in your crontab (runs once per month)
    0 0 1 * * /path/to/renew_cert.sh 2>/var/log/acme_tiny.log
No manual intervention is required ~
Finally, test the SSL quality: https://www.ssllabs.com/ssltest/