
Practical Application for Let's Encrypt Permanent Free SSL Certificate Tutorial and FAQs

Let's Encrypt is a public, free SSL project that has gradually spread and gained users. It was initiated by Mozilla, Cisco, Akamai, IdenTrust, EFF and other organizations, and its main purpose is to promote the transition from HTTP to HTTPS. More and more businesses have since joined and sponsored it.

The emergence of free Let's Encrypt SSL certificates will also hit businesses that sell traditional paid SSL certificates. Let's Encrypt has obtained a cross-signature from IdenTrust, which means its certificates are compatible with and supported by mainstream browsers, including Firefox and Chrome. Although it is currently in the public beta phase, many users have already deployed it on their own website projects.


On Black Friday this year, Namecheap's promotions included an SSL certificate for 0.88 dollars a year. Lao Zuo bought two at the time as spares to study and put them on some websites to see the effect (it is said that Google favors them on English-language websites). Leng Yu suggested at the time using free Let's Encrypt SSL directly; after all, many large companies support it, which makes it more reliable than the free SSL certificates offered by some small companies.

Although a free Let's Encrypt SSL certificate is currently valid for 90 days by default, it can be renewed automatically when it expires, so this does not affect trying it out or using it. For the sake of the article's accuracy and future usefulness, Lao Zuo plans to take some time to show the process of applying for a Let's Encrypt certificate in sections. This article shares the application tutorial.

First, preparations before installing Let's Encrypt

According to the official requirements, before we deploy free Let's Encrypt SSL certificates on a VPS or server, the system needs Python 2.7 or above and the Git tool. These have to be installed or upgraded according to our system version, because compatibility depends on the system version the provider supplies; Debian in particular is better supported than CentOS.

For example, a CentOS 6 64-bit environment does not come with Git; we can refer to "Linux CentOS 6 64 bit system installation Git tool environment tutorial" and "Step 9 Upgrade the Python version of CentOS5 system to 2.7" to install and upgrade. In the simplest case, if a Debian environment does not have Git, running "apt-get -y install git" installs it directly; on CentOS, run "yum -y install git-core". Specific problems have to be handled case by case by searching for a solution, because each environment and each provider's distribution may differ. In this article, Lao Zuo uses a Debian 7 environment.

Second, quickly obtain Let's Encrypt free SSL certificate

In previous blog posts, Lao Zuo shared several articles about the SSL deployment process, and I found it dizzying myself: obtaining and installing certificates is relatively complex. Let's Encrypt clearly considered that promoting HTTPS means making it easy for users to obtain and deploy SSL certificates, so we can use the following simple one-click method to obtain a certificate.

PS: Before obtaining the certificate files for a site, we need Python 2.7 and Git installed, and the domain name must resolve to the IP of the current VPS host.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email admin@laozuo.org -d laozuo.org -d www.laozuo.org

Then execute the commands above, changing the domain names to those of the site we actually want to deploy.

[Screenshot: Get Let's Encrypt free SSL certificate quickly]

When you see this interface, you can enter Agree directly.

[Screenshot: Let's Encrypt successfully installed]

When you then see this interface, the deployment has succeeded. According to feedback from readers and Lao Zuo's own tests, if the domain uses a domestic DNS service, including the third-party DNSPod, the domain information may not be retrievable.

[Screenshot: Let's Encrypt does not support domestic domain name DNS]

Here we can see the error message "The server could not connect to the client to verify the domain", as well as other errors such as "The server experienced an internal error:: Error creating new registration". For the e-mail address, we should not use a domestic free mailbox. And if the domain is registered overseas, use the DNS provided by the domain registrar first.
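A pre-flight check for the DNS requirement described above, as an added example that is not part of the original article: it asks an overseas public resolver for each name's A records and compares them with the server's address before the certificate request is made. The resolver 8.8.8.8, the placeholder address 203.0.113.10 and the presence of `dig` are assumptions.

```shell
#!/bin/sh
# Added example: confirm each name resolves publicly to this server first.
RESOLVER="${RESOLVER:-8.8.8.8}"   # assumption: overseas public resolver to query

# resolve_a NAME -> IPv4 addresses, one per line, as seen by $RESOLVER (needs dig)
resolve_a() {
  dig +short A "$1" @"$RESOLVER" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# ip_in_list IP "ADDR ADDR ..." -> status 0 when IP is one of the addresses
ip_in_list() {
  for addr in $2; do
    if [ "$addr" = "$1" ]; then return 0; fi
  done
  return 1
}

# preflight SERVER_IP NAME... -> one line per name; returns the number of failures
preflight() {
  server_ip=$1; shift
  failures=0
  for name in "$@"; do
    addrs=$(resolve_a "$name" || true)
    if [ -z "$addrs" ]; then
      echo "FAIL $name: no A record returned by $RESOLVER"
      failures=$((failures + 1))
    elif ip_in_list "$server_ip" "$addrs"; then
      echo "OK   $name -> $server_ip"
    else
      echo "FAIL $name -> $(echo $addrs), expected $server_ip"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage with the article's names; 203.0.113.10 is a placeholder for the VPS IP:
#   preflight 203.0.113.10 laozuo.org www.laozuo.org && \
#     ./letsencrypt-auto certonly --standalone --email admin@laozuo.org \
#       -d laozuo.org -d www.laozuo.org
```

A pass here only shows what that one resolver returns; the validation servers may still see something different if the authoritative DNS answers inconsistently.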

Third, Let's Encrypt free SSL certificate acquisition and application

After the Let's Encrypt certificate has been generated, the domain's directory "/etc/letsencrypt/live/laozuo.org/" contains four files, which are the generated key and certificate files.

cert.pem - Apache server certificate
chain.pem - Apache root certificate and intermediate certificate
fullchain.pem - the ssl_certificate file required by Nginx
privkey.pem - the certificate's private key file

If we use an Nginx environment, we need the fullchain.pem and privkey.pem certificate files when deploying Nginx (refer to: LNMP One Key Package Environment Installing SSL Security Certificates and Deploying HTTPS Website URL Process). In this article, Lao Zuo will not demonstrate installing the Let's Encrypt certificate in detail; a later article will cover deploying the certificate on Nginx and Apache in detail.

ssl_certificate /etc/letsencrypt/live/laozuo.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/laozuo.org/privkey.pem;

For example, in an Nginx environment we only need to point ssl_certificate and ssl_certificate_key at the two generated files. It is better not to move or copy the files, because renewal updates the files in this directory directly, so no manual copying is needed.

Fourth, solve the problem of the validity period of Let's Encrypt free SSL certificate

We can see from the generated file that the Let's Encrypt certificate is valid for 90 days and needs to be renewed manually.

./letsencrypt-auto certonly --renew-by-default --email admin@laozuo.org -d laozuo.org -d www.laozuo.org

Executing this again within the 90 days solves the renewal problem and gives us another 90 days of use. If we are afraid of forgetting, we can also turn it into a scheduled task that runs, for example, once a month.
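One way to turn the renewal into a scheduled task, as an added example that is not part of the original article: the script reads the expiry date from cert.pem and runs the article's renewal command only when fewer than 30 days remain, then reloads Nginx so the new files are picked up. The 30-day window, the clone location `/root/letsencrypt`, the script path in the crontab line and the use of `openssl` and GNU `date` are assumptions.

```shell
#!/bin/sh
# Added example: renew the certificate only when it is close to expiry.
LIVE_DIR="/etc/letsencrypt/live/laozuo.org"  # certificate directory from the article
LE_DIR="${LE_DIR:-/root/letsencrypt}"        # assumption: where the git clone lives
RENEW_BEFORE_DAYS=30                         # assumption: renewal window in days

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days until expiry (<= 0 once expired)
days_left() { echo $(( ($1 - $2) / 86400 )); }

# should_renew NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD_DAYS -> status 0 when renewal is due
should_renew() { [ "$(days_left "$1" "$2")" -lt "$3" ]; }

# cert_not_after_epoch CERT_FILE -> expiry as Unix time (needs openssl and GNU date)
cert_not_after_epoch() {
  not_after=$(openssl x509 -noout -enddate -in "$1") || return 1
  date -d "${not_after#notAfter=}" +%s
}

renew_if_due() {
  expiry=$(cert_not_after_epoch "$LIVE_DIR/cert.pem") || {
    echo "cannot read $LIVE_DIR/cert.pem" >&2; return 2; }
  if should_renew "$expiry" "$(date +%s)" "$RENEW_BEFORE_DAYS"; then
    # Renewal command exactly as given in the article.
    (cd "$LE_DIR" && ./letsencrypt-auto certonly --renew-by-default \
        --email admin@laozuo.org -d laozuo.org -d www.laozuo.org) || return 1
    # Nginx keeps serving the old certificate until it is reloaded.
    nginx -s reload
  else
    echo "valid for $(days_left "$expiry" "$(date +%s)") more days; nothing to do"
  fi
}

# Runs only when called with --run, e.g. from root's crontab (hypothetical path):
#   0 3 * * * /usr/local/bin/le-renew.sh --run
if [ "${1:-}" = "--run" ]; then renew_if_due; fi
```

Checking daily and renewing inside a window leaves time to notice and fix a failed renewal before the 90 days run out, which a single monthly attempt does not.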

Fifth, summary of Let's Encrypt free SSL certificate

Having worked through the steps above, we should now know how to use Let's Encrypt to generate and obtain SSL certificate files for free. As Let's Encrypt becomes more popular, SSL will be free in the future, because most mainstream browsers support it and more mainstream businesses support and sponsor it. HTTPS is also the trend of the future. When running Let's Encrypt, there are several problems we need to solve.

A - Domain name DNS and resolution. When configuring a free Let's Encrypt SSL certificate, the domain name must resolve to the current VPS server, and the domain must use an overseas DNS service. With a domestic free DNS service, you may get an error and be unable to obtain the certificate.

B - Before installing Let's Encrypt, the server must have Python 2.7 and a Git environment, or it cannot be deployed.

C - A free Let's Encrypt certificate is valid for 90 days by default and can continue to be used only after manual or automatic renewal.

Do not reprint without permission: Lao Zuo's Notes » Practical Application for Let's Encrypt Permanent Free SSL Certificate Tutorial and FAQs
