Let's Encrypt certificate issuance and configuration
in Tutorial with 13 comments

This tutorial does not use any script to configure the Let's Encrypt certificate, which also makes it a good way for novices to get familiar with https configuration. The domain name linpx.com that appears in the tutorial must be replaced with the domain name you want a certificate for. The tutorial was written after doing this on an AliCloud ECS instance; follow it and your certificate will be issued successfully.

CentOS 7.x is the best fit for this tutorial, because CentOS 6.x first needs Python upgraded to 2.7.

Issue a certificate

After entering the terminal with root permission, first stop nginx (required)

CentOS 6.x:

 service nginx stop

CentOS 7.x:

 systemctl stop nginx

Then obtain the source code of Let's Encrypt and enter its directory

 git clone https://github.com/letsencrypt/letsencrypt
 cd letsencrypt

Then issue a certificate for your website

 ./letsencrypt-auto certonly --standalone --email i@linpx.com -d linpx.com -d www.linpx.com

Note! If you see an error like the following:

 (from  https://pypi.python.org/simple/python2-pythondialog/ ) failed: <urlopen error [Errno -2] Name or service not known>

If this error occurs, the following configuration is required

 mv /etc/resolv.conf /etc/resolv.conf.backup && vim /etc/resolv.conf

After opening the resolv.conf file, it should be empty

Press i to enter edit mode, paste the following contents, then save and exit

 nameserver 223.5.5.5
 nameserver 8.8.8.8

Then re-execute the command to issue a certificate for your website

 ./letsencrypt-auto certonly --standalone --email i@linpx.com -d linpx.com -d www.linpx.com

This is mainly to fix the DNS resolution failure on the server.


After completing the above operations, Let's Encrypt has issued a certificate for your website

You can list it with the following command (the domain name here is the one you issued the certificate for)

 ls /etc/letsencrypt/live/linpx.com

There will be four files in it:

 cert.pem  chain.pem  fullchain.pem  privkey.pem

The first two (cert.pem and chain.pem) are what Apache uses, and the last two (fullchain.pem and privkey.pem) are what Nginx uses.
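Before pointing Nginx at these files it is worth checking that they are complete, that privkey.pem really is the private half of the certificate (otherwise Nginx refuses to start with a "key values mismatch" error), and how long the certificate has left. The following script is an added example, not part of the original tutorial; it assumes the openssl command-line tool is installed and uses the four file names listed above. The function names (live_dir_complete, cert_matches_key, cert_expires_within, check_live_dir) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks on the files
# Let's Encrypt wrote under /etc/letsencrypt/live/<domain>, run before
# pointing nginx at them. Requires the openssl command-line tool.

LIVE_FILES="cert.pem chain.pem fullchain.pem privkey.pem"

# live_dir_complete DIR -> 0 if all four expected files exist, 1 otherwise
live_dir_complete() {
  for f in $LIVE_FILES; do
    [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
  done
  return 0
}

# cert_matches_key CERT KEY -> 0 if the certificate's public key is the
# public half of KEY; 2 if either file cannot be parsed
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT SECONDS -> 0 if CERT expires within SECONDS,
# 1 if it stays valid longer than that (inverts openssl's -checkend result)
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
    return 1   # openssl says: will NOT expire within the window
  else
    return 0
  fi
}

# check_live_dir DIR: run all checks, warn when fewer than 30 days remain,
# and print the subject and expiry date of the leaf certificate
check_live_dir() {
  dir=$1
  live_dir_complete "$dir" || return 1
  cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" \
    || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
  if cert_expires_within "$dir/cert.pem" $((30 * 24 * 3600)); then
    echo "WARNING: $dir/cert.pem expires within 30 days; renew now" >&2
  fi
  openssl x509 -in "$dir/cert.pem" -noout -subject -enddate
}

# usage: check_live_dir /etc/letsencrypt/live/linpx.com
```

A non-zero exit from check_live_dir means Nginx should not be restarted with these paths yet; the 30-day warning matches the point in the 90-day lifetime at which a renewal is normally due.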

Configure Nginx

This assumes you have already enabled https and only need to replace the certificate.

Open the Nginx configuration file for the website

Suppose my configuration file is in /usr/local/nginx/conf/vhost:

 vim /usr/local/nginx/conf/vhost/www.linpx.com.conf

After opening, press i to enter edit mode and find

 ssl_certificate .............;
 ssl_certificate_key ............;

Modify them to

 ssl_certificate /etc/letsencrypt/live/linpx.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/linpx.com/privkey.pem;

Don't forget to start Nginx

CentOS 6.x:

 service nginx start

CentOS 7.x:

 systemctl start nginx

So far, the certificate issuance and configuration of Let's Encrypt have been completed. Refresh your website and you will see the green lock.

Automatic renewal

The validity period of a Let's Encrypt certificate is only 90 days, so you need to set up an automatic renewal task.

Install crontabs first. Usually you will be told that it is already installed.

 yum -y install crontabs

then

 crontab -e

Add the following content on a new line. The directory /root/letsencrypt is the directory into which letsencrypt was downloaded in the previous step.

CentOS 6.x:

 0 0 1 * * service nginx stop && /root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email i@linpx.com -d linpx.com -d www.linpx.com && service nginx start

CentOS 7.x:

 0 0 1 * * systemctl stop nginx && /root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email i@linpx.com -d linpx.com -d www.linpx.com && systemctl start nginx

After adding, save and exit, then view the scheduled task list

 crontab -l

If it is displayed, the scheduled task has been added successfully.

In this way, the server will automatically renew your Let's Encrypt certificate on the first day of each month.
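One weakness of chaining the three steps with && in the cron line is that if letsencrypt-auto fails (for example, the DNS problem from earlier in the tutorial), the last command never runs and the website stays down until someone notices. The wrapper below is an added example, not part of the original tutorial: it always runs the start command after the renewal attempt, then logs the renewal's own exit status so a failed month is visible. It assumes the client lives in /root/letsencrypt as in the tutorial, that the script is saved as /root/renew-le.sh, and that systemctl is used (CentOS 7.x); the function names and the log path are this example's own. The standalone authenticator still needs port 80 free, which is why nginx is stopped at all; a commenter below points out that the webroot authenticator avoids the stop entirely.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a renewal wrapper for the
# standalone authenticator that restarts nginx even when renewal fails.
# Assumed paths: client in /root/letsencrypt, this script at /root/renew-le.sh.

LE_DIR="${LE_DIR:-/root/letsencrypt}"
DOMAINS="${DOMAINS:--d linpx.com -d www.linpx.com}"
EMAIL="${EMAIL:-i@linpx.com}"
LOG="${LOG:-/var/log/letsencrypt-renew.log}"   # assumed log location

stop_nginx()  { systemctl stop nginx; }
start_nginx() { systemctl start nginx; }
renew_cert() {
  # subshell so the cd does not leak into the rest of the script
  ( cd "$LE_DIR" && ./letsencrypt-auto certonly --standalone --renew-by-default \
      --email "$EMAIL" $DOMAINS )
}

# renew_between_stop_start STOP RENEW START
# Runs STOP, then RENEW, then START regardless of RENEW's result.
# Exit status: 2 if STOP fails (nothing else is attempted), 3 if START fails,
# otherwise RENEW's own status, so a failed renewal is still reported.
renew_between_stop_start() {
  stop_fn=$1; renew_fn=$2; start_fn=$3
  "$stop_fn" || return 2
  status=0
  "$renew_fn" || status=$?
  "$start_fn" || return 3
  return $status
}

main() {
  renew_between_stop_start stop_nginx renew_cert start_nginx
  rc=$?
  echo "$(date '+%F %T') renewal exit status $rc" >> "$LOG"
  return $rc
}

# Run only when executed as the renewal script itself. Matching cron entry
# (replaces the tutorial's one-liner):
#   0 0 1 * * /bin/sh /root/renew-le.sh
case "$0" in
  */renew-le.sh|renew-le.sh) main ;;
esac
```

With this in place, `crontab -l` shows a single short entry and the log file records one line per month; any non-zero status in that log is the signal to run the certonly command by hand and read its output.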


Responses
  1. xianghe

    Hello, may I ask whether this certificate can be made on a LAN? For example, must the domain name filled in be accessible from the public network? I also want to use this for a certificate now. Could you please tell me what I need to prepare?

    Reply
    1. @xianghe

      Let's forget about the LAN. Just sign one yourself, and then verify the certificate on all computers on the LAN.

      Reply
      1. xianghe
        @Chakhsu Lau

        Mm-hmm. I've been misled for the past two days. I've been struggling with it on the LAN and the result always tells me that the domain name resolution is wrong. I saw your personal website today and it's well done. I want to build my own website. I bought a .cn domain name in the evening, and now I want to buy a virtual machine. But I read on the Internet that the domain name needs to be filed, and the filing will take several days. I want to ask: if I buy a virtual machine and build a website now, can others access it through the domain name? (Can you share some of your experience in building a website? This is my QQ mailbox. I hope we can add each other as friends if possible.)

        Reply
  2. With the -a webroot module, there is no need to stop the service

    Reply
  3. Aga

    The certificate quality check reports:
    TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    TLS_RSA_WITH_RC4_128_SHA (0x5)
    These two items are unsafe

    RC4 is INSECURE (bright red)
    How do you fix it?

    Reply
    1. @Aga

      For the cipher suite, the following one is CloudFlare's, and I also use it.

      EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

      Reply
      1. Aga
        @Chakhsu Lau

        Thank you very much. Do you have a QQ email I can add? My E-mail: ruianren025 {@}163.com , we can talk when you are free
        In addition, for friends who need to set VIM as the editor when running crontab, this works permanently:
        sudo update-alternatives --config editor (then select the editor)
        sudo /etc/init.d/cron restart

        Reply
  4. Mark

    The picture on the blog home page has disappeared!

    Reply
    1. @Mark

      My blog pictures have disappeared? All the pictures on this website use Qiniu's CDN, so it should be a Qiniu problem that the pictures cannot be seen.

      Reply
  5. Mark

    In my own testing, the Nginx server needs to be shut down before the certificate can be re-issued. Is it because my configuration is incorrect? Otherwise, Let's Encrypt says that ports 80 and 443 are occupied!

    Reply
    1. @Mark

      0 0 1 root /root/letsencrypt systemctl stop nginx && ./letsencrypt-auto certonly --renew-by-default --email iii@lightfish.top -d lightfish.top -d www.lightfish.top && systemctl start nginx

      Do you want to try this for automatic renewal?

      Reply
    2. @Mark

      Maybe I didn't write the scheduled task very well. I'm changing it now. Thanks for your feedback!

      Reply
  6. Add when available

    Reply