Examples of how to get a permanent free SSL certificate through Let's Encrypt. Tutorials and FAQs

The emergence of Let's Encrypt free SSL certificates will also have a big impact on traditional merchants that provide paid SSL certificate services. So far, Let's Encrypt has been cross-signed by IdenTrust, which means it can be applied and supported by mainstream browsers including FireFox and Chrome. Although it is currently in the public beta stage, there are also many users working on their own website projects. officially used in China.

Although the current Let's Encrypt free SSL certificate is valid for 90 days by default, we can also automatically renew it upon expiration, which does not affect our attempts and use.

First, preparations before installing Let's Encrypt

According to official requirements, we need system support before deploying Let's Encrypt free SSL certificates on VPS and servers. Python 2.7 or above and supports GIT tools.

This needs to be installed and upgraded according to our different system versions, because the versions provided by some service providers are fully compatible, especially the Debian environment compatibility is better than CentOS.

For example, CentOS 6 64-bit environment does not support GIT. We can also refer to "Linux CentOS 6 64-bit system installation Git tool environment tutorial" and "9 steps to upgrade CentOS5 system Python version to 2.7" for installation and upgrade.

The simplest thing is that the Debian environment does not support it. You can run "apt-get -y install git" to directly install support. If it is CentOS, directly run "yum -y install git-core" for support.

This specific problem is discussed and searched for solutions, because each environment and merchant distribution may be different.

The environment I use is centos7, so I will take this as an example.

Second, quickly obtain Let's Encrypt free SSL certificate

Obtaining the certificate and layout is still relatively complicated. Let's Encrypt must have considered the popularization of HTTPS to make it more popular. Users simply obtain and deploy SSL certificates, so they can use the following simple one-click deployment to obtain the certificate.

git clone https://github.com/letsencrypt/letsencryptcd letsencrypt
./letsencrypt-auto certonly --standalone --email admin@***.com -d ***.com -d www.***.com

Then execute the above script. We need to change the domain name to what we need to deploy based on our actual site conditions.

I use nginx proxy server

A little attention: If nginx is started, the certificate may not be generated , please close nginx before executing the above script.

After executing the script, the option Agree or Cancel will appear

Fill in A and press Enter

Third, Let's Encrypt free SSL certificate acquisition and application

After completing the generation of Let's Encrypt certificate, we will in "/etc/letsencrypt/live/** *.com/"There are 4 files in the domain name directory that are the generated key certificate files.

cert.pem - Apache server-side certificate

chain.pem - Apache root certificate and relay certificate
fullchain.pem - ssl_certificate file required by Nginx
privkey.pem - Security certificate KEY File

The Nginx environment I use requires the use of two certificate files, fullchain.pem and privkey.pem.

ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;

In the Nginx environment, just set the corresponding ssl_certificate and ssl_certificate_key paths to the two files we generated. It is best not to move or copy the files. , because when renewing, you can directly renew the directory file generated, and there is no need to manually copy it.

Fourth, solve the validity period problem of Let's Encrypt free SSL certificate

We generate from As you can see from the file, the Let's Encrypt certificate is valid for 90 days and needs to be updated and renewed manually.

./letsencrypt-auto certonly --renew-by-default --email admin@***.com -d ***.com -d www.***.com

In this way, we can solve the renewal problem by executing it again within 90 days, so that we can continue to use it for 90 days. If we are afraid of forgetting, we can also create a scheduled execution task, such as once a month.

Fifth, summary about Let's Encrypt free SSL certificate

A - Domain name DNS and resolution issues. When configuring Let's Encrypt free SSL certificate, the domain name must be resolved to the current VPS server, and the DNS must use the overseas domain name DNS. If you use the domestic free DNS, it may cause an error in obtaining it.

B - Before installing Let's Encrypt and deploying it, the server needs to support PYTHON2.7 and GIT environment, otherwise it cannot be deployed.

C - You need to close the nginx proxy server and execute the generate certificate command to successfully generate the certificate.

D - Let's Encrypt is free for 90 days by default and requires manual or automatic renewal before you can continue to use it.

The above is the detailed content of Examples of how to get a permanent free SSL certificate through Let's Encrypt. Tutorials and FAQs. For more information, please follow other related articles on the PHP Chinese website!