Let's Encrypt is a popular program that issues free SSL certificates automatically; each certificate is valid for 90 days. Let's Encrypt also publishes a tool, certbot, with which generating and renewing certificates is very simple.
The following procedure generates a wildcard certificate with certbot (CentOS 7 is used as the example):
Run (the wildcard is quoted so that the shell does not expand it as a file glob):
certbot certonly -d '*.domain.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Please deploy a DNS TXT record under the name _acme-challenge.domain.com with the following value: ************* Before continuing, verify the record is deployed.
When this prompt appears, add the TXT record in your DNS provider's management console, wait a few minutes for it to propagate, then use the nslookup command to check whether it has taken effect:
nslookup -q=TXT _acme-challenge.domain.com
Once the TXT record resolves, press Enter in the certbot prompt to run the validation. When the certificate is issued successfully, certbot prints a message like the following:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2019-11-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
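Before pressing Enter at the prompt above it is worth confirming that the value the resolver returns for _acme-challenge.domain.com is exactly the one certbot asked for, because a stale or mistyped value makes the validation fail and uses up one of the rate-limited attempts. The following shell script is an added example and not code from the original post: it extracts the quoted values from nslookup -q=TXT output and compares them with the expected token. The nslookup output and the token it contains are constructed samples; check_live is the only function that performs a real query and needs network access.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the _acme-challenge TXT
# record carries the value certbot asked for before pressing Enter.

# Read `nslookup -q=TXT` output on stdin and print each quoted TXT value on its own line.
txt_values_from_nslookup() {
    sed -n 's/.*text = "\(.*\)"[[:space:]]*$/\1/p'
}

# Return 0 if EXPECTED ($1) is one of the TXT values in the nslookup output ($2).
# Exact whole-line match, so a truncated or stale token is not accepted.
challenge_is_published() {
    expected="$1"
    printf '%s\n' "$2" | txt_values_from_nslookup | grep -qxF -- "$expected"
}

# Live variant: query DNS for NAME ($1) and compare with EXPECTED ($2). Needs network;
# an optional third argument names the server to ask (e.g. the zone's authoritative NS).
check_live() {
    challenge_is_published "$2" "$(nslookup -q=TXT "$1" ${3:+"$3"} 2>&1)"
}

# Constructed sample of nslookup output; the token value is made up.
SAMPLE_OUTPUT='Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.domain.com      text = "gfj9Xq_constructed_token_value"

Authoritative answers can be found from:'

if challenge_is_published "gfj9Xq_constructed_token_value" "$SAMPLE_OUTPUT"; then
    echo "TXT record is published: safe to press Enter in certbot"
else
    echo "TXT record not visible yet: wait and check again"
fi
```

When the record was only just changed, ask the zone's authoritative name server (for example check_live _acme-challenge.domain.com "$TOKEN" ns1.your-provider.example, where the server name is a placeholder) rather than a caching resolver: a cached negative answer can otherwise report the record as missing for the whole TTL. Because the match is per line, the check also works when several TXT values are published under the same name, as happens when the wildcard and the bare domain are validated together.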
Then go back to the Alibaba Cloud SLB console, find the certificate management page, and choose to add a certificate.
Use the cat command to display the public certificate and the private key, and copy each into the corresponding field of the Alibaba Cloud add-certificate form.
Display the public certificate (the full chain):
cat /etc/letsencrypt/live/domain.com/fullchain.pem
Alibaba Cloud requires the private key to begin with -----BEGIN RSA PRIVATE KEY-----, so the private key file must first be converted to the traditional RSA PEM format by running the following command:
openssl rsa -in /etc/letsencrypt/live/domain.com/privkey.pem -out /etc/letsencrypt/live/domain.com/privkey.rsa.pem
View the private key:
cat /etc/letsencrypt/live/domain.com/privkey.rsa.pem
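The conversion above succeeds silently even if the wrong key file is chosen, and on newer OpenSSL releases the output header is not the one the console expects: OpenSSL 3 writes PKCS#8 (-----BEGIN PRIVATE KEY-----) by default and needs the -traditional option to emit the RSA header, whereas the plain command is sufficient on the OpenSSL 1.0.2 shipped with CentOS 7. The script below is an added example and not code from the original post: it performs the conversion, checks the header, and verifies that the key's modulus matches the certificate's modulus before anything is pasted into the console. The self-signed certificate it generates under a temporary directory is a constructed stand-in for the real /etc/letsencrypt/live files.

```shell
#!/bin/sh
# Added example, not from the original post: convert the certbot private key to
# the traditional RSA PEM form and check it before pasting it into the console.

# Convert the PKCS#8 key ($1) to traditional "RSA PRIVATE KEY" PEM ($2).
# OpenSSL 3 writes PKCS#8 by default and needs -traditional; OpenSSL 1.x lacks
# that option and already writes the traditional form.
to_traditional_rsa() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -in "$1" -out "$2" -traditional
    else
        openssl rsa -in "$1" -out "$2"
    fi
}

# Return 0 if the PEM file ($1) starts with the header Alibaba Cloud expects.
has_rsa_header() {
    [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ]
}

# Return 0 if the modulus of the first certificate in $1 equals the modulus of key $2,
# i.e. the key really belongs to that certificate.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Convert the fullchain/key pair ($1, $2), run every check, and return 0 only if all pass.
# The converted key is written next to the original as privkey.rsa.pem, as on the page.
ready_for_upload() {
    fullchain="$1"; key="$2"; out="${key%.pem}.rsa.pem"
    to_traditional_rsa "$key" "$out" 2>/dev/null || { echo "conversion of $key failed"; return 1; }
    has_rsa_header "$out" || { echo "$out does not start with the RSA PRIVATE KEY header"; return 1; }
    cert_matches_key "$fullchain" "$out" || { echo "$out does not match $fullchain"; return 1; }
    echo "OK: $out is ready to paste into the console"
}

# Self-test on a constructed throw-away self-signed certificate; no real
# /etc/letsencrypt files are touched.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.invalid" -days 1 \
    -keyout "$DEMO_DIR/privkey.pem" -out "$DEMO_DIR/fullchain.pem" 2>/dev/null
ready_for_upload "$DEMO_DIR/fullchain.pem" "$DEMO_DIR/privkey.pem"
```

On the server the call is ready_for_upload /etc/letsencrypt/live/domain.com/fullchain.pem /etc/letsencrypt/live/domain.com/privkey.pem; the converted file inherits the permissions openssl gives it, so keep it inside the letsencrypt directory or remove it after the upload rather than leaving an extra copy of the private key around.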
When the certificate needs to be renewed, run the following command on the server and follow the prompts:
certbot renew
The following certbot-auto usage notes are collected from the web and are included for reference only:
Installation:
On CentOS 6 or 7, first run: yum install epel-release
cd /root/
wget --no-check-certificate https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
./certbot-auto -n
./certbot-auto -n only installs the dependencies; this step can be skipped by going straight to the certificate-generation commands below. On a server in China it is recommended to switch pip to a domestic mirror first.
Generate a certificate for a single domain name:
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/wwwroot/www.vpser.net -d www.vpser.net
Generate one certificate for multiple domain names served from a single directory (that is, several domain names of one website share one certificate):
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/wwwroot/www.vpser.net -d www.vpser.net -d bbs.vpser.net
Generate one certificate for multiple domain names served from multiple directories (that is, one certificate covers the domain names of several sites):
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/wwwroot/www.vpser.net -d www.vpser.net -d bbs.vpser.net -w /home/wwwroot/lnmp.org -d www.lnmp.org -d lnmp.org
Certificate renewal
Renewal is easier than the original issuance; because certificates are valid for only 90 days, automatic renewal via crontab is recommended:
Add the following rule to crontab:
0 3 */5 * * /root/certbot-auto renew --disable-hook-validation --renew-hook "/etc/init.d/nginx reload"
This runs a renewal for all domain names every 5 days at 03:00. The schedule can be adjusted, but it should not run too often, because Let's Encrypt limits the number of requests. If you need to force an update, add the --force-renew parameter.
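Both renewal paths above (certbot renew for the wildcard certificate and the five-day certbot-auto cron job) can fail without anyone noticing; in particular a certificate obtained with --manual, as in the wildcard procedure, is skipped by an unattended certbot renew unless a --manual-auth-hook was supplied. The script below is an added example and not code from the original post: it walks a certbot-style live/ directory and reports every certificate that is already inside certbot's 30-day renewal window, which is the signal that the renewal job is not doing its work. The two self-signed certificates it builds under a temporary directory are constructed stand-ins; on a real server point report_live_certs at /etc/letsencrypt/live.

```shell
#!/bin/sh
# Added example, not from the original post: list certificates in a certbot-style
# live/ directory and flag those already inside the renewal window, so a cron
# renewal that is silently failing (e.g. a --manual certificate without an
# auth hook) is noticed before the certificate expires.

RENEW_WINDOW_DAYS=30   # certbot only renews certificates with less than this left

# Return 0 if certificate $1 stays valid for at least $2 more days.
cert_ok_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print one line per <name>/fullchain.pem under live dir $1 and return the number
# of certificates that need renewal (0 means everything is fine).
report_live_certs() {
    live_dir="$1"; due=0
    for cert in "$live_dir"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        end=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
        if cert_ok_for_days "$cert" "$RENEW_WINDOW_DAYS"; then
            echo "OK     $name (expires $end)"
        else
            echo "RENEW  $name (expires $end)"
            due=$((due + 1))
        fi
    done
    return "$due"
}

# Build a throw-away live/ directory with two constructed self-signed certificates:
# one that expires tomorrow and one valid for 90 days. Prints the directory path.
make_demo_live_dir() {
    dir=$(mktemp -d)
    for spec in soon.invalid:1 fresh.invalid:90; do
        cn=${spec%%:*}; days=${spec##*:}
        mkdir -p "$dir/$cn"
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$cn" -days "$days" \
            -keyout "$dir/$cn/privkey.pem" -out "$dir/$cn/fullchain.pem" 2>/dev/null
    done
    echo "$dir"
}

# On a real server use: report_live_certs /etc/letsencrypt/live
DEMO_LIVE=$(make_demo_live_dir)
report_live_certs "$DEMO_LIVE" || echo "$? certificate(s) inside the $RENEW_WINDOW_DAYS-day window: check the renewal job"
```

Run it from a separate cron entry a day or two after the renewal job, or from your monitoring system, and alert on a non-zero exit status; a certificate that the renewal job handled correctly never shows up as RENEW, because certbot replaces it as soon as it enters the 30-day window.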