Let's Encrypt currently provides free SSL certificates.
After some practice, I finally got the certificate installed correctly. Here is a record of the process and the problems I ran into, for anyone who needs it.
Environment
My environment is Alibaba Cloud, Ubuntu 14.04.
Download the tool
Download the certbot tool:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Generate the SSL certificate
service nginx stop
./certbot-auto certonly --standalone --email '[email protected]' -d 'example.com'
Replace example.com with your domain name.
I waited too long at "Installing Python packages", and after I interrupted it there was a problem with the installation.
Error when using certbot-auto to install the Let's Encrypt certificate:
You should consider upgrading via the ‘pip install --upgrade pip’ command.
Certbot has problem setting up the virtual environment.
We were not be able to guess the right solution from your pip output.
Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/ .
I wanted to install the cert directly, but I couldn't find the cert installation after changing various sources. Then I found the following solution:
rm /root/.pip/pip.conf
After solving it, re-run:
./certbot-auto certonly --standalone --email '[email protected]' -d 'example.com'
It may take a few minutes. If a message similar to the following appears, the generation was successful.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2019-09-18. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Configure nginx
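Add the following to the server block of the nginx configuration file:
# "listen 443 ssl;" enables TLS on this port; a separate "ssl on;" is not needed (deprecated in newer nginx)
listen 443 ssl;
# certificate plus intermediate chain
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# private key
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Remember to replace example.com with your domain name.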
Restart nginx
service nginx start
If the startup fails, run the following command to check the configuration file:
nginx -t
Open the website: https://example.com
If you see the green padlock in the browser, congratulations, the setup was successful!
Automatic certificate renewal
The certificate is valid for 90 days. Generally, when there are 30 or more days left, a reminder email is sent to the email address you used when applying for the certificate. At that point, you can create a crontab task to renew it regularly:
./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" --force-renewal
The --pre-hook parameter specifies what to do before the renewal runs. Because I generated the certificate in --standalone mode, I need to stop the nginx service to release the port.
The --post-hook parameter specifies what to do after the renewal has finished; here it starts the nginx service again.
The --force-renewal parameter forces the certificate to be renewed; without it, renew does not update a certificate that is not yet within its renewal period.
This command renews all deployed certificates. If you want to renew a single certificate, use the -d parameter, for example: -d 'example.com'
Detailed parameter commands can be found in this document
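The wrapper script below is an added example, not part of the original post: because --force-renewal reissues the certificate on every run and Let's Encrypt rate-limits issuance, it reads the expiry date first and calls the renew command from this post only when fewer than 30 days remain. The script name /root/renew-if-due.sh, the certbot-auto location /root/certbot-auto and the 30-day threshold are assumptions; it needs GNU date and openssl.

```shell
#!/bin/sh
# Added example, not from the original post. Needs GNU date and openssl.
# Hypothetical crontab entry (Mondays 03:00): 0 3 * * 1 /root/renew-if-due.sh run
CERT=/etc/letsencrypt/live/example.com/fullchain.pem  # path reported by certbot
CERTBOT=/root/certbot-auto                            # assumed download location
THRESHOLD_DAYS=30                                     # assumed renewal window

# Exit 0 when a certificate with notAfter date $1 has fewer than $3 days
# (default THRESHOLD_DAYS) left at epoch time $2, or has already expired.
# Exit 1 when it is not due yet, 2 when the date is empty or unparsable.
needs_renewal() {
    [ -n "$1" ] || return 2
    nr_end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    [ $(( nr_end - $2 )) -lt $(( ${3:-$THRESHOLD_DAYS} * 86400 )) ]
}

# Print the notAfter field of a PEM certificate, e.g. "Sep 18 08:15:00 2019 GMT".
cert_not_after() {
    cna_out=$(openssl x509 -in "$1" -noout -enddate) || return 1
    echo "${cna_out#notAfter=}"
}

main() {
    not_after=$(cert_not_after "$CERT") || { echo "cannot read $CERT" >&2; return 1; }
    needs_renewal "$not_after" "$(date +%s)"
    case $? in
        0)  # due: run the renew command from the post
            "$CERTBOT" renew --pre-hook "service nginx stop" \
                --post-hook "service nginx start" --force-renewal ;;
        1)  echo "$CERT valid until $not_after, not renewing" ;;
        *)  echo "cannot parse expiry date '$not_after'" >&2; return 1 ;;
    esac
}

# Renew only when called with the argument "run", as in the crontab entry.
if [ "${1:-}" = "run" ]; then main; fi
```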