Let's Encrypt Free Wildcard SSL Certificate Application Tutorial

1. Download the client and make it executable.

# Download the Certbot client (on CentOS 6 or later, install the epel repository first)
$ wget https://dl.eff.org/certbot-auto

# Make it executable
$ chmod a+x certbot-auto

2. Request the wildcard certificate and verify domain name ownership.

$ ./certbot-auto certonly -d "*.xxx.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Example:
$ ./certbot-auto certonly -d "*.zhangyuqing.me" -d "zhangyuqing.me" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Note:
- certonly: obtain the certificate only, without installing it. Certbot has many plugins; different plugins can obtain certificates in different ways, and you choose according to your needs.
- -d: which hosts to request the certificate for. For a wildcard, enter *.xxx.com (replace it with your own domain name).
- --preferred-challenges dns-01: use a DNS record to verify domain name ownership.
- --server: the Let's Encrypt ACME v2 endpoint is different from the v1 endpoint and must be specified explicitly.


After the e-mail address is entered, there are two interactive prompts: whether you agree to the Let's Encrypt terms of service, and whether you accept that the IP address of this machine will be publicly logged as having requested a certificate for the domain name. Both must be confirmed before Certbot proceeds.

3. Add the DNS TXT record to generate the SSL certificate. (Do not press Enter before confirming that the TXT record is in effect. The DNS TXT record is required to verify domain name ownership, that is, to determine whether the certificate applicant controls the domain name.)

# Add the record value shown by Certbot in your DNS provider's console, then check it from the server

$ dig -t txt _acme-challenge.newyingyong.cn @8.8.8.8


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512

;; QUESTION SECTION:
;_acme-challenge.newyingyong.cn. IN TXT


;; ANSWER SECTION:
_acme-challenge.newyingyong.cn. 599 IN TXT "记录值"

 

After you have confirmed that the record is live, press Enter to let Certbot continue; it then validates the record and prints the result, including where the certificate was saved:
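The check the step above asks for, as an added example that is not part of the original tutorial: a small POSIX shell script that parses `dig -t txt` output and polls several public resolvers (8.8.8.8, 1.1.1.1 and 9.9.9.9 are assumptions, as is the 15-second polling interval) until all of them return the value Certbot printed, so you only press Enter once the record has actually propagated. The sample dig output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): before pressing Enter in
# Certbot, confirm that the _acme-challenge TXT value it printed is visible on
# public resolvers, so the validation does not fail on a missing or stale record.

# Print the TXT values from `dig -t txt` output ($1), one per line, quotes removed.
# Only answer lines have "TXT" in the fourth column; the question line does not.
extract_txt_values() {
    printf '%s\n' "$1" | awk '$4 == "TXT" { v = $5; gsub(/"/, "", v); print v }'
}

# Exit 0 when the expected value ($2) is among the TXT values in dig output $1.
txt_value_present() {
    extract_txt_values "$1" | grep -qxF -- "$2"
}

# Query one resolver ($2) for the challenge record of domain $1.
query_challenge() {
    dig +time=3 +tries=1 -t txt "_acme-challenge.$1" "@$2"
}

# Poll until every listed resolver returns the expected value, or give up.
# $1: domain, $2: expected value, $3: max attempts (default 20, 15 s apart)
wait_for_challenge() {
    domain=$1; expected=$2; attempts=${3:-20}
    while [ "$attempts" -gt 0 ]; do
        missing=0
        for resolver in 8.8.8.8 1.1.1.1 9.9.9.9; do   # assumed resolver list
            if ! txt_value_present "$(query_challenge "$domain" "$resolver")" "$expected"; then
                echo "$resolver: record not yet visible"
                missing=1
            fi
        done
        [ "$missing" -eq 0 ] && { echo "all resolvers see the record"; return 0; }
        attempts=$((attempts - 1))
        sleep 15
    done
    echo "gave up waiting for _acme-challenge.$domain" >&2
    return 1
}

# Constructed sample of dig output, in the shape shown in the tutorial.
SAMPLE_DIG_OUTPUT=$(cat <<'EOF'
;; QUESTION SECTION:
;_acme-challenge.example.com.   IN  TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 599 IN TXT "constructed-challenge-value"
EOF
)

# Usage: ./check_txt.sh example.com "<value certbot printed>"
if [ "$#" -eq 2 ]; then
    wait_for_challenge "$1" "$2"
fi
```

Run it in a second terminal while Certbot is waiting; when it reports that all resolvers see the record, go back and press Enter. Querying authoritative-independent resolvers rather than your own machine's cache is the point, since Let's Encrypt validates from the outside.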

4. To inspect the certificate, run:
$ openssl x509 -in /etc/letsencrypt/live/xxx.com/cert.pem -noout -text
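A complementary check for this step, as an added example that is not part of the original tutorial: the script below pulls the DNS names out of the certificate's subjectAltName (using `openssl x509 -ext subjectAltName`, available in OpenSSL 1.1.1 and later) and tests which hostnames they cover using the single-label wildcard rule. It makes concrete why the example in step 2 requests both "*.zhangyuqing.me" and "zhangyuqing.me": a wildcard matches www.xxx.com but neither the bare xxx.com nor a deeper a.b.xxx.com. The script name and the hostnames used in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report which hostnames a
# certificate's subjectAltName entries actually cover.
# A wildcard *.xxx.com matches exactly one label (www.xxx.com) but neither the
# bare domain xxx.com nor a deeper name a.b.xxx.com.

# Does hostname $1 match one SAN entry $2? Wildcards are only honoured as the
# complete leftmost label, which is how browsers and Let's Encrypt treat them.
san_matches() {
    host=$1; san=$2
    case "$san" in
        '*.'*)
            suffix=${san#\*.}
            case "$host" in
                *".$suffix")
                    prefix=${host%".$suffix"}
                    # exactly one non-empty label may stand in for the '*'
                    case "$prefix" in
                        ''|*.*) return 1 ;;
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *) [ "$host" = "$san" ] ;;
    esac
}

# Does hostname $1 match any entry in the whitespace-separated SAN list $2?
covered_by() {
    host=$1
    for san in $2; do
        san_matches "$host" "$san" && return 0
    done
    return 1
}

# Print the DNS SANs of PEM certificate $1, one per line.
# `openssl x509 -ext` exists in OpenSSL 1.1.1 and later.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Usage (assumed script name):
#   ./san_check.sh /etc/letsencrypt/live/xxx.com/cert.pem www.xxx.com xxx.com a.b.xxx.com
if [ "$#" -ge 2 ]; then
    cert=$1; shift
    sans=$(cert_dns_sans "$cert" | tr '\n' ' ')
    for h in "$@"; do
        if covered_by "$h" "$sans"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
fi
```

If the bare domain is reported as not covered, the fix is the one the tutorial already shows: request the certificate with a second -d for the apex name. A name nested two levels below the wildcard needs its own wildcard (for example *.b.xxx.com) or an explicit -d entry.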


5. Modify the Apache configuration
After the certificate has been generated, edit the Apache configuration file /usr/local/apache/conf/httpd.conf: find the line containing httpd-ssl and remove the leading # so the SSL configuration is included.

Then write the SSL configuration file. For Apache 2.4:

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLHonorCipherOrder on

SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

Mutex sysvsem default

SSLStrictSNIVHostCheck on
EOF

Then add the following SSL virtual host below the last </VirtualHost> in the corresponding Apache virtual host configuration file (Apache does not allow comments at the end of a directive line, so the comments are on their own lines):

<VirtualHost *:443>
    # Website directory
    DocumentRoot /home/wwwroot/www.vpser.net
    # Domain name
    ServerName www.vpser.net:443
    # Email
    ServerAdmin [email protected]
    # Error log
    ErrorLog "/home/wwwlogs/www.vpser.net-error_log"
    # Access log
    CustomLog "/home/wwwlogs/www.vpser.net-access_log" common
    SSLEngine on
    # Change the domain name in both paths to your own
    SSLCertificateFile /etc/letsencrypt/live/www.vpser.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.vpser.net/privkey.pem
    # Website directory
    <Directory "/home/wwwroot/www.vpser.net">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        # Apache 2.4 access control (replaces the 2.2 "Order allow,deny" / "Allow from all" pair)
        Require all granted
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>

Certbot official website: https://certbot.eff.org/
