Request a free https certificate through Let's Encrypt.
Environment: centos 7+apache/nginx
This article uses Certbot, the ACME client recommended by letsencrypt.org, to obtain certificates.
Get Certbot
Visit https://certbot.eff.org/ and follow the prompts to select your environment.
This article follows https://certbot.eff.org/lets-encrypt/centosrhel7-apache ; install as instructed there.
Installation steps
1. Install EPEL (Extra Packages for Enterprise Linux)
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
2. Install Certbot
yum install certbot-apache
certbot --apache
3. Start applying for a certificate
# Note: replace xxxlab.cn with your own domain name
certbot -i nginx -d "*.xxxlab.cn" -d xxxlab.cn --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns certonly
The application process interaction is as follows:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxxlab.cn
dns-01 challenge for xxxlab.cn
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name (first DNS configuration)
_acme-challenge.xxxlab.cn with the following value:
7rBRoMUcyphsdfdsfsfdfsaa3332rsdfsaOeMv1Tfpk-6phU
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name (second DNS configuration; keep the first record as well)
_acme-challenge.xxxlab.cn with the following value:
FjPeO3aHA2GXXhAiknu4d0sfdsdf23r223uXIff--E4
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxxlab.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxxlab.cn/privkey.pem
Your cert will expire on 2018-06-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Note that the process requires creating a TXT record at _acme-challenge.xxxlab.cn twice with the values shown above, once per dns-01 challenge (one for xxxlab.cn and one for *.xxxlab.cn), so both TXT records must exist at the same time.
Test with dig
dig _acme-challenge.xxxlab.cn txt
The result is as follows:
......
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxlab.cn. IN TXT
;; ANSWER SECTION:
_acme-challenge.xxxlab.cn. 86400 IN TXT "7rBRoMUcyphsdfdsfsfdfsaa3332rsdfsaOeMv1Tfpk-6phU"
_acme-challenge.xxxlab.cn. 86400 IN TXT "FjPeO3aHA2GXXhAiknu4d0sfdsdf23r223uXIff--E4"
.........
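The following added example (not from the original post) automates the dig check above: before pressing Enter in the manual dns-01 flow, it verifies that every challenge token is published, and it queries the zone's own nameserver rather than a local resolver that may have cached the first record. The function names, the token values and the sample dig output are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: check that every dns-01 token
# is visible in DNS before pressing Enter in the manual certbot flow.
# Function names and the sample dig output below are constructed for this example.

# Print the unquoted TXT values found in full dig output read from stdin.
extract_txt_values() {
    # Answer lines look like:  name. TTL IN TXT "value"   (comment lines start with ';')
    grep -E '^[^;].*[[:space:]]IN[[:space:]]+TXT[[:space:]]' |
        sed -n 's/.*TXT[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) only if every token given as an argument is present in the
# dig output on stdin; a wildcard plus base-domain request needs two records.
txt_tokens_present() {
    values=$(extract_txt_values)
    for token in "$@"; do
        printf '%s\n' "$values" | grep -qxF -- "$token" || return 1
    done
    return 0
}

# Query the zone's own nameserver, so a resolver that cached the first record
# (the TTL shown in the post is 86400 s) cannot hide the second one.
check_acme_txt() {
    name=$1; zone=$2; shift 2
    ns=$(dig +short NS "$zone" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $zone" >&2; return 2; }
    dig "@$ns" "$name" TXT | txt_tokens_present "$@"
}

# Constructed sample of dig output with both challenge records present.
SAMPLE_DIG_OUTPUT=';; QUESTION SECTION:
;_acme-challenge.xxxlab.cn.     IN      TXT

;; ANSWER SECTION:
_acme-challenge.xxxlab.cn. 86400 IN TXT "tokenA-constructed"
_acme-challenge.xxxlab.cn. 86400 IN TXT "tokenB-constructed"'

# Real use (needs network access to DNS):
#   check_acme_txt _acme-challenge.xxxlab.cn xxxlab.cn "$TOKEN1" "$TOKEN2" && echo "both records visible"
```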
4. Test and Auto-Renew Certificate
Test Auto-Renewal Certificates
certbot renew --dry-run
If the dry run succeeds, the following command can be run automatically by cron, a systemd timer, or a similar scheduler:
certbot renew
I have not tested this step.
5. Deployment examples
1) nginx
......
server {
    server_name xxxlab.cn;
    listen 443 http2 ssl;
    # "ssl on;" is the older directive; the ssl parameter on listen already enables TLS
    ssl on;
    # Certificate paths as given in the original; this assumes the files certbot wrote
    # under /etc/letsencrypt/live/xxxlab.cn/ were copied or linked to /etc/cert/xxxlab.cn/
    ssl_certificate /etc/cert/xxxlab.cn/fullchain.pem;
    ssl_certificate_key /etc/cert/xxxlab.cn/privkey.pem;
    ssl_trusted_certificate /etc/cert/xxxlab.cn/chain.pem;
    location / {
        proxy_pass http://10.10.10.10:8080;
    }
}
......
2) apache
.....
SSLEngine on
# This setting disables only SSLv2; SSLv3 and TLS 1.0/1.1 remain allowed by it
SSLProtocol all -SSLv2
# Same path assumption as the nginx example: certbot output copied or linked to /etc/cert/xxxlab.cn/
SSLCertificateFile /etc/cert/xxxlab.cn/fullchain.pem
SSLCertificateKeyFile /etc/cert/xxxlab.cn/privkey.pem
......
Using HTTP validation
The above uses DNS validation to obtain a wildcard certificate. Earlier, the author used HTTP validation, in which the challenge content shown in the prompt is placed under the web server's document root. The command is as follows:
letsencrypt-auto certonly --email [email protected] -d login.xxxlab.cn -a manual
The email address given receives certificate expiration reminders.
Other notes
- The host being certified must be reachable from the Internet, and its DNS must be resolvable from the Internet.
- xxxlab.cn is a test domain name; replace it with your own domain name.
- For why to use HTTPS, see reference 2.
- Does this configuration introduce other security issues, including risks in this open-source software itself? Discussion is welcome.
References
Request a Let's Encrypt wildcard HTTPS certificate
Let's Encrypt complete guide to adding HTTPS to your website certbot