Request a free https certificate through Let's Encrypt


Environment: CentOS 7 + Apache/Nginx

This article uses Certbot, the ACME client recommended by letsencrypt.org, to obtain certificates.

Get Certbot

Visit https://certbot.eff.org/ and follow the prompts to select an environment.

This article follows https://certbot.eff.org/lets-encrypt/centosrhel7-apache ; install according to the prompts there.

Installation steps

1. Install EPEL (Extra Packages for Enterprise Linux)

yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

2. Install Certbot

yum install certbot-apache
certbot --apache

3. Start applying for a certificate

# Note: replace xxxlab.cn with your own domain name
certbot -i nginx -d "*.xxxlab.cn" -d xxxlab.cn --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns certonly

The application process interaction is as follows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxxlab.cn
dns-01 challenge for xxxlab.cn

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name  (first DNS configuration)
_acme-challenge.xxxlab.cn with the following value:

7rBRoMUcyphsdfdsfsfdfsaa3332rsdfsaOeMv1Tfpk-6phU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name (second DNS configuration; keep the first record in place)
_acme-challenge.xxxlab.cn with the following value:

FjPeO3aHA2GXXhAiknu4d0sfdsdf23r223uXIff--E4

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxxlab.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxxlab.cn/privkey.pem
   Your cert will expire on 2018-06-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note that the process requires adding a TXT record at _acme-challenge.xxxlab.cn twice, once per name on the certificate, so that both values shown above are present at the same time.

Test with dig

dig _acme-challenge.xxxlab.cn txt

The result is as follows:

......
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxlab.cn.                IN      TXT

;; ANSWER SECTION:
_acme-challenge.xxxlab.cn. 86400   IN      TXT     "7rBRoMUcyphsdfdsfsfdfsaa3332rsdfsaOeMv1Tfpk-6phU"
_acme-challenge.xxxlab.cn. 86400   IN      TXT     "FjPeO3aHA2GXXhAiknu4d0sfdsdf23r223uXIff--E4"
.........
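Pressing Enter before the records have propagated fails the dns-01 challenge, and certbot then has to be run again with new tokens. The following shell script is an added example, not code from the original article or from Certbot: it extracts the TXT values from dig output and polls until every expected token is visible. The sample output embedded in it is constructed from the answer section above; wait_for_txt assumes dig is installed.

```shell
#!/bin/sh
# Added example, not from the original article: check that every expected
# _acme-challenge TXT value is visible in DNS before pressing Enter in certbot.
# The sample dig output at the bottom is constructed from the answer section above.

# Print the TXT values from dig output ($1), one per line, quotes removed.
# Only lines of the form <name> <ttl> IN TXT "<value>" are considered, so the
# QUESTION section and ";;" comment lines are skipped automatically.
extract_txt_values() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "TXT" {
        v = ""
        for (i = 5; i <= NF; i++) v = v $i   # join multi-string TXT records
        gsub(/"/, "", v)
        print v
    }'
}

# Return 0 if the expected token ($2) is one of the TXT values in dig output ($1).
txt_value_present() {
    extract_txt_values "$1" | grep -qxF -- "$2"
}

# Poll DNS until every expected token is visible, or give up after MAX_TRIES attempts.
# $1 = challenge name (e.g. _acme-challenge.xxxlab.cn), remaining args = expected tokens.
# Let's Encrypt validates from the outside, so query a public resolver (or the
# authoritative server with @ns) rather than a local cache that may hold stale data.
MAX_TRIES=${MAX_TRIES:-30}
wait_for_txt() {
    name="$1"; shift
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        out=$(dig +noall +answer "$name" TXT 2>/dev/null)
        missing=0
        for token in "$@"; do
            txt_value_present "$out" "$token" || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        tries=$((tries + 1))
        sleep 10
    done
    echo "timed out waiting for TXT records at $name" >&2
    return 1
}

# Constructed sample (tokens copied from the article's dig output), used for a self-check.
SAMPLE_DIG_OUTPUT='_acme-challenge.xxxlab.cn. 86400   IN      TXT     "7rBRoMUcyphsdfdsfsfdfsaa3332rsdfsaOeMv1Tfpk-6phU"
_acme-challenge.xxxlab.cn. 86400   IN      TXT     "FjPeO3aHA2GXXhAiknu4d0sfdsdf23r223uXIff--E4"'

# Usage with a live zone (both tokens must be present at once for the wildcard request):
#   wait_for_txt _acme-challenge.xxxlab.cn TOKEN1 TOKEN2 && echo "records visible, press Enter"
```

Run wait_for_txt in a second terminal while certbot waits at the "Press Enter to Continue" prompt; when it returns 0, both values are answered and the challenge can proceed.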

4. Test and Auto-Renew Certificate

Test automatic renewal:

certbot renew --dry-run

If the dry run succeeds, the following command can be run automatically from a timer or a similar scheduler:

certbot renew

I have not tested this step.
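A wrapper for that scheduled run, as an added example that is not part of the original article or of Certbot: it calls certbot renew with a deploy hook so the web server is reloaded only when a certificate was actually replaced, and then checks the remaining validity of the live certificate with openssl so that a silently failing renewal shows up in cron mail. One caveat worth knowing for this setup: a certificate obtained with --manual, as above, cannot be renewed non-interactively unless a --manual-auth-hook script that updates the DNS record is configured, which is exactly the failure the expiry check is there to catch. The certificate path is taken from the certbot output above; the reload command assumes nginx under systemd.

```shell
#!/bin/sh
# Added example, not from the original article: daily cron/systemd-timer wrapper
# around "certbot renew" with a post-renewal expiry check.
CERT="/etc/letsencrypt/live/xxxlab.cn/fullchain.pem"   # path from the certbot output above
RELOAD_CMD="systemctl reload nginx"                     # assumption: nginx managed by systemd

# Return 0 if the certificate in $1 expires within $2 days (or cannot be read),
# 1 if it stays valid past that window. openssl's -checkend takes seconds and
# exits 0 when the certificate is still valid at that future time.
cert_expires_within_days() {
    [ -r "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Renew whatever certbot considers due and reload the server only if something changed
# (--deploy-hook runs once per renewed certificate, not on every invocation).
renew_and_reload() {
    certbot renew --quiet --deploy-hook "$RELOAD_CMD"
}

# Entry point for the scheduler: renew, then warn if the live certificate is still
# close to expiry, i.e. renewal is not actually working.
main() {
    renew_and_reload || echo "certbot renew exited with status $?" >&2
    if cert_expires_within_days "$CERT" 14; then
        echo "WARNING: $CERT expires within 14 days; renewal is not working" >&2
        return 1
    fi
    return 0
}

# Only renew when invoked as "renew.sh --run"; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A matching crontab line would be `15 3 * * * /usr/local/sbin/renew.sh --run` (path is an assumption); cron mails anything written to stderr, so the warning reaches the operator.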

5. Deployment example

1) nginx
......
server {
    server_name xxxlab.cn;
    listen 443 http2 ssl;
    # "ssl on;" is redundant once "ssl" is given on the listen directive, and the
    # directive itself is deprecated in current nginx; kept here as the author had it.
    ssl on;
    # Files issued by certbot; these paths assume they were copied from
    # /etc/letsencrypt/live/xxxlab.cn/ (where certbot saved them above) to /etc/cert/
    ssl_certificate /etc/cert/xxxlab.cn/fullchain.pem;
    ssl_certificate_key /etc/cert/xxxlab.cn/privkey.pem;
    # intermediate chain, used for OCSP stapling and chain verification
    ssl_trusted_certificate  /etc/cert/xxxlab.cn/chain.pem;

    location / {
      proxy_pass http://10.10.10.10:8080;
    }
}
......

2) apache

.....
SSLEngine on
# Disables only SSLv2; current guidance is to also disable SSLv3 and TLS 1.0/1.1,
# e.g. "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
SSLProtocol all -SSLv2
SSLCertificateFile /etc/cert/xxxlab.cn/fullchain.pem
SSLCertificateKeyFile /etc/cert/xxxlab.cn/privkey.pem
......
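Both configurations above point at copies of the certbot files under /etc/cert/, so a mismatched or stale copy is a realistic failure. The following script is an added example, not code from the original article or from Certbot: it confirms that privkey.pem actually belongs to fullchain.pem by comparing the public keys with openssl, and only then tests the nginx configuration and reloads it. The nginx/systemd commands are assumptions; for Apache use apachectl configtest and a reload instead.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that a certificate and a
# private key belong together before pointing the web server at them, so a wrong
# copy into /etc/cert/ is caught here rather than by a failed reload.

# Print the public key of the first certificate in a PEM file (the leaf in fullchain.pem).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from a PEM private key (works for RSA and EC keys).
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 if certificate $1 and private key $2 carry the same public key, 1 otherwise
# (including when either file is missing or is not valid PEM).
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Validate the pair and the nginx configuration, then reload only if both pass.
# Assumes nginx under systemd (assumption, adapt for Apache).
check_and_reload() {
    if ! cert_matches_key "$1" "$2"; then
        echo "ERROR: $1 does not match $2; not reloading" >&2
        return 1
    fi
    if ! nginx -t >/dev/null 2>&1; then
        echo "ERROR: nginx configuration test failed; not reloading" >&2
        return 1
    fi
    systemctl reload nginx
}

# Usage: sh check_cert.sh --reload /etc/cert/xxxlab.cn/fullchain.pem /etc/cert/xxxlab.cn/privkey.pem
if [ "${1:-}" = "--reload" ]; then
    check_and_reload "$2" "$3"
fi
```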

Using HTTP validation

The above uses DNS validation to obtain a wildcard certificate. Earlier, the author used HTTP validation instead, placing the challenge response shown in the prompt on the web server. The command is as follows:

letsencrypt-auto certonly --email [email protected]  -d login.xxxlab.cn -a manual

The address given with --email ([email protected] here) receives certificate expiration reminders.

Other notes

  1. The host you apply for must be reachable from the Internet, and its DNS must be resolvable from the Internet.
  2. xxxlab.cn is a test domain name; replace it with your own domain.
  3. For why HTTPS should be used, see reference 2.
  4. Does this configuration introduce other security issues, including risks in this open-source software itself? Discussion is welcome.

References

Request a Let's Encrypt wildcard HTTPS certificate

Let's Encrypt complete guide to adding HTTPS to your website certbot
