Use certbot to obtain a certificate from the Let's Encrypt CA

No preamble, let's get straight to it.


Let's Encrypt official website


1. Prerequisites: a registered domain name and a server we control

Assume the domain name we registered with Alibaba Cloud is example.com. Log in to the Alibaba Cloud DNS console; we need to be able to add TXT records for this zone, because that is how the DNS challenge below proves control of the name.


Our server runs Ubuntu.


Then we can proceed to the second step

2. Certificate issuance

In this step we request the certificate.

Let's Encrypt issues wildcard certificates (*.example.com), so we use Certbot, an ACME client, with the DNS challenge to request one.

Let's Encrypt also allows several names in one certificate (as Subject Alternative Names), so we put *.example.com and example.com in the same certificate. Both are needed: a wildcard covers first-level subdomains only, not the bare domain.

Let's Encrypt supports three ACME challenge types for proving control of a name: http-01, dns-01 and tls-alpn-01 (the older tls-sni-01 has been retired). The two commonly used ones are:

1. dns-01: publish a TXT record under _acme-challenge.example.com containing the token the CA gives you.
2. http-01: serve the token at the well-known URI http://example.com/.well-known/acme-challenge/<token>.

A wildcard name (*.example.com) can only be validated with dns-01.

Flow of http-01 validation: the ACME client asks the CA for a certificate, the CA returns a challenge token, the administrator (or the client's web-server plugin) places that token at the well-known URI on the web server, the CA fetches it over HTTP, and only then does it issue the certificate.

(DNS validation is the same flow, except that the web server is replaced by the DNS server and the file under the well-known URI by a TXT record.)

Flowchart: http-01 validation of a domain name

Issuance steps:

a. Download certbot-auto and make sure Python is available (certbot needs Python 2.7, or 3.5 or later). Note that the EFF has since deprecated certbot-auto; on a current Ubuntu system install certbot from snap or apt instead, and the commands below work the same with the certbot binary in place of ./certbot-auto.

Installation documentation: https://certbot.eff.org/docs/install.html

$ wget https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto

b. Execute certbot-auto

(Execution here requires root privileges)

./certbot-auto certonly --no-bootstrap --email [email protected] -d '*.example.com' -d example.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

(The wildcard is quoted so that the shell does not expand it as a file glob.)

Options used:

--preferred-challenges: the challenge type used to prove control of the name; dns here (http is the other common choice; tls-sni has been retired).
--email: the contact address registered with the CA; it receives expiry warnings.
-d: a name to include in the certificate; repeat -d for each name, or separate several names with commas.
--manual: use the manual plugin, so certbot prints the challenge value and you publish it yourself instead of a plugin doing it.
--server: the ACME v2 directory URL. Let's Encrypt added wildcard support when it upgraded to ACME v2, and only the v2 endpoint can issue wildcard certificates. (Current certbot versions default to v2, and the v1 API has since been shut down, so the flag is now optional.)

After execution, as shown in the figure:

certbot-auto signing process

When the prompt Please deploy a DNS TXT record under the name _acme-challenge.example.com appears, create that TXT record with the printed value in the Alibaba Cloud DNS console (record type TXT, host record _acme-challenge):

Alibaba Cloud DNS configuration


Alibaba Cloud DNS configuration list

Certbot asks for this twice, once per name, and both prompts use the same record name _acme-challenge.example.com with different values. Add the second TXT record alongside the first rather than editing the first one: both records must exist at the same time, because certbot only submits the challenges for validation after you have confirmed the last one. Wait for the record to propagate (up to the zone's TTL, often about 10 minutes), or check from the server with dig (a TXT query for _acme-challenge.example.com) until the new value appears, then press Enter to continue to the next name.

After both records have been validated, certbot reports success and writes the certificate (fullchain.pem) and private key (privkey.pem) under /etc/letsencrypt/live/.

3. Enable HTTPS in the Nginx configuration

Here we use Nginx to serve the new certificate and enable HTTPS. The configuration is as follows:

(This requires root, and example.com is a placeholder that must be replaced with the real domain name.)

Nginx: HTTPS configuration

Then test the configuration and reload the service so the new certificate is picked up.
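The Nginx configuration only survives as a screenshot above, so the following server block is an added example of an equivalent file, not the post's own. It assumes certbot stored the lineage under /etc/letsencrypt/live/example.com/, which is certbot's default name when the first -d argument is *.example.com (the leading "*." is dropped for the directory name); run certbot certificates to confirm the path on your system. The web root /var/www/example.com is likewise an assumption.

```nginx
# Added example (not the original post's configuration).
# Assumes the certbot lineage /etc/letsencrypt/live/example.com/ and a
# web root of /var/www/example.com; adjust both to your system.

# Plain HTTP only redirects to HTTPS; it serves no content itself.
server {
    listen 80;
    listen [::]:80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com *.example.com;

    # fullchain.pem = leaf certificate + Let's Encrypt intermediate, which
    # clients need to build the chain; privkey.pem must stay readable by
    # root only (certbot creates it that way).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern-only protocol set; TLS 1.0/1.1 are deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS commits browsers to HTTPS for two years; only enable it once
    # every name under this server block is served over TLS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/example.com;
    index index.html;
}
```

After saving the file, run nginx -t to validate the syntax and only then systemctl reload nginx; a reload (rather than a restart) keeps existing connections open while the new certificate is loaded.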

4. After the above steps the certificate is deployed. Let us look at the result:

Certificate issued by Let's Encrypt

Note that Let's Encrypt issues short-lived certificates (90 days), so the certificate must be renewed at least once every three months; certbot's renew command does this once fewer than 30 days remain. Renewal can be run from a scheduled task (cron or a systemd timer), with one caveat: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively, because certbot has no way to publish the new TXT records by itself. Either re-run the issuance command by hand before expiry or provide hook scripts that update DNS.
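The DNS step in section 2 (publish the TXT record, wait until it is visible, continue) and the renewal caveat above need the same thing: a way to put the record in place and verify it without a person at the keyboard. The script below is an added example, not the post's own, written as a certbot manual auth/cleanup hook. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot really passes to such hooks; everything else is assumed: dig must be installed (package dnsutils on Ubuntu), and publish_txt_record / remove_txt_record are hypothetical placeholders for the DNS provider's API (Alibaba Cloud's, in the post's setup) that you must implement before use.

```shell
#!/usr/bin/env bash
# acme-dns.sh: added example, not the post's own script. Makes the
# "deploy a DNS TXT record, wait, press Enter" step scriptable so that
# `certbot renew` can run unattended with the manual plugin.
# Assumptions (not from the post): `dig` is installed, and
# publish_txt_record / remove_txt_record are HYPOTHETICAL placeholders
# that must be replaced with your DNS provider's API or CLI calls.
set -eu

# Both *.example.com and example.com are validated at the same name,
# so strip a leading "*." before building the record name.
challenge_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Read `dig +short TXT` output on stdin (one quoted string per line,
# e.g. "Gv7mZ...") and succeed if any record equals the expected token.
# Pure parsing, no network, so it can be tested with constructed input.
txt_matches() {
    local expected=$1 line value
    while IFS= read -r line; do
        value=${line#\"}
        value=${value%\"}
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Poll one of the zone's authoritative servers (not the local caching
# resolver, which may hold a stale answer) until the token is visible.
# Fails after $timeout seconds so a broken DNS update cannot hang renewal.
wait_for_txt() {
    local domain=${1#\*.} expected=$2 timeout=${3:-600} interval=15
    local name ns deadline
    name=$(challenge_name "$domain")
    ns=$(dig +short NS "$domain" | head -n1)
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if dig +short TXT "$name" "@$ns" | txt_matches "$expected"; then
            return 0
        fi
        sleep "$interval"
    done
    echo "TXT record $name did not show the expected value in time" >&2
    return 1
}

# HYPOTHETICAL provider calls: replace the bodies with real API calls.
# They fail loudly on purpose until you do, so renewal never "succeeds"
# without a record actually being published.
publish_txt_record() { echo "TODO: create TXT $1 = $2" >&2; return 1; }
remove_txt_record()  { echo "TODO: delete TXT $1 = $2" >&2; return 1; }

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks; for
# a wildcard request CERTBOT_DOMAIN is the name without the "*." prefix.
auth_hook() {
    local name
    name=$(challenge_name "$CERTBOT_DOMAIN")
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
    remove_txt_record "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# Usage (install as /usr/local/bin/acme-dns.sh, then):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook '/usr/local/bin/acme-dns.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-dns.sh cleanup' \
#     --deploy-hook 'systemctl reload nginx' \
#     -d '*.example.com' -d example.com
# Afterwards `certbot renew` reuses the same hooks, so the scheduled task
# mentioned in the post can run without anyone at the keyboard.
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Certbot runs the auth hook once per name, so with two names it publishes two TXT records under the same _acme-challenge.example.com name; the cleanup hook must delete only the record whose value matches CERTBOT_VALIDATION, not every TXT record at that name, or the first challenge will fail.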


Original post: blog.csdn.net/wepe12/article/details/108674526