How to apply for Let's Encrypt?
Let's Encrypt SSL Certificate Principle & Installation Tutorial
What is SSL? Chen Weiliang explained it in the previous article "What is the difference between http vs https? Detailed explanation of SSL encryption process".
Apart from e-commerce websites, which must purchase an advanced encrypted SSL certificate, new media people who use a website for WeChat public account promotion can install an encrypted SSL certificate for free. It is also helpful for SEO and can improve the ranking of website keywords in search engines.
Let's Encrypt itself publishes a set of instructions (https://certbot.eff.org/); friends who use Linux can follow this tutorial while referring to that process.
Download the certbot-auto tool first, then run it once so that it installs its dependencies.
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto -n
Generate SSL certificate
Next, take Chen Weiliang's blog domain name as an example; please modify it according to your own needs. Run the following commands over SSH.
Be sure to modify the following in the command:
- mailbox
- server path
- website domain name
Single domain, single directory, generate a certificate:
./certbot-auto certonly --email youemail@qq.com --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com
Multiple domains, single directory, generate a certificate (that is, multiple domain names in one directory sharing the same certificate):
./certbot-auto certonly --email youemail@qq.com --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com
The generated SSL certificate will be saved under the directory /etc/letsencrypt/live/www.chenweiliang.com/.
Multiple domains, multiple directories, generate a certificate (that is, multiple domain names in multiple directories sharing the same certificate; each -w webroot applies to the -d domains that follow it):
./certbot-auto certonly --email youemail@qq.com --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org
After the Let's Encrypt certificate has been obtained successfully, the following message appears in SSH:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
Your cert will expire on 2018-02-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
SSL Certificate Renewal
Certificate renewal is also very convenient: use crontab to auto-renew. Some Debian installations do not have cron installed; you can install it manually first.
apt-get install cron
The following commands are entered in the /etc/crontab file, for Nginx and Apache respectively. They run the renewal every 10 days, which is more than enough for a certificate with a 90-day validity period.
Nginx crontab file, please add:
0 3 */10 * * /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"
Apache crontab file, please add:
0 3 */10 * * /root/certbot-auto renew --renew-hook "service httpd restart"
SSL certificate Apache configuration
Now, we need to make changes to the Apache configuration.
Tips:
- If you use the CWP control panel, tick "Automatically generate an SSL certificate" when adding the domain name and it will configure the SSL certificate for Apache automatically.
- If you then also perform the following steps, an error may occur after restarting Apache.
- If there is an error, delete the configuration you added manually.
Edit the httpd.conf file ▼
/usr/local/apache/conf/httpd.conf
Find ▼
Listen 443
- (remove the preceding comment character #)
or add listening port 443 ▼
Listen 443
SSH check Apache listening port ▼
grep ^Listen /usr/local/apache/conf/httpd.conf
Find ▼
mod_ssl
- (remove the preceding comment character #)
or add ▼
LoadModule ssl_module modules/mod_ssl.so
Find ▼
httpd-ssl
- (remove the preceding comment character #)
Then execute the following command over SSH (remember to change the paths to your own):
cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF
Next, at the end of the Apache configuration for the website you created, add the SSL section below (remember to remove the // annotations, which are not valid Apache syntax, and change the paths to your own):
<VirtualHost *:443>
DocumentRoot /home/admin/web/chenweiliang.com/public_html //website directory
ServerName www.chenweiliang.com:443 //domain name
ServerAdmin youremail@qq.com //email
ErrorLog "/var/log/www.chenweiliang.com-error_log" //error log
CustomLog "/var/log/www.chenweiliang.com-access_log" common //access log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem //certificate generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem //key generated earlier
<Directory "/home/admin/web/chenweiliang.com/public_html"> //website directory
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
suPHP_UserGroup eloha eloha //user and group (some server configurations need this, others may not; delete this line if it causes an error)
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
</VirtualHost>
Finally, restart Apache:
service httpd restart
Apache force HTTP redirect to HTTPS
- Many websites should only ever be served over SSL.
- Once SSL is in use, we need to make sure the website is always accessed via SSL.
- If any user tries to access the website with a non-SSL URL, they must be redirected to the SSL website.
- Redirect to the SSL URL using the Apache mod_rewrite module.
- If you use the LAMP one-click installation package, which has built-in automatic SSL certificate installation and forced redirection to HTTPS, the redirection to HTTPS is already in force and you do not need to add an HTTPS redirect.
Add redirect rule
- In Apache's configuration file, edit the website's virtual host and add the following settings.
- You can also add the same settings to the .htaccess file in your website's document root.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you just want to specify a certain URL to redirect to HTTPS:
RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
- If someone tries to access /message, the page jumps to https and the user can only access that URL over SSL.
Restart Apache for the .htaccess file to take effect:
service httpd restart
Attention points
- Please change the above email address to your email address.
- Please remember to change the above website domain name to your website domain name.
Redirect rule location problem
When a redirect rule is placed below pseudo-static rules, you will usually run into the problem that http cannot redirect to https.
Initially we copied the redirect code into .htaccess, and the following happened ▼
- [L] indicates that the current rule is the last rule: stop processing the rewrite rules that follow it.
- So when accessing a redirected article page, the [L] in the pseudo-static rule stops the rules that follow, and the redirect rule does not take effect.
When visiting the http homepage, we want to trigger a URL redirect, skipping the pseudo-static rules and executing the redirect rule, so that a site-wide http redirect to https can be achieved.
Do not put the https redirect rule below the rules carrying [L]; put it above those rules ▼
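A worked .htaccess showing the ordering described above, as an added example that is not from the original post; the pseudo-static rule for article pages (/post/123) is a constructed stand-in for whatever pretty-URL rules the site already has:

```apache
RewriteEngine On

# 1. Site-wide HTTP -> HTTPS redirect comes FIRST, before any rule
#    carrying [L]. A rule with [L] ends the current pass, so a redirect
#    placed below such a rule is never reached for URLs that rule matches.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# 2. Pseudo-static (pretty URL) rules come AFTER the redirect.
#    Constructed example rule: /post/123 -> index.php?id=123
#    On the https request that follows the 301, %{HTTPS} is "on",
#    the redirect above is skipped and this rule handles the page.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^post/([0-9]+)/?$ index.php?id=$1 [L]

# WRONG ORDER, shown for comparison (leave commented out): with the
# pseudo-static rule above the redirect, an http request for /post/123
# matches that rule first, its [L] stops the pass, and the HTTPS
# redirect below it is skipped.
# RewriteRule ^post/([0-9]+)/?$ index.php?id=$1 [L]
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```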
Extended reading:
- What is the difference between http vs https? Detailed explanation of SSL encryption process
- What should I do if I get an error 500 after installing the Let's Encrypt SSL certificate in the CWP control panel?
- Automatically jump to the second-level domain name without the www top-level domain name: the root domain name 301 redirects www
Hope Chen Weiliang Blog ( https://www.chenweiliang.com/ ) shared "How to apply for Let's Encrypt? Let's Encrypt SSL Free Certificate Principle & Installation Tutorial", which is helpful to you.
Welcome to share the link of this article:https://www.chenweiliang.com/cwl-512.html