Let's Encrypt is a non-profit certificate authority that provides free X.509 certificates for TLS encryption through an automated process designed to replace the complex manual process of creating, verifying, signing, installing and updating certificates for secure websites. Let's Encrypt recently introduced wildcard certificates, so you can now secure your domain and multiple subdomains with just one SSL certificate.

This guide works on Linux distributions such as CentOS, Ubuntu and Debian.
The installation uses CentOS as an example; to install git on Ubuntu or Debian, use the apt-get package manager instead of yum.

After installation, a cron job will be created to automatically renew the certificate.

* Submit a request for issuance:

```shell
# Quote the wildcard name so the shell does not expand it as a glob
bash acme.sh --issue -d mecmep.site -d '*.mecmep.site' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

Replace mecmep.site with your own domain.

* The script will generate 2 TXT records to be added in the DNS panel:

```shell
[Mon Apr 13 14:06:52 MSK 2020] Domain: '_acme-challenge.mecmep.site'
[Mon Apr 13 14:06:52 MSK 2020] TXT value: 'lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8'
...
[Mon Apr 13 14:06:52 MSK 2020] Domain: '_acme-challenge.mecmep.site'
[Mon Apr 13 14:06:52 MSK 2020] TXT value: 'GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I'
```

When adding a record, add a period at the end of the record name. For example:

```shell
TXT record _acme-challenge.mecmep.site.
value : "lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8"
```

```shell
TXT record _acme-challenge.mecmep.site.
value : "GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I"
```


![file](/media/article/img/Снимок_экрана_2021-06-07_в_17.58.38.png)

* Check whether the DNS records have been updated:

```shell
dig txt +short _acme-challenge.mecmep.site
"GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I"
"lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8"
```

* After updating the DNS, resume issuing the certificate:

```shell
# Quote the wildcard name so the shell does not expand it as a glob
bash acme.sh --renew -d mecmep.site -d '*.mecmep.site' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

```shell
[Mon Apr 13 14:16:47 MSK 2020] Renew: 'mecmep.site'
[Mon Apr 13 14:16:48 MSK 2020] Multi domain='DNS:mecmep.site,DNS:*.mecmep.site'
[Mon Apr 13 14:16:49 MSK 2020] Getting domain auth token for each domain
[Mon Apr 13 14:16:49 MSK 2020] Verifying: mecmep.site
[Mon Apr 13 14:16:53 MSK 2020] Success
[Mon Apr 13 14:16:53 MSK 2020] Verifying: *.mecmep.site
[Mon Apr 13 14:16:57 MSK 2020] Success
[Mon Apr 13 14:16:57 MSK 2020] Verify finished, start to sign.
[Mon Apr 13 14:16:57 MSK 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/83278451/2986784558
[Mon Apr 13 14:16:58 MSK 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04445ffc3799e6e4ab158437a6730fb44031
[Mon Apr 13 14:16:59 MSK 2020] Cert success.
```

```shell
[Mon Apr 13 14:16:59 MSK 2020] Your cert is in /root/.acme.sh/mecmep.site/mecmep.site.cer
[Mon Apr 13 14:16:59 MSK 2020] Your cert key is in /root/.acme.sh/mecmep.site/mecmep.site.key
[Mon Apr 13 14:16:59 MSK 2020] The intermediate CA cert is in /root/.acme.sh/mecmep.site/ca.cer
[Mon Apr 13 14:16:59 MSK 2020] And the full chain certs is there: /root/.acme.sh/mecmep.site/fullchain.cer
```

This gives you the certificate, key and chain files. Add them to the Apache and nginx configuration files, replacing the existing entries:

**Apache:**

/home/admin/conf/web/mecmep.site.apache2.ssl.conf, where mecmep.site is the domain name

```apache
SSLCertificateFile /root/.acme.sh/mecmep.site/mecmep.site.cer
SSLCertificateKeyFile /root/.acme.sh/mecmep.site/mecmep.site.key
SSLCertificateChainFile /root/.acme.sh/mecmep.site/fullchain.cer
```

**Nginx:**

/home/admin/conf/web/mecmep.site.nginx.ssl.conf, where mecmep.site is the domain name

```nginx
ssl_certificate /root/.acme.sh/mecmep.site/fullchain.cer;
ssl_certificate_key /root/.acme.sh/mecmep.site/mecmep.site.key;
```

* Restart Apache and nginx:

```shell
systemctl restart apache2
systemctl restart nginx
```



To renew the certificate, you need to run this command after 90 days and update the TXT DNS records in the same way as during issuance:

```shell
# Quote the wildcard name so the shell does not expand it as a glob
acme.sh --issue -d mecmep.site -d '*.mecmep.site' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

Where mecmep.site is the name of your domain.
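
The TXT check from the issuance step, which has to be repeated at each manual renewal, as an added example that is not part of the original guide: it extracts the requested values from acme.sh output and compares them with a `dig txt +short` answer. The sample data is constructed from the values shown above, and `issue.log` is a hypothetical file name.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): confirm that every TXT value
# acme.sh asked for is published before resuming issuance or renewal.

# Constructed sample: the acme.sh lines and dig answers shown in this guide.
ACME_LOG="[Mon Apr 13 14:06:52 MSK 2020] Domain: '_acme-challenge.mecmep.site'
[Mon Apr 13 14:06:52 MSK 2020] TXT value: 'lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8'
[Mon Apr 13 14:06:52 MSK 2020] Domain: '_acme-challenge.mecmep.site'
[Mon Apr 13 14:06:52 MSK 2020] TXT value: 'GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I'"
DIG_PARTIAL='"lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8"'
DIG_FULL='"GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I"
"lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8"'

# expected_txt LOG: print each TXT value acme.sh requested, one per line.
expected_txt() {
    printf '%s\n' "$1" | sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p"
}

# missing_txt LOG DIG_OUTPUT: print requested values that DNS does not return.
missing_txt() {
    # dig +short wraps each TXT string in double quotes; strip them first.
    published=$(printf '%s\n' "$2" | sed -e 's/^"//' -e 's/"$//')
    expected_txt "$1" | while IFS= read -r value; do
        # -x -F: whole-line literal match, so a truncated record fails.
        # --: base64url values may begin with '-'.
        printf '%s\n' "$published" | grep -qxF -- "$value" ||
            printf '%s\n' "$value"
    done
}

# txt_ready LOG DIG_OUTPUT: succeed only if the log contained at least one
# value and none of them is missing from the resolver's answer.
txt_ready() {
    [ -n "$(expected_txt "$1")" ] && [ -z "$(missing_txt "$1" "$2")" ]
}

# Demo on the constructed data. Live use (hypothetical file name issue.log):
#   txt_ready "$(cat issue.log)" "$(dig txt +short _acme-challenge.mecmep.site)"
if txt_ready "$ACME_LOG" "$DIG_PARTIAL"; then
    echo "partial answer: ready"
else
    echo "partial answer: still missing $(missing_txt "$ACME_LOG" "$DIG_PARTIAL")"
fi
txt_ready "$ACME_LOG" "$DIG_FULL" && echo "full answer: ready to resume"
```

Both records share the name `_acme-challenge.mecmep.site`, so the check passes only when the resolver returns both values.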


To renew Let's Encrypt certificates automatically with a cron job, add this daily cron entry to check for renewals:

```shell
# Five schedule fields: run every day at 00:00
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
```


You can check if the certificate is installed correctly using this [service](https://www.sslshopper.com/ssl-checker.html).



If you have any configuration difficulties or additional questions, you can always contact our support team via the ticket system.

Updated June 8, 2021