Let’s encrypt – use free SSL / TLS certificates


Domestic cloud providers such as Alibaba and Tencent offer free SSL certificates, but they are free for only one year and free wildcard certificates are not supported. Paid certificates cost at least 1K / year, which is hard to justify for individual users. Fortunately, we still have Let's Encrypt. Although a Let's Encrypt certificate is valid for only 90 days, it can be renewed automatically with tooling, and free wildcard certificates are supported, so we only need to apply for one certificate and it can be used for multiple web applications.

Let's Encrypt is a digital certificate authority launched in the third quarter of 2015. It aims to replace the complex manual process of creating and installing certificates with an automated one and to make encrypted connections to web servers ubiquitous, providing free Transport Layer Security (TLS) certificates for secure websites. With the support of companies and organizations such as Mozilla, Cisco, Akamai, the Electronic Frontier Foundation and Chrome, it has grown rapidly.

There are many articles online about creating certificates with Let's Encrypt scripts, but most of them are somewhat dated. This article follows the steps on the official website one by one and can fairly be called the most up-to-date on the web.

Deployment environment

  • DNS provider: alicloud
  • Server: CentOS Linux release 8.4.2105
  • Certificate type: DV SSL certificate, wildcard certificate

For background on certificate types, refer to: cloud.tencent.com/developer/articl…

Install snap

  snap is like the app store on your phone: it lets you install and manage applications on Linux easily. We will use snap later to install certbot.

Add the EPEL repository

$ sudo dnf install epel-release
$ sudo dnf upgrade

Install snapd

$ sudo yum install snapd

Enable the systemd unit that manages the snap communication socket

$ sudo systemctl enable --now snapd.socket

Enable classic snap support

$ sudo ln -s /var/lib/snapd/snap /snap

Install certbot

Certbot is a free and open source tool that helps us obtain and renew Let's Encrypt certificates.

Update snapd to the latest version

$ sudo snap install core; sudo snap refresh core

Remove any old certbot / certbot-auto package

$ sudo dnf remove certbot

Install certbot

$ sudo snap install --classic certbot

Make the certbot command available on the PATH

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Confirm that plugins installed for certbot get the same classic confinement as the certbot snap itself (I honestly don't know exactly what this means):

$ sudo snap set certbot trust-plugin-with-root=ok

Generate certificate

Enter the following command to generate a certificate for the wildcard domain *.xxx.com:

$ sudo certbot certonly -d "*.xxx.com" --manual --preferred-challenges dns-01

Parameter interpretation:

  • certonly
    Obtain or update a certificate, but do not install it.

  • -d "*.xxx.com"
    The domain names to obtain a certificate for; separate multiple names with commas. The * indicates a wildcard domain. Note that a wildcard certificate protects only one domain and its direct subdomains: to protect a second-level name such as a.b.xxx.com you need to apply for a separate *.b.xxx.com wildcard certificate.

  • --manual
    Obtain the certificate interactively, or with shell script hooks.

  • --preferred-challenges dns-01
    Tells certbot which method to use to prove that the domain belongs to you. Wildcard domains can only use dns-01, which means adding a specific TXT record at your DNS provider.

For more command parameters, refer to:

Press Enter to start the interactive mode. Here you need to enter an email address and accept the agreement. The general flow is shown in the figure below:

In the last step of generating the certificate, the command line prompts you to add a DNS TXT record. Do not press Enter yet: first add the TXT record for your domain at your DNS provider, for example Alibaba Cloud:


Once the record is added, wait about 10 seconds for it to take effect, then return to the command line and press Enter; certbot checks the record and reports whether the certificate was generated successfully. certbot places certificates under a directory such as /etc/letsencrypt/live/xxx.com/.

Update certificate

After obtaining the certificate successfully, you can use the following command to try to update the certificate:

$ sudo certbot renew --dry-run

  --dry-run means the renewal is only simulated and no real renewal is performed. If nothing unexpected happens, you will see the following error message:


Don't panic; this is expected. Recall the certificate generation steps: in the final verification we had to add the TXT record specified by certbot at the DNS provider, but certbot does not know our DNS provider's account credentials, so naturally it cannot add the record for us automatically. The key message in the error output is:

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

It tells us that in non-interactive mode we can use the --manual-auth-hook option to specify a hook script in which the TXT record is added. DNS providers generally expose an API, so we can write our own script that calls the API to add the TXT record, or use this repository on GitHub.

Briefly, the steps to renew certificates using this repository are:

  • Clone code

    $ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
  • Configure root domain name
    Check whether domain.ini contains your root domain name; if not, add it yourself.

  • Configure DNS API keys
    Get the key ID and secret required to call the API from your DNS provider and fill them in the auth.sh file.

  • Run again

    $ sudo certbot renew --manual-auth-hook "<script directory>/au.sh python aly add" --manual-cleanup-hook "<script directory>/au.sh python aly clean" --dry-run

      The --manual-cleanup-hook option specifies a script that cleans up afterwards; here it removes the TXT records used for verification. Note that the --dry-run option is still present, meaning this only tests that the renewal process works and does not really renew the certificate.

  • Update certificate regularly
    Once the script renews the certificate successfully, we can add a scheduled task in crontab to renew it automatically, so the job is done once and for all and we no longer need to worry about the certificate expiring. Edit crontab and add the following task:

    # The certificate is only renewed when it has less than 30 days of validity left, so crontab can run this daily or weekly
    1 1 */1 * * certbot renew --manual-auth-hook "<script directory>/au.sh python aly add" --manual-cleanup-hook "<script directory>/au.sh python aly clean"
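To make the hook mechanism behind --manual-auth-hook and --manual-cleanup-hook concrete, here is a minimal hook script written for this article as an added example; it is not code from the article or from the au.sh repository above. It relies on the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot exports to both hooks, assumes dig is installed, and the DNS API calls are hypothetical placeholders you would replace with your provider's client.

```shell
#!/bin/sh
# Added example hook for certbot's --manual-auth-hook / --manual-cleanup-hook
# (not the au.sh script from the repository above). Usage: hook.sh add|clean
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
set -e

# TXT record name certbot expects: _acme-challenge.<domain>. For "*.xxx.com"
# certbot passes the base name "xxx.com"; a leading "*." is stripped anyway.
acme_record_name() {
    base="${1#\*.}"
    printf '%s\n' "_acme-challenge.$base"
}

# 0 if the value appears as a line of `dig +short TXT` output (dig quotes it).
# Takes the output as a string so it can be checked without network access.
txt_present() {
    printf '%s\n' "$1" | grep -qxF "\"$2\""
}

# Placeholders for the DNS provider API (hypothetical; alidns in this article).
add_txt_record()    { echo "API: add TXT $1 = $2" >&2; }
remove_txt_record() { echo "API: remove TXT $1 = $2" >&2; }

# Poll until the record is visible before certbot asks Let's Encrypt to check
# it. In real use query the zone's authoritative server (dig ... @ns1.example)
# rather than a caching resolver; give up after $3 attempts 10 s apart.
wait_for_txt() {
    name="$1"; value="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if txt_present "$(dig +short TXT "$name" 2>/dev/null || true)" "$value"; then
            return 0
        fi
        tries=$((tries - 1)); sleep 10
    done
    return 1
}

# Act only when certbot invoked us; the variables are unset otherwise.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    record="$(acme_record_name "$CERTBOT_DOMAIN")"
    case "${1:-}" in
        add)   add_txt_record "$record" "$CERTBOT_VALIDATION"
               wait_for_txt "$record" "$CERTBOT_VALIDATION" ;;
        clean) remove_txt_record "$record" "$CERTBOT_VALIDATION" ;;
        *)     echo "usage: $0 add|clean" >&2; exit 2 ;;
    esac
fi
```

A non-zero exit from the add hook (record never became visible) makes certbot abort the renewal instead of failing validation against Let's Encrypt, which is the behaviour you want from a cron job.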

This work is licensed under a CC license; reprints must credit the author and link to this article.