How to Apply for a Free Let's Encrypt SSL Certificate on CentOS


Let's Encrypt is a Certificate Authority launched in late 2015 that provides free SSL/TLS certificates for secure websites through an automated process designed to eliminate the complexity of manually creating and installing certificates. Let's Encrypt is open-source and free for anyone to use, helping you transition your website to HTTPS for enhanced security.


1. Install Required Dependencies (Optional)

This step can be skipped because the letsencrypt-auto script detects the environment and installs its dependencies when generating the certificate. If the automatic detection fails, you can manually install the required dependencies using the following commands:

yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse

2. Generate the Certificate

Execute the following commands, modifying the email address and website address according to your actual situation. The -d parameter can accept multiple domain names. Note that generating the certificate will occupy ports 80 and 443, so you must stop your web service first. If you are using the LNMP stack or oneinstack, simply run service nginx stop.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email admin@xiaoz.me -d xiaoz.me -d www.xiaoz.me

3. Obtain the Certificate

If you are using a VPS located in China, the process may not succeed on the first try. There are also reports suggesting issues related to domestic DNS. If it fails, check the error messages or re-run the script. If successful, four files will be generated:

cert.pem - Apache server certificate
chain.pem - Apache root and intermediate certificates
fullchain.pem - SSL certificate file required by Nginx
privkey.pem - Secure certificate KEY file

4. Configure the Certificate

If you are using an Nginx server, you will need two files: fullchain.pem and privkey.pem. Refer to the tutorial How to Deploy SSL Certificates in Nginx for deployment instructions.

5. Additional Notes

Let's Encrypt certificates are valid for 3 months, so you must renew them before expiration. Use the following command to update the certificate:

./letsencrypt-auto certonly --renew-by-default --email admin@xiaoz.me -d xiaoz.me -d www.xiaoz.me
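
As an added example (not part of the original article), the following check can be run daily from cron and renews only when the certificate is within 30 days of expiry, using the standalone method from step 2. The clone path /root/letsencrypt, the 30-day window and the script name renew-check.sh are assumptions; /etc/letsencrypt/live/<domain>/ is the client's default output directory.

```shell
#!/bin/sh
# Added example: renew only when the certificate is close to expiry.
# Assumed values (not from the article): clone location, 30-day window.
LE_DIR="${LE_DIR:-/root/letsencrypt}"      # where step 2's git clone lives
DOMAIN="${DOMAIN:-xiaoz.me}"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/cert.pem}"   # client default path
RENEW_DAYS="${RENEW_DAYS:-30}"

# Return 0 (renew) if the certificate at $1 expires within $2 days or
# cannot be read or parsed; return 1 if it is still good for that long.
needs_renewal() {
    cert_file=$1
    days=$2
    [ -r "$cert_file" ] || return 0
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -checkend "$((days * 86400))" -noout \
        -in "$cert_file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Standalone mode binds ports 80/443, so nginx is stopped for the renewal
# and started again on exit, even if the renewal itself fails.
renew_cert() {
    service nginx stop
    trap 'service nginx start' EXIT
    cd "$LE_DIR" || return 1
    ./letsencrypt-auto certonly --standalone --renew-by-default \
        --email admin@xiaoz.me -d xiaoz.me -d www.xiaoz.me
}

# Act only when called as "renew-check.sh --run", e.g. from a cron job.
if [ "${1:-}" = "--run" ]; then
    if needs_renewal "$CERT" "$RENEW_DAYS"; then
        renew_cert
    else
        echo "certificate valid for more than $RENEW_DAYS days; nothing to do"
    fi
fi
```

Because the web server is stopped during renewal, schedule the job for a low-traffic hour and have cron mail its output so a failed renewal is noticed before the certificate expires.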

Other free SSL certificates include Wotone Free SSL and StartSSL. Currently, the Xiaoz blog uses StartSSL free certificates, but may consider switching to Let's Encrypt in the future.
