Applying for Let's Encrypt Free SSL Certificate on CentOS

Publish: 2016-05-22 | Modify: 2017-06-21

Let's Encrypt is a certificate authority launched at the end of 2015 that provides free SSL/TLS certificates through an automated process, aimed at eliminating the complex manual creation and installation of certificates. Let's Encrypt is open source and free for anyone to use, allowing you to move your website to HTTPS and make it more secure.


1. Install the required dependencies (optional)

This step can usually be skipped, because when you use Let's Encrypt to generate certificates the client detects the environment and installs what it needs automatically. If the automatic detection fails, you can try installing the required dependencies manually with the following commands:

yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse

2. Generate the certificate

Run the following commands one at a time, replacing the email address and domain names with your own. The -d parameter can be repeated for multiple domain names. Note that generating the certificate occupies ports 80 and 443, so you need to stop your web service first. If you are using LNMP or oneinstack, you can simply run the command service nginx stop.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email you@example.com -d xiaoz.me -d www.xiaoz.me

3. Obtain the certificate

If you are using a VPS in China, it may not succeed on the first attempt and you may need to try several times. There are also reports that failures may be related to DNS in China, so if it fails, pay attention to the error message and try running the script again. If it succeeds, four files are generated:

cert.pem - Apache server certificate
chain.pem - Apache root certificate and intermediate certificate
fullchain.pem - Nginx ssl_certificate file
privkey.pem - private key file for the certificate

4. Configure the certificate

If you are using an Nginx server, you will need two files: fullchain.pem and privkey.pem. Refer to the tutorial How to Deploy SSL Certificates on Nginx for deployment instructions.

5. Other notes

Let's Encrypt certificates are valid for 3 months, so you need to renew them before they expire. Use the following command to update the certificate. There are also other free SSL certificates available, such as WoSign Free SSL and StartSSL. Currently, XiaoZ's blog uses StartSSL Free Certificate, but may consider switching to Let's Encrypt in the future.

./letsencrypt-auto certonly --renew-by-default --email you@example.com -d xiaoz.me -d www.xiaoz.me
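
The renewal command above and the stop-nginx requirement from the certificate generation step can be combined into one scheduled job that renews only when the certificate is close to expiry. The script below is an added example, not part of the original post; the clone path /root/letsencrypt, the output directory /etc/letsencrypt/live/xiaoz.me, the 30-day threshold, the placeholder email and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values; adjust to your host.
DOMAINS="xiaoz.me www.xiaoz.me"      # domains used in the article's commands
EMAIL="you@example.com"              # placeholder address
LE_DIR="${LE_DIR:-/root/letsencrypt}"                   # assumed path of the git clone
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/xiaoz.me}"  # assumed output directory
RENEW_DAYS="${RENEW_DAYS:-30}"       # renew when fewer than this many days remain

# Returns 0 (renew) if the certificate is missing, unreadable, or expires
# within $2 days; returns 1 if it is still valid beyond that window.
cert_needs_renewal() {
    [ -f "$1" ] || return 0
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Thin wrapper around the client so the call can be replaced when testing.
le_client() { "$LE_DIR/letsencrypt-auto" "$@"; }

renew_if_due() {
    if ! cert_needs_renewal "$LIVE_DIR/cert.pem" "$RENEW_DAYS"; then
        echo "more than $RENEW_DAYS days left; nothing to do"
        return 0
    fi
    domain_args=""
    for d in $DOMAINS; do domain_args="$domain_args -d $d"; done
    service nginx stop    # standalone mode needs ports 80 and 443 free
    rc=0
    # $domain_args is left unquoted on purpose so it splits into -d options
    le_client certonly --standalone --renew-by-default \
        --email "$EMAIL" $domain_args || rc=$?
    service nginx start   # always bring the site back, even if renewal failed
    return "$rc"
}

# Run only when called as: ./renew-cert.sh run   (e.g. from a daily cron job)
if [ "${1:-}" = "run" ]; then
    renew_if_due
fi
```

Because nginx is stopped only when a renewal is actually due, a daily run causes downtime at most once per renewal cycle, and a non-zero exit status signals that the certificate was not renewed.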
