Apply for a free Let’s Encrypt ssl certificate for my domain

Let’s Encrypt SSL certificates are free and widely used nowadays. I’m planning to upgrade my blog from HTTP to HTTPS to make it more secure and more modern.

I’ll use acme.sh to manage the certificate and deploy it on my nginx server.

Here it goes.

Install acme.sh first. A single command is enough:

curl https://get.acme.sh | sh

If the installation succeeded, running acme.sh should print the following in your terminal:

ubuntu@k8s-master:~$ acme.sh 
https://github.com/acmesh-official/acme.sh
v2.8.8
Usage: acme.sh <command> ... [parameters ...]
Commands:
  -h, --help               Show this hel
...

If the terminal says acme.sh cannot be found, open a new terminal so the updated shell profile is loaded, and run the acme.sh command again.

The next step is to create an API key/secret on the platform of your domain service provider. For example, my kiwikiwi.fun domain is managed by Ali Cloud, so I have to log in to the Ali Cloud management console to create this key/secret pair. The acme.sh dnsapi wiki lists domain service providers together with the links for creating an API key/secret pair:

https://github.com/acmesh-official/acme.sh/wiki/dnsapi

Search for your domain service provider’s name on that page and you will find the necessary information.

acme.sh needs the key/secret pair to call your domain service provider’s APIs. It is better to use the RAM (Resource Access Management) feature of your provider so that you can grant only the specific APIs acme.sh needs, which limits the damage if the key ever leaks.

For Ali Cloud, the following permission policies may be necessary and should be granted to the RAM sub-user:

AliyunHTTPDNSReadOnlyAccess
System Policy
Provides read-only access to HTTPDNS via Management Console.

AliyunHTTPDNSFullAccess
System Policy
Provides full access to HTTPDNS via Management Console.

AliyunDNSReadOnlyAccess
System Policy
Provides read-only access to DNS Service via Management Console.

AliyunDNSFullAccess
System Policy
Provides full access to DNS Service via Management Console.

Once your API key/secret is ready, set them as shell environment variables. For Ali Cloud they look like this:

export Ali_Key=xxxxxxxxxxx
export Ali_Secret=xxxxxxxxxxxxxxxxxxxxxxx

For other domain service providers such as Cloudflare, GoDaddy and so on, refer to the acme.sh dnsapi wiki mentioned above.

Now it is finally time to issue your domain’s SSL certificate:

acme.sh --issue --dns dns_ali -d api.kiwikiwi.fun

If this command returns errors, do not run it again immediately. Add the debug parameter to find out the detailed cause of the failure:

acme.sh --issue --dns dns_ali -d api.kiwikiwi.fun --debug 2

I carelessly ran the command a few times and was blocked from issuing again until an hour later:

[Tue Oct  6 16:08:55 CST 2020] response='{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}'
[Tue Oct  6 16:08:55 CST 2020] Le_LinkOrder
[Tue Oct  6 16:08:55 CST 2020] Le_OrderFinalize
[Tue Oct  6 16:08:55 CST 2020] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
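The response above is worth handling rather than just reading, because each blind retry counts against the failed-authorization limit. As an added example (not from the original post or from acme.sh), this POSIX shell wrapper captures the output of an issue attempt and returns a distinct exit code for the rate-limited case so a script or cron job stops instead of retrying. The command to run is passed as arguments; that is an assumption made so the wrapper can be exercised with a stub, and the sample strings in the comments are the ones from the log above.

```shell
#!/bin/sh
# Added example, not from the post or the acme.sh project.
# Usage (not executed here):
#   guarded_issue acme.sh --issue --dns dns_ali -d api.kiwikiwi.fun

# classify_acme_output LOGFILE
# Prints one of: ok, rate_limited, failed.
# "Your cert is in" is what acme.sh prints on success; the 429 body carries
# the type urn:ietf:params:acme:error:rateLimited.
classify_acme_output() {
  log="$1"
  if grep -q 'Your cert is in' "$log"; then
    echo ok
  elif grep -q 'urn:ietf:params:acme:error:rateLimited' "$log" \
       || grep -q '"status": 429' "$log"; then
    echo rate_limited
  else
    echo failed
  fi
}

# guarded_issue CMD [ARGS...]
# Runs CMD with its output captured in a temp log and returns:
#   0 -> certificate issued
#   2 -> rate limited: do not retry for at least an hour
#   1 -> other failure: keep the log and rerun with --debug 2 before retrying
guarded_issue() {
  log=$(mktemp)
  "$@" >"$log" 2>&1
  rc=$?
  case $(classify_acme_output "$log") in
    ok)
      rm -f "$log"
      return 0 ;;
    rate_limited)
      echo "Let's Encrypt rate limit hit (too many failed authorizations); wait >= 1 hour, do not retry now" >&2
      rm -f "$log"
      return 2 ;;
    *)
      echo "issue failed (exit $rc); inspect $log and rerun with --debug 2" >&2
      return 1 ;;
  esac
}
```

Exit code 2 is deliberately different from a generic failure so that a caller (for example a cron job) can distinguish "try later" from "fix the configuration first".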

Yes, an hour later I ran the same command and it worked. The output should look similar to the following:

[Tue Oct  6 18:28:28 CST 2020] Your cert is in  /home/ubuntu/.acme.sh/<your domain>/xxxx.kiwikiwi.fun.cer 
[Tue Oct  6 18:28:28 CST 2020] Your cert key is in  /home/ubuntu/.acme.sh/<your domain>/xxxx.kiwikiwi.fun.key 
[Tue Oct  6 18:28:28 CST 2020] v2 chain.
[Tue Oct  6 18:28:28 CST 2020] The intermediate CA cert is in  /home/ubuntu/.acme.sh/<your domain>/ca.cer 
[Tue Oct  6 18:28:28 CST 2020] And the full chain certs is there:  /home/ubuntu/.acme.sh/<your domain>/fullchain.cer 
[Tue Oct  6 18:28:28 CST 2020] _on_issue_success

The next step is to deploy the generated cer and key files and then configure nginx to enable SSL:

$ cp /home/ubuntu/.acme.sh/<your domain>/xxxx.kiwikiwi.fun.key /usr/local/nginx/conf/ssl/
$ cp /home/ubuntu/.acme.sh/<your domain>/fullchain.cer /usr/local/nginx/conf/ssl/
$ mv /usr/local/nginx/conf/ssl/fullchain.cer /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.cer

Here is my sample nginx SSL config for xxxx.kiwikiwi.fun:

server {
  listen  443 ssl http2;
  ssl_certificate       /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.cer;
  ssl_certificate_key   /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.key;
  ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers           HIGH:!aNULL:!MD5;
  server_name           xxxx.kiwikiwi.fun;
  root                  /var/www/html;

  location / {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10080;
        proxy_http_version 1.1;
        # ... reverse proxy configuration for your PHP website ...
  }
}

This xxxx.kiwikiwi.fun.conf file can be placed under your nginx vhost directory.
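The copy step and the vhost above have two details worth tightening: the private key should not be readable by other local users, and the ssl_protocols line still enables TLS 1.0 and 1.1, which RFC 8996 deprecates. As an added example (not from the original post or from acme.sh), this POSIX shell script installs the files with a 0600 mode on the key, rewrites ssl_protocols to TLS 1.2 and 1.3 only, and checks that every certificate path the config references actually exists before a reload. The source directory, domain and destination are parameters; the values in the comments are the post's own paths.

```shell
#!/bin/sh
# Added example, not from the post or the acme.sh project.
# Usage (not executed here):
#   deploy_cert /home/ubuntu/.acme.sh/xxxx.kiwikiwi.fun xxxx.kiwikiwi.fun /usr/local/nginx/conf/ssl
#   harden_protocols /usr/local/nginx/conf/vhost/xxxx.kiwikiwi.fun.conf
#   cert_paths_exist /usr/local/nginx/conf/vhost/xxxx.kiwikiwi.fun.conf && nginx -t && nginx -s reload

# deploy_cert SRC_DIR DOMAIN DEST_DIR
# fullchain.cer is public and may stay world-readable; the key gets 0600
# so that only the owner (the user nginx reads it as, or root) can read it.
deploy_cert() {
  src="$1"; domain="$2"; dest="$3"
  mkdir -p "$dest"
  install -m 0644 "$src/fullchain.cer" "$dest/$domain.cer"
  install -m 0600 "$src/$domain.key"   "$dest/$domain.key"
}

# weak_protocols CONF
# True (exit 0) if the ssl_protocols directive still lists TLSv1 or TLSv1.1.
weak_protocols() {
  grep -E '^[[:space:]]*ssl_protocols' "$1" \
    | grep -qE '(^|[[:space:]])TLSv1(\.1)?([[:space:]]|;)'
}

# harden_protocols CONF
# Rewrite the ssl_protocols line to TLSv1.2 and TLSv1.3 only, keeping the
# original indentation. A temp file is used instead of sed -i for portability.
harden_protocols() {
  sed 's/^\([[:space:]]*ssl_protocols\).*/\1 TLSv1.2 TLSv1.3;/' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# cert_paths_exist CONF
# Every ssl_certificate / ssl_certificate_key path in CONF must be readable,
# otherwise the reload after a renewal fails and the old certificate stays
# in use until it expires.
cert_paths_exist() {
  awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" { sub(";", "", $2); print $2 }' "$1" \
    | while read -r path; do
        [ -r "$path" ] || { echo "missing or unreadable: $path" >&2; exit 1; }
      done
}
```

Run harden_protocols before nginx -t, and treat a failing cert_paths_exist as a reason not to reload: nginx keeps serving with the previous configuration, but the renewed certificate is then silently not in use.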

Let’s Encrypt certificates expire after 90 days, so one way to refresh the certificate is to create a cron job:

0 5 3 * * echo `date -R` >> /var/log/lets.crontab.log; certbot renew --force-renewal >> /var/log/lets.crontab.log 2>&1 ; nginx -s reload

This works for a single domain such as my xxxx.kiwikiwi.fun, but it actually uses certbot. I did not install certbot and did not use it, so if you’re interested you will need to try it out yourself.

Since I’ve installed acme.sh, I will use acme.sh instead. Its installer already added a daily cron job that renews certificates when they are due; --installcert records where the renewed files should be copied and which command to run afterwards, so the renewal reaches nginx automatically:

acme.sh --installcert -d xxxx.kiwikiwi.fun --key-file /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.key --fullchain-file /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.cer --reloadcmd "sudo systemctl restart nginx" 

Sometimes, if acme.sh or nginx is not configured correctly, you may run into file permission problems. According to the acme.sh wiki, you can use the --force option to override the permission problem, but a better way is to change the directory/file permissions accordingly.

If you don’t want to change the permissions, you have to install acme.sh as the root user, which also solves the permission problem.
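Two checks pair well with the automatic renewal, as an added example that is not from the post or from acme.sh: how many days the installed certificate has left (a value well below the 60-day point at which acme.sh renews means renewals have been failing silently), and whether the private key is readable by other users, which is the permission state to fix instead of reaching for --force or root. It assumes GNU date for parsing the notAfter string that openssl prints and openssl on the PATH; the optional NOW_EPOCH argument exists only to make the calculation reproducible, and the date in the test is a constructed value.

```shell
#!/bin/sh
# Added example, not from the post or the acme.sh project.
# Usage (not executed here):
#   needs_renewal /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.cer && echo "renewal is overdue"
#   key_perms_ok  /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.key || chmod 600 /usr/local/nginx/conf/ssl/xxxx.kiwikiwi.fun.key

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the string after "notAfter=" from
#   openssl x509 -noout -enddate -in CERT
# e.g. "Jan  4 16:08:55 2021 GMT". GNU date is assumed for -d.
days_left() {
  end=$(date -u -d "$1" +%s)
  now=${2:-$(date -u +%s)}
  echo $(( (end - now) / 86400 ))
}

# needs_renewal CERT_FILE [THRESHOLD_DAYS]
# acme.sh renews at 60 days by default, so fewer than THRESHOLD_DAYS
# (default 30) remaining means the automatic renewal has not been working.
needs_renewal() {
  notafter=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  [ "$(days_left "$notafter")" -lt "${2:-30}" ]
}

# key_perms_ok KEY_FILE
# True (exit 0) only if the group and other permission bits are all clear,
# i.e. the mode is 0600 or tighter; ls -l columns 5-10 are those bits.
key_perms_ok() {
  mode=$(ls -l "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}
```

Running needs_renewal from a monitoring cron job (separate from the renewal job) turns a silent renewal failure into an alert weeks before the certificate actually expires.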

As simple as that.
