When it comes to free SSL certificates, I definitely recommend Let’s Encrypt. It’s free to apply for, easy to install, and can be renewed indefinitely. Currently, the main website of wzfou.com uses a free Let’s Encrypt SSL certificate. Some people worry that they cannot use a Let’s Encrypt certificate without a VPS host. In fact, you can now apply for a Let’s Encrypt certificate directly online.
Let’s Encrypt’s single domain name SSL certificate has greatly promoted the popularity of SSL certificates around the world, and now the even more exciting news is: after countless delays, Let’s Encrypt Wildcard’s free pan-domain name SSL certificate is finally online! Any individual can apply for free, and the script Acme.sh can be used to achieve one-click issuance, which is very convenient.
acme.sh implements the ACME protocol and can generate free certificates from Let’s Encrypt. The main steps are: install acme.sh, generate the certificate, copy the certificate to nginx/apache or another service, renew the certificate, and update acme.sh. A Let’s Encrypt Wildcard free pan-domain SSL certificate is still valid for three months and will be renewed automatically by acme.sh.
This article will share the Let’s Encrypt Wildcard free pan-domain SSL certificate one-click application and SSL usage tutorial. For more website building experience and website building resources, you can try:
- Five things to note when making PayPal cash withdrawals - account binding, failure to lock, handling fees and withdrawal time
- Ten CloudFlare Free CDN Acceleration Tips You May Not Know - SSL, DDoS, Cache
- Self-built CDN acceleration-Nginx reverse binding, cache acceleration, automatically update cache and obtain real IP
PS: Updated on April 6, 2018, For more free SSL certificates, please see the special topic I collected and organized: Free SSL certificate collection and summary - add HTTPS secure encrypted access to the website for free.
PS: Updated on March 26, 2018, Let's Encrypt requires a VPS host before you can apply for it. Friends who only have a virtual host can try applying for free SSL online: three online free SSL certificates Application address: AlwaysOnSSL, SSL For Free and FreeSSL.org.
PS: Updated on October 15, 2018, Detailed letsencrypt free SSL certificate installation tutorial, reference: apply for and install letsencrypt free SSL certificate for the website in three simple steps - acme.sh automatically renews.
1. Preparation before applying for Let’s Encrypt pan-domain SSL certificate
Official websites:
- https://letsencrypt.org/
- https://github.com/Neilpang/acme.sh
- https://wzfou.com/vps-list/
1.1 VPS server
To install the Let's Encrypt Wildcard free pan-domain SSL certificate, you need at least one VPS host. Regarding purchasing a VPS host, you can read my VPS host reviews: Access to CN2 line VPS host providers and computer room summary and VPS host rankings one.
If you don’t mind the hassle of registration + registration, you can choose domestic VPS hosting providers such as Alibaba Cloud VPS, Tencent Cloud VPS, JD Cloud VPS, etc. If you want a fast VPS that does not require registration + registration, you can try the CN2 line or Hong Kong or South Korea computer rooms VPS, such as Alibaba Cloud Hong Kong, CN2 VPS, Kdatacenter, etc.
1.2 Set up DNS resolution
DNS validation with acme.sh supports DNSPod, CloudXNS, Amazon Route53, CloudFlare and other DNS providers. You need to point the NS records of the domain name at one of these providers first.
2. Let’s Encrypt SSL tool acme.sh
2.1 Install acme.sh
acme.sh implements the ACME protocol and can generate free certificates from Let’s Encrypt. Installation is simple, just one command:
curl https://get.acme.sh | sh
Both ordinary users and root can install and use it. The installer places acme.sh in your home directory, ~/.acme.sh/, and creates a bash alias for convenience: acme.sh=~/.acme.sh/acme.sh
At the same time, acme.sh automatically creates a cron job for you that checks all certificates at 0:00 every day; any certificate that is about to expire is renewed automatically. The installation does not touch any existing system functions or files: all modifications are limited to the installation directory, ~/.acme.sh/.
2.2 Get DNS API
Currently acme.sh needs to use the DNS API to verify the domain name. Here we take DNSPod as an example. You can find the API settings in the user center.
Click to create a new API.
Finally you can copy the API ID and Key.
2.3 Issue the Let’s Encrypt domain name certificate
DNSPod is used as the demonstration here. If you use another DNS provider, refer to the appendix at the end of this article; the commands differ per provider. Run the following commands to save the DNSPod API ID and Key:
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
DP_Id and DP_Key are saved in ~/.acme.sh/account.conf. Run the following command to issue the Let’s Encrypt domain name certificate:
acme.sh --issue --dns dns_dp -d wzfou.com -d *.wzfou.com
# RSA is issued by default; to issue an ECC certificate instead, use the following command
acme.sh --issue --dns dns_dp -d wzfou.com -d *.wzfou.com --keylength ec-256
# Available key lengths:
ec-256 (prime256v1, “ECDSA P-256”)
ec-384 (secp384r1, “ECDSA P-384”)
The whole issuance process is very fast. When it finishes, acme.sh prints the paths of the generated certificate files.
Now open the certificate directory: fullchain.cer is the complete domain name certificate chain, and wzfou.com.key is the private key. You only need to download these two files to enable the Let’s Encrypt SSL certificate.
3. Let’s Encrypt SSL certificate installation
In fact, all currently popular VPS host panels already support custom SSL certificates or one-click application and installation of Let’s Encrypt SSL certificates, such as BT.cn Pagoda Panel, OneinStack, LNMP, WDCP, AppNode Panel, etc. For more installation methods, please refer to: Server Control Panel List.
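Sections 2 and 3 together form one procedure: save the DNS API credentials, issue the apex + wildcard order, then hand the files to the web server. The script below is an added example that is not part of this post or of the acme.sh project. It assumes acme.sh at ~/.acme.sh/acme.sh, DNSPod credentials in DP_Id / DP_Key as above, and an nginx that loads its certificate from /etc/nginx/ssl/ (a path chosen for this example). It adds the two checks a practitioner wants before the first issue: that the DNS secret is actually set, and that ~/.acme.sh/account.conf, where acme.sh stores that secret in plain text, is not readable by other users. It also installs with --install-cert and a --reloadcmd rather than copying files out of ~/.acme.sh by hand, so that renewals reach the running nginx. Setting ACME_SH=echo dry-runs the commands without acme.sh present.

```shell
#!/usr/bin/env bash
# Added example: a wrapper around the acme.sh steps in sections 2 and 3 of
# this post. It is not code from the post or from the acme.sh project.
# Assumptions: acme.sh is installed at ~/.acme.sh/acme.sh, DNSPod is the DNS
# provider (DP_Id / DP_Key, as in the post), and nginx loads its certificate
# from /etc/nginx/ssl/. Set ACME_SH=echo to dry-run without acme.sh present.
set -u

ACME_SH="${ACME_SH:-${HOME:-/root}/.acme.sh/acme.sh}"
CERT_DIR="${CERT_DIR:-/etc/nginx/ssl}"

# Refuse to start with missing or placeholder DNS API credentials; a failed
# DNS-01 challenge otherwise only surfaces as an opaque acme.sh error.
check_dns_credentials() {
  [ -n "${DP_Id:-}" ] && [ -n "${DP_Key:-}" ] || return 1
  [ "$DP_Id" != "1234" ] || return 1    # the placeholder value used in the post
}

# account.conf stores the DNS API secret in plain text, so it must not be
# group- or world-readable. Returns 0 when only the owner has access.
check_account_conf_perms() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c5-10)      # the group and other permission bits
  [ "$mode" = "------" ]
}

# A wildcard order names the apex and *.apex; the apex itself must carry no
# wildcard, no spaces and at least one dot.
valid_apex() {
  case "$1" in
    ''|*'*'*|*' '*|.*|*.) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Issue apex + wildcard via DNS-01. Key type is RSA unless ec-256 / ec-384
# is given, matching the --keylength choices shown in section 2.3.
issue_wildcard() {
  apex="$1"; keylen="${2:-}"
  valid_apex "$apex" || { echo "bad apex domain: $apex" >&2; return 2; }
  check_dns_credentials || { echo "DP_Id/DP_Key not set" >&2; return 3; }
  set -- --issue --dns dns_dp -d "$apex" -d "*.$apex"
  [ -z "$keylen" ] || set -- "$@" --keylength "$keylen"
  "$ACME_SH" "$@"
}

# Install with --install-cert instead of copying files out of ~/.acme.sh:
# acme.sh then repeats the copy and the reload command after every renewal,
# so the running nginx never keeps serving an expired certificate.
install_to_nginx() {
  apex="$1"; ecc_flag=""
  valid_apex "$apex" || return 2
  if [ "${2:-}" = "ecc" ]; then ecc_flag="--ecc"; fi   # ECC certs are stored separately
  "$ACME_SH" --install-cert -d "$apex" $ecc_flag \
    --key-file       "$CERT_DIR/$apex.key" \
    --fullchain-file "$CERT_DIR/$apex.fullchain.cer" \
    --reloadcmd      "nginx -t && nginx -s reload"
}
```

Typical use after sourcing the file: export DP_Id and DP_Key, run check_account_conf_perms ~/.acme.sh/account.conf (and chmod 600 it if the check fails), then issue_wildcard example.com ec-256 followed by install_to_nginx example.com ecc. Pass ecc to install_to_nginx whenever the order was issued with --keylength ec-*, because acme.sh keeps ECC certificates in a separate directory and needs --ecc to find them.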
4. Appendix: Obtaining and issuing SSL by major DNS APIs
Notes:
- Appendix reference from: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
- DNS resolution service summary: https://wzfou.com/mianfei-dns/
- When issuing a pan-domain SSL certificate, change the command part -d www.example.com to: -d *.example.com
4.1 CloudFlare DNS API
First you need to log in to your CloudFlare account to get your API key.
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_cf -d example.com -d www.example.com
The CF_Key and CF_Email will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.2 DNSPod DNS API
First you need to log in to your DNSPod account to get your API Key and ID.
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_dp -d example.com -d www.example.com
The DP_Id and DP_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.3 CloudXNS DNS API
First you need to log in to your CloudXNS account to get your API Key and Secret.
export CX_Key="1234"
export CX_Secret="sADDsdasdgdsf"
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_cx -d example.com -d www.example.com
The CX_Key and CX_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.4 Alibaba Cloud Aliyun DNS API
First you need to log in to your Alibaba Cloud Aliyun account to get your API key: https://ak-console.aliyun.com/#/accesskey
export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_ali -d example.com -d www.example.com
The Ali_Key and Ali_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.5 GoDaddy DNS API
First you need to log in to your GoDaddy account to get your API Key and Secret: https://developer.godaddy.com/keys/
Please create a Production key, instead of a Test key.
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_gd -d example.com -d www.example.com
The GD_Key and GD_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.6 PowerDNS DNS API
First you need to log in to your PowerDNS server to enable the API and set your API-Token in the configuration: https://doc.powerdns.com/md/httpapi/README/
export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_pdns -d example.com -d www.example.com
The PDNS_Url, PDNS_ServerId, PDNS_Token and PDNS_Ttl will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.7 Amazon Route53 DNS API
See the method: https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API
export AWS_ACCESS_KEY_ID=XXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX
To issue a cert:
acme.sh --issue --dns dns_aws -d example.com -d www.example.com
The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.8 Linode DNS API
First you need to log in to your Linode account to get your API Key: https://manager.linode.com/profile/api
Then add an API key with label ACME and copy the new key.
export LINODE_API_KEY="..."
Due to the reload time of any changes in the DNS records, we have to use the dnssleep option to wait at least 15 minutes for the changes to take effect.
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_linode --dnssleep 900 -d example.com -d www.example.com
The LINODE_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4.9 DigitalOcean DNS API (native)
You need to obtain a read and write capable API key from your DigitalOcean account. See: https://www.digitalocean.com/help/api/
export DO_API_KEY="75310dc4ca779ac39a19f6355db573b49ce92ae126553ebd61ac3a3ae34834cc"
Ok, let’s issue a cert now:
acme.sh --issue --dns dns_dgon -d example.com -d www.example.com
4.10 NameSilo DNS API
You’ll need to generate an API key at https://www.namesilo.com/account_api.php. Optionally you may restrict access to an IP range there.
export Namesilo_Key="xxxxxxxxxxxxxxxxxxxxxxxx"
And now you can issue certs with:
acme.sh --issue --dns dns_namesilo --dnssleep 900 -d example.com -d www.example.com
4.11 Write your own DNS API
If your DNS provider’s API is not supported yet, you can write your own DNS API hook. Let’s assume you want to name it ‘myapi’:
- Create a bash script named ~/.acme.sh/dns_myapi.sh
- In the script you must have a function named dns_myapi_add(), which acme.sh calls to add the DNS records.
- Then you can use your API to issue a cert like this:
acme.sh --issue --dns dns_myapi -d example.com -d www.example.com
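Below is an added example of what such a dns_myapi.sh looks like; it is not code from this post or from the acme.sh project. It shows the hook contract acme.sh relies on: dns_myapi_add is called with the challenge name (for example _acme-challenge.example.com) and the TXT value before validation, and dns_myapi_rm with the same two arguments afterwards for cleanup. Instead of a real provider API, the "zone" here is a constructed local file named by MYAPI_ZONE_FILE, so the script runs offline. Two points matter for a wildcard order: acme.sh adds two TXT records at the same _acme-challenge name (one for the apex, one for *.apex), so the add function must append rather than overwrite; and the hook should refuse to touch anything other than _acme-challenge names, which limits the damage a bug or a leaked API credential in account.conf can do to the zone.

```shell
#!/usr/bin/env bash
# Added example, not code from the post or from the acme.sh project: a
# minimal dns_myapi.sh showing the contract acme.sh expects from a DNS hook.
# acme.sh calls  dns_myapi_add FULLDOMAIN TXTVALUE  before validation and
# dns_myapi_rm FULLDOMAIN TXTVALUE  afterwards. FULLDOMAIN is the challenge
# name, e.g. _acme-challenge.example.com. The "provider" here is a constructed
# local file, MYAPI_ZONE_FILE, standing in for a real HTTP API.
MYAPI_ZONE_FILE="${MYAPI_ZONE_FILE:-/tmp/myapi-zone.txt}"

# acme.sh provides _info/_err when it sources this file; define fallbacks so
# the script also runs stand-alone.
if ! type _info >/dev/null 2>&1; then _info() { echo "$*"; }; fi
if ! type _err  >/dev/null 2>&1; then _err()  { echo "$*" >&2; }; fi

# Only names under _acme-challenge. may be touched by this hook: a bug or a
# stolen API credential then cannot rewrite the zone's A or MX records.
_myapi_allowed() {
  case "$1" in
    _acme-challenge.*) return 0 ;;
    *) _err "refusing to touch non-challenge name: $1"; return 1 ;;
  esac
}

# Called by acme.sh: add TXT record FULLDOMAIN -> TXTVALUE. Appends, because a
# wildcard + apex order puts two different TXT values at the same name.
dns_myapi_add() {
  fulldomain="$1"
  txtvalue="$2"
  _myapi_allowed "$fulldomain" || return 1
  [ -n "$txtvalue" ] || { _err "empty txt value"; return 1; }
  touch "$MYAPI_ZONE_FILE" || return 1
  # Idempotent: re-adding an identical record is a no-op.
  grep -qxF "$fulldomain TXT $txtvalue" "$MYAPI_ZONE_FILE" && return 0
  printf '%s TXT %s\n' "$fulldomain" "$txtvalue" >> "$MYAPI_ZONE_FILE"
  _info "added TXT $fulldomain"
}

# Called by acme.sh after validation: remove exactly that record, nothing else.
dns_myapi_rm() {
  fulldomain="$1"
  txtvalue="$2"
  _myapi_allowed "$fulldomain" || return 1
  [ -f "$MYAPI_ZONE_FILE" ] || return 0
  grep -vxF "$fulldomain TXT $txtvalue" "$MYAPI_ZONE_FILE" > "$MYAPI_ZONE_FILE.tmp" || true
  mv "$MYAPI_ZONE_FILE.tmp" "$MYAPI_ZONE_FILE"
  _info "removed TXT $fulldomain"
}

# Helper for inspecting what the hook left behind: prints every TXT value
# currently set for a name, one per line.
myapi_lookup() {
  [ -f "$MYAPI_ZONE_FILE" ] || return 1
  awk -v n="$1" '$1 == n && $2 == "TXT" { print $3 }' "$MYAPI_ZONE_FILE"
}
```

For a real provider, replace the file operations in dns_myapi_add and dns_myapi_rm with the provider's HTTP calls and keep the _acme-challenge guard; acme.sh's own hooks also persist their credentials with its _saveaccountconf helpers, which this stand-alone version deliberately leaves out.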
5. Summary
Applying for and installing a Let's Encrypt Wildcard free pan-domain SSL certificate is relatively simple. Currently we can apply for a Let's Encrypt pan-domain SSL certificate through the script, and I believe that soon all major VPS host control panels will offer one-click application and installation of pan-domain SSL certificates.
A Let's Encrypt Wildcard free pan-domain SSL certificate requires DNS verification. The appendix lists the major DNS resolution APIs and the commands for issuing SSL certificates with them; you can refer to those. If you are issuing a pan-domain SSL certificate, simply replace www with *.