千家信息网

Requesting a Free SSL Certificate with the Let's Encrypt Client

Published: 2025-02-06 Author: 千家信息网 editor

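Mozilla, Cisco, Akamai, IdenTrust, the EFF and researchers at the University of Michigan jointly announced the Let's Encrypt CA project, which plans to provide websites with free basic SSL certificates in order to speed up the Internet's transition from HTTP to HTTPS. The Let's Encrypt CA will be operated by the non-profit Internet Security Research Group (ISRG). The project officially entered public beta in the early hours of today, December 4, so I hurried to request a certificate and try it out.

Previously I always requested certificates the B/S (browser/server) way; this time it is C/S (client/server), which feels quite novel.

My server environment: CentOS 6.6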


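1. Python 2.7 must be installed; with 2.6 the request fails with an error.

Download page: https://www.python.org/downloads/release/python-2710/

    wget <URL of Python-2.7.10.tgz, taken from the download page above>
    tar zxf Python-2.7.10.tgz
    cd Python-2.7.10
    ./configure
    make && make install
    # Point the system python command at the new version
    which python
    /usr/local/bin/python
    rm /usr/local/bin/python
    ln -s /usr/local/bin/python2.7 /usr/local/bin/python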


2. Download the letsencrypt client

    yum install -y git
    git clone https://github.com/letsencrypt/letsencrypt.git
    cd letsencrypt
    ./letsencrypt-auto --help
    Updating letsencrypt and virtual environment dependencies.......
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help

      letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

    The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
    default, it will attempt to use a webserver both for obtaining and installing
    the cert. Major SUBCOMMANDS are:

      (default) run        Obtain & install a cert in your current webserver
      certonly             Obtain cert, but do not install it (aka "auth")
      install              Install a previously obtained cert in a server
      revoke               Revoke a previously obtained certificate
      rollback             Rollback server configuration changes made during install
      config_changes       Show changes made to server config during installation
      plugins              Display information about installed plugins

    Choice of server plugins for obtaining and installing cert:

      --apache          Use the Apache plugin for authentication & installation
      --standalone      Run a standalone webserver for authentication
      (nginx support is experimental, buggy, and not installed by default)
      --webroot         Place files in a server's webroot folder for authentication

    OR use different plugins to obtain (authenticate) the cert and then install it:

      --authenticator standalone --installer apache

    More detailed help:

      -h, --help [topic]    print this message, or detailed help on a topic;
                            the available topics are:

       all, automation, paths, security, testing, or any of the subcommands or
       plugins (certonly, install, nginx, apache, standalone, webroot, etc)


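3. The client can handle everything end to end, from requesting the certificate to installing it automatically into apache/nginx. Here I chose to do it myself: request the certificate only and not trouble the client with the rest. Run the following command:

    ./letsencrypt-auto certonly --manual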


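Enter your domain name.

You are asked whether you agree to them logging the IP address this request comes from; agree.

This step verifies ownership of the domain and is critical.

What this step means is that the client will visit http://www.example.com/.well-known/acme-challenge/xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs and check whether the output is xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs.MOcybE5RrQ_NsGgFybrHkVcTSohWn2z0JDfTtQkHKQE

I had already installed an nginx server beforehand, so all I needed to do was create the directory and a file with the corresponding content under my site's root directory, and make sure it is reachable from the public Internet.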

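    cd /wwwroot/
    mkdir -p ./.well-known/acme-challenge/
    echo xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs.MOcybE5RrQ_NsGgFybrHkVcTSohWn2z0JDfTtQkHKQE > ./.well-known/acme-challenge/xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs
    # Fetch it to check that the output is now correct
    curl <challenge URL shown in the prompt above>

If the output is correct, press Enter. (If you have not installed a web server yet, you can follow the prompt and run the commands listed under "#run only once per server".)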
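As an added example (not part of the original post): a shell function for the manual step above that derives the file name from the pasted key authorization, rejects anything that is not a single "token.thumbprint" pair of base64url text before using it as a path, and writes the file under the web root. The function names publish_challenge and check_served are hypothetical; the sample value is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): publish an ACME HTTP-01
# challenge file. Function names are hypothetical.

# publish_challenge WEBROOT KEY_AUTHORIZATION
# Prints the path written; returns non-zero on malformed input.
publish_challenge() {
    webroot=$1
    keyauth=$2
    # Expected shape is "<token>.<thumbprint>", both base64url text.
    # Reject anything else (slashes, spaces, extra dots) before the
    # pasted value is used as a file name.
    case $keyauth in
        *[!A-Za-z0-9_.-]*|*.*.*|.*|*.) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    token=${keyauth%%.*}
    [ -d "$webroot" ] || return 1
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # printf writes the value verbatim, without echo's option handling.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    chmod 644 "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# check_served URL KEY_AUTHORIZATION
# Succeeds only if the URL returns exactly the key authorization.
check_served() {
    body=$(curl -fsS --max-time 10 "$1") || return 1
    [ "$body" = "$2" ]
}

# Demo in a throwaway directory, using the value shown in the post.
demo_root=$(mktemp -d)
publish_challenge "$demo_root" \
    "xiDWA8FkdWeTua7MIXBpQ3PeLt8jVu5Eimi4-jPsTHs.MOcybE5RrQ_NsGgFybrHkVcTSohWn2z0JDfTtQkHKQE"
# A value containing path components is refused (constructed input).
publish_challenge "$demo_root" "../outside.abc" || echo "rejected"
rm -rf "$demo_root"
```

On a real server, pass the site's root directory (/wwwroot/ in the post) and run check_served against the challenge URL before pressing Enter. The challenge file can be deleted once the certificate has been issued.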


4. Certificate obtained successfully

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
       expire on 2016-03-03. To obtain a new version of the certificate in
       the future, simply run Let's Encrypt again.
     - If like Let's Encrypt, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le


I will publish another post later on how to use this certificate.
