Installing a Let’s Encrypt Certificate for the Apache Server on Ubuntu 16.04

By using Let’s Encrypt for SSL, you will be able to encrypt transactions and data on your site free of charge. The following tutorial covers the entire process, from installing the Let’s Encrypt client to installing your SSL certificate on Ubuntu 16.04.

By the end of this Ubuntu guide you will be able to create Let’s Encrypt SSL certificates and set them up on your Apache web server.

Step 1: Prerequisites

Let’s Encrypt works with a client. You can create SSL certificates from your server, without manual intervention. Installation of the Let’s Encrypt client software requires a LAMP stack. If you do not have one yet, please refer to the tutorial How to Install Apache, MySQL, and PHP on Ubuntu.

Once you have a working Apache web server on your Vultr SSD cloud server, it’s time to install Let’s Encrypt. Download the client to /opt/letsencrypt:

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Step 2: Generating a Let’s Encrypt SSL certificate

Let’s Encrypt works by verifying your domain through the client. Let’s Encrypt will set up a ‘hidden’ web server to verify that your domain points to your cloud server. Your SSL certificate will automatically be generated using the command:

cd /opt/letsencrypt
./letsencrypt-auto --apache -d yourubuntuserver.example

Creating an SSL certificate for multiple domains is even easier: just add the -d switch as many times as you like.

./letsencrypt-auto --apache -d yourubuntuserver.example -d mysslcertificate.example
./letsencrypt-auto --apache -d yourubuntuserver.example -d mysslcertificate.example -d anotherwebsite.example

You can also generate a Let’s Encrypt SSL certificate for your www. subdomains as follows:

./letsencrypt-auto --apache -d yourubuntuserver.example -d mysslcertificate.example -d anotherwebsite.example -d www.yourubuntuserver.example -d www.mysslcertificate.example -d www.anotherwebsite.example

Step 3: Forcing SSL

Once you have generated your SSL certificate(s), you will be able to force your websites to redirect to the SSL-protected version of your website. Add the following lines to the .htaccess files of your websites:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourubuntuserver.example/$1 [R,L]

If you’d rather redirect to the www. subdomain with Let’s Encrypt:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourubuntuserver.example/$1 [R,L]

Step 4: Automatically renewing Let’s Encrypt certificates

Let’s Encrypt is a free certificate authority (CA). Because of this, certificates are not valid for longer than 90 days by default. Naturally, if you manage a lot of Let’s Encrypt SSL certificates, renewing them manually is inconvenient. Let’s Encrypt provides a utility to automatically attempt to renew all certificates at a time you choose. Vultr recommends doing this at night, as this will not put heavy load on your cloud server.

The automation of this process is done using a cron job.

crontab -e

Append the following cron job to the bottom of the file:

15 5 * * 5 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

The cron job we have just created runs every Friday at 5:15 A.M. and attempts to renew your SSL certificates by executing the following script: /opt/letsencrypt/letsencrypt-auto renew.
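A weekly cron job can fail without anyone noticing, so it helps to check how many days each certificate has left. The script below is an added example, not part of the original tutorial or of the Let’s Encrypt client; it assumes GNU date and openssl are installed and that certificates are stored under /etc/letsencrypt/live/<domain>/cert.pem. It also assumes the client renews once fewer than 30 days remain, so the 21-day warning threshold is a value chosen here.

```shell
#!/bin/sh
# Added example: certificate expiry check to run alongside the renewal cron job.
# Assumption: renewal happens when fewer than 30 days remain, so a certificate
# that drops below WARN_DAYS means the weekly renewal has been failing.
WARN_DAYS=21

# expiry_status NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the date printed by "openssl x509 -enddate" (after "notAfter=").
# Prints "<state> <days>"; returns 0 = ok, 1 = renewal overdue, 2 = expired/unparseable.
expiry_status() {
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "unparseable 0"; return 2; }
    now=${2:-$(date -u +%s)}
    days=$(( (end - now) / 86400 ))
    if [ "$end" -le "$now" ]; then
        echo "expired $days"; return 2
    elif [ "$days" -lt "$WARN_DAYS" ]; then
        echo "renewal-overdue $days"; return 1
    fi
    echo "ok $days"
}

# check_cert DOMAIN: read notAfter from the installed certificate and classify it.
check_cert() {
    pem="/etc/letsencrypt/live/$1/cert.pem"
    not_after=$(openssl x509 -enddate -noout -in "$pem" 2>/dev/null | cut -d= -f2)
    [ -n "$not_after" ] || { echo "$1: cannot read $pem"; return 2; }
    result=$(expiry_status "$not_after") && rc=0 || rc=$?
    echo "$1: $result (state, days left)"
    return "$rc"
}

# Usage: sh check-certs.sh yourubuntuserver.example mysslcertificate.example
if [ "$#" -gt 0 ]; then
    worst=0
    for domain in "$@"; do
        check_cert "$domain" || { rc=$?; [ "$rc" -gt "$worst" ] && worst=$rc; }
    done
    exit "$worst"
fi
```

Run it from cron a day after the renewal job; a non-zero exit status means at least one certificate needs attention.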

Congratulations! Ubuntu 16.04 is now using SSL certificates from Let’s Encrypt completely free of charge. Certificates will be renewed automatically. If you want to use more SSL certificates on a single Vultr cloud server, simply follow step #2 for every domain you want to protect with SSL.

Thanks for reading this Let’s Encrypt guide. Should you have any questions, please do not hesitate to refer to the official Getting Started guide.