Tried Let’s Encrypt for free HTTPS certification. It seems good and quite convenient.
Following the instructions on the official site, we use Certbot to deploy it.
As an example, for Apache on Debian 7:
Install
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
Config
./certbot-auto --apache
It provides an interactive UI.
Automating Renewal
First, try this:
./certbot-auto renew --dry-run
If there is no error, set this up as a cron job that runs twice a day:
./certbot-auto renew --quiet --no-self-upgrade
For Nginx Server
If you run it with Nginx, you might need to reload or restart Nginx for the renewed certificate to take effect.
PS on renewal
If you have set up a rewrite rule for automatic HTTP-to-HTTPS redirection, renewal can run into trouble when the CertAgent cannot get a correct response from the target domain. For example: you removed the certificate files or the SSL configuration from your server, kept using an out-of-date certificate, lost the DNS record, etc. The failure comes with IMPORTANT NOTES like the following.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: meinblog.ga
Type: unknownHost
Detail: No valid IP addresses found for meinblog.ga
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: sinri.cc
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested ******HIDDEN******
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
It is easy to fix once you know the reason: just keep the target domain alive. The suggestion is to turn off the redirection to SSL and leave HTTP only.
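To spot these failures without reading the whole report, the following added example (not part of the original post, and not Certbot's own code) extracts the Domain/Type/Detail entries from the IMPORTANT NOTES text and attaches a hint drawn from the causes listed above. The function names are hypothetical, and it assumes the renewal output has been captured and is fed in on standard input.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed renewals.

# Reads Certbot output on stdin; prints "domain|type|detail" per failed domain.
certbot_failures() {
    awk '
        function emit() {
            if (domain != "") printf "%s|%s|%s\n", domain, type, detail
            domain = ""
        }
        # Trim whitespace so indented report lines parse as well.
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^Domain:/ { emit(); domain = $2; type = ""; detail = ""; next }
        /^Type:/   { type = $2; next }
        # Keep only the first line of a wrapped Detail field.
        /^Detail:/ { sub(/^Detail:[ \t]*/, ""); detail = $0; next }
        END { emit() }
    '
}

# Turns each failure into one line with a hint based on the causes the post lists.
summarise_failures() {
    certbot_failures | while IFS='|' read -r domain type detail; do
        case "$type" in
            unknownHost)  hint="check the DNS A record" ;;
            unauthorized) hint="check the SSL config and HTTP-to-HTTPS redirect" ;;
            *)            hint="$detail" ;;
        esac
        printf '%s: %s (%s)\n' "$domain" "$type" "$hint"
    done
}

# Sample input: the failure report from the post, shortened.
sample_output() {
    cat <<'EOF'
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: meinblog.ga
   Type: unknownHost
   Detail: No valid IP addresses found for meinblog.ga
 - The following errors were reported by the server:
   Domain: sinri.cc
   Type: unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested ******HIDDEN******
EOF
}

# Demo: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then sample_output | summarise_failures; fi
```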