Preface
This article is reposted from the Global Hosting Forum (全球主机论坛), where it was posted by forum user skywing.
The main reason for posting it here is to archive the tutorial for future reference.
Source code
https://github.com/diafygi/acme-tiny
Installation steps
1. The script needs Python and OpenSSL; most Linux distributions ship both, so install them only if they are missing. Before starting, create a directory to hold the files:
mkdir ~/letsencrypt
cd ~/letsencrypt
2. Create a Let's Encrypt account private key so that Let's Encrypt can identify you:
openssl genrsa 4096 > account.key
If you have already generated an account key with the official client, convert it to the PEM format that acme-tiny expects:
# download the conversion script
wget -O - "https://gist.githubusercontent.com/JonLundy/f25c99ee0770e19dc595/raw/6035c1c8938fae85810de6aad1ecf6e2db663e26/conv.py" > conv.py
# copy the private key into the working directory
cp /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/<id>/private_key.json private_key.json
# create a DER private key (the <( ... ) process substitution needs bash)
openssl asn1parse -noout -out private_key.der -genconf <(python conv.py private_key.json)
# convert it to a PEM private key
openssl rsa -in private_key.der -inform der > account.key
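The conversion above works because the official client stores the account key as an RSA JWK (a JSON object with base64url-encoded n, e, d, p, q, dp, dq and qi), and openssl can assemble a PKCS#1 RSAPrivateKey from a generated ASN.1 config. The following is an added, standard-library-only implementation of that step written for this page; it is not the code of the conv.py gist linked above, and the toy key it embeds (61 and 53 as primes) is constructed for the self-test only. It also refuses to convert a key whose CRT parameters do not agree with n and d, which catches a corrupted or hand-edited private_key.json before it becomes an account key.

```python
import base64
import json
import sys


def _b64url_to_int(s):
    """Decode a base64url big-endian unsigned integer as stored in a JWK."""
    raw = s.encode("ascii")
    raw += b"=" * (-len(raw) % 4)  # restore the padding JWK strips
    return int.from_bytes(base64.urlsafe_b64decode(raw), "big")


def _int_to_b64url(i):
    """Inverse of _b64url_to_int; used only to build the constructed sample key."""
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwk_to_asn1_conf(jwk):
    """Turn an RSA private JWK into an `openssl asn1parse -genconf` config.

    Feeding the returned text to
        openssl asn1parse -noout -out key.der -genconf <config file>
    produces a PKCS#1 RSAPrivateKey in DER, which `openssl rsa -inform der`
    then writes out as the PEM account key acme-tiny reads.
    """
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA key")
    fields = ["n", "e", "d", "p", "q", "dp", "dq", "qi"]  # PKCS#1 field order
    v = {f: _b64url_to_int(jwk[f]) for f in fields}
    # Consistency checks: refuse to emit a key whose parts contradict each other.
    if v["p"] * v["q"] != v["n"]:
        raise ValueError("p*q != n: inconsistent RSA key")
    if v["dp"] != v["d"] % (v["p"] - 1) or v["dq"] != v["d"] % (v["q"] - 1):
        raise ValueError("CRT exponents do not match d")
    if (v["q"] * v["qi"]) % v["p"] != 1:
        raise ValueError("qi is not the inverse of q modulo p")
    lines = ["asn1=SEQUENCE:private_key", "[private_key]", "version=INTEGER:0"]
    for f in fields:
        lines.append("%s=INTEGER:0x%x" % (f, v[f]))
    return "\n".join(lines) + "\n"


# Constructed toy key for the self-test (assumption: far too small for real use).
TOY_JWK = {"kty": "RSA"}
TOY_JWK.update({k: _int_to_b64url(n) for k, n in
                dict(n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qi=38).items()})


if __name__ == "__main__":
    # usage: openssl asn1parse -noout -out private_key.der -genconf <(python jwk2conf.py private_key.json)
    with open(sys.argv[1]) as f:
        sys.stdout.write(jwk_to_asn1_conf(json.load(f)))
```

Run it with the path to private_key.json as the single argument, in place of conv.py in the openssl command above; the script prints the config to stdout and never writes the key material anywhere else.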
3. Create the certificate signing request (CSR) for the domain:
# create the domain private key
openssl genrsa 4096 > domain.key
# single-domain CSR
openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr
# multi-domain CSR (you normally want at least the bare domain and www)
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
4. Configure the service that proves ownership of the domain
# create the challenge directory; I used:
mkdir -p /home/wwwroot/challenges/
Configure an HTTP server so that Let's Encrypt can download the challenge files:
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    location /.well-known/acme-challenge/ {
        alias /home/wwwroot/challenges/;
        try_files $uri =404;
    }
    ...the rest of your config
}
5. Obtain the signed certificate
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wwwroot/challenges/ > ./signed.crt
I ran into the following problem at this step:
ValueError: Wrote file to /home/wwwroot/challenges/xxxxxxxxxxxxxxxxxxxxxxxxxxx, but couldn't download http://www.yoursite.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxx
The domain's DNS was hosted at DNSPod and Let's Encrypt could not resolve the domain; I finally fixed it by moving the domain's DNS servers to dns.he.net!
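Before running the acme_tiny.py command in step 5, it is worth confirming that the challenge directory is actually reachable at http://www.yoursite.com/.well-known/acme-challenge/ from the outside, because that is exactly the fetch that failed in the error above. The script below is an added example written for this page (not part of acme-tiny): it writes a throwaway token into the --acme-dir directory, fetches it over plain HTTP without any proxy, and reports whether the server returned the same bytes. The local http.server stand-in for nginx and the temporary directories exist only for the built-in self-test; against a real deployment you pass the challenge directory and the site's base URL.

```python
import functools
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request


def check_challenge_path(acme_dir, base_url, timeout=10):
    """Write a random token into acme_dir and fetch it back over HTTP.

    Returns True only when the body served for
    <base_url>/.well-known/acme-challenge/<token> is exactly the file content,
    i.e. the alias/try_files block is serving the directory acme-tiny writes to.
    The token file is removed again whatever happens.
    """
    token = secrets.token_urlsafe(24)        # URL-safe file name
    expected = secrets.token_hex(16)         # random body, so a stale file cannot pass
    path = os.path.join(acme_dir, token)
    with open(path, "w") as f:
        f.write(expected)
    try:
        url = "%s/.well-known/acme-challenge/%s" % (base_url.rstrip("/"), token)
        # Empty ProxyHandler: fetch directly, ignoring any http_proxy in the environment.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        return body == expected
    except (urllib.error.URLError, OSError):
        return False
    finally:
        os.remove(path)


def start_local_server(docroot):
    """Serve docroot on 127.0.0.1 from a background thread (test stand-in for nginx)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
    httpd = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, "http://127.0.0.1:%d" % httpd.server_address[1]


def self_test():
    """Return (result with the served directory, result with an unrelated directory)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as other:
        acme_dir = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(acme_dir)
        httpd, base_url = start_local_server(root)
        try:
            return (check_challenge_path(acme_dir, base_url),
                    check_challenge_path(other, base_url))
        finally:
            httpd.shutdown()
            httpd.server_close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python check_challenge.py /home/wwwroot/challenges/ http://www.yoursite.com
        ok = check_challenge_path(sys.argv[1], sys.argv[2])
        print("challenge path OK" if ok else "challenge path NOT reachable")
        sys.exit(0 if ok else 1)
    print(self_test())
```

A False result from a host outside your network points at DNS, firewall or the nginx location block rather than at acme-tiny itself; a True result from the server's own shell but False from outside is the DNS resolution case the author hit.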
# with nginx the intermediate certificate also has to be appended
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
6. Install the certificate (nginx used as the example)
server {
    listen 443 ssl;
    # server_name entries are separated by spaces, not commas
    server_name yoursite.com www.yoursite.com;
    ssl_certificate /path/to/chained.pem;
    ssl_certificate_key /path/to/domain.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated; drop them if your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /path/to/server.dhparam;
    ssl_prefer_server_ciphers on;
    ...the rest of your config
}
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    location /.well-known/acme-challenge/ {
        # must be the same directory that is passed to --acme-dir
        alias /var/www/challenges/;
        try_files $uri =404;
    }
    ...the rest of your config
}
7. Create an automatic renewal script (certificates are valid for three months; renewing once a month is typical)
vi ~/ssl/renew_cert.sh
#!/bin/sh
# stop here if acme-tiny fails, so the old certificate stays in place
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exit
# use absolute paths: cron does not run from your working directory
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /path/to/intermediate.pem
cat /tmp/signed.crt /path/to/intermediate.pem > /path/to/chained.pem
service nginx reload
# make the script executable
chmod +x ~/ssl/renew_cert.sh
Add it to crontab:
0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log
Please credit when reposting: 凯泽de博客 » Acme-tiny: Let's Encrypt certificate automation script