
Acme-tiny: an automation script for Let's Encrypt certificates

Tutorial archive · kasimay · 696 views · 0 comments

Let's Encrypt

Preface

This article is reposted from the 全球主机论坛 forum, where it was posted by user skywing.

The main reason for posting it here is to keep an archive of the tutorial for future reference.

Source code

https://github.com/diafygi/acme-tiny

Installation steps

1. The script needs python and openssl. Most Linux distributions ship both; install them if they are missing. Before starting, create a directory to hold the files:

mkdir ~/letsencrypt
cd ~/letsencrypt

2. Create a Let's Encrypt account private key so the CA can identify you:

openssl genrsa 4096 > account.key

If you already generated an account key with the official client, convert it to the PEM format that acme-tiny expects:

# download the conversion script

wget -O - "https://gist.githubusercontent.com/JonLundy/f25c99ee0770e19dc595/raw/6035c1c8938fae85810de6aad1ecf6e2db663e26/conv.py" > conv.py

# copy the private key into the working directory

cp /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/<id>/private_key.json private_key.json

# create a DER private key

openssl asn1parse -noout -out private_key.der -genconf <(python conv.py private_key.json)

# convert it to a PEM private key

openssl rsa -in private_key.der -inform der > account.key

3. Create the certificate signing request (CSR) for the domain

# create the domain private key
openssl genrsa 4096 > domain.key
# single-domain CSR
openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr
# multi-domain CSR (you will normally want at least the apex domain and www)
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

4. Configure the service that proves ownership of the domain

# create the challenge directory (the path I used):
mkdir -p /home/wwwroot/challenges/

Configure an HTTP server so that Let's Encrypt can fetch the challenge files:

server {
    listen 80;
    server_name yoursite.com www.yoursite.com;

    location /.well-known/acme-challenge/ {
        alias /home/wwwroot/challenges/;
        try_files $uri =404;
    }

    ...the rest of your config
}

5. Obtain the signed certificate (acme_tiny.py is the script from the source repository linked above)

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wwwroot/challenges/ > ./signed.crt

At this step I ran into the following error:

ValueError: Wrote file to /home/wwwroot/challenges/xxxxxxxxxxxxxxxxxxxxxxxxxxx, but couldn't download http://www.yoursite.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxx

The cause was that my DNS was hosted at DNSPod and Let's Encrypt could not resolve the domain; moving the domain's DNS servers to dns.he.net finally solved it!

# with nginx you also have to append the intermediate certificate
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

6. Install the certificate (nginx used as the example)

server {
    listen 443;
    server_name yoursite.com www.yoursite.com;

    ssl on;
    ssl_certificate /path/to/chained.pem;
    ssl_certificate_key /path/to/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /path/to/server.dhparam;
    ssl_prefer_server_ciphers on;

    ...the rest of your config
}

server {
    listen 80;
    server_name yoursite.com www.yoursite.com;

    location /.well-known/acme-challenge/ {
        # must be the same directory as --acme-dir in step 5 (there it was /home/wwwroot/challenges/)
        alias /var/www/challenges/;
        try_files $uri =404;
    }

    ...the rest of your config
}

7. Create a renewal script (certificates are valid for three months; renewing once a month is reasonable)

vi ~/ssl/renew_cert.sh
#!/bin/sh
# --acme-dir must be the directory the nginx alias serves
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exit 1
# absolute path: under cron the working directory is not ~/ssl
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /tmp/intermediate.pem || exit 1
cat /tmp/signed.crt /tmp/intermediate.pem > /path/to/chained.pem
service nginx reload
# make it executable
chmod +x ~/ssl/renew_cert.sh

Add it to crontab:

0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log
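The shell script in step 7 has one weak spot: if the intermediate download fails, `cat` still writes a leaf-only `chained.pem` and nginx is reloaded with an incomplete chain. The following is an added example for this tutorial, neither the tutorial's script nor part of acme-tiny, that performs the same three actions with checks in between: the leaf returned by `acme_tiny.py` and the downloaded intermediate must each be exactly one PEM `CERTIFICATE` block (an empty result from a failed run is rejected), the chain is renamed into place atomically, and nginx is reloaded only when the file actually changed. It assumes the acme_tiny.py flags shown in step 5 and the `service nginx reload` command from step 7; the `SAMPLE_*` blocks are constructed placeholders for the offline demo, not real certificates.

```python
"""Safer renewal step for the acme-tiny workflow in step 7.

Added example for this tutorial; not the tutorial's script and not part of acme-tiny.
"""
import os
import re
import subprocess
import sys
import tempfile
import urllib.request

# Same intermediate URL the tutorial uses in steps 5 and 7.
INTERMEDIATE_URL = "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

# One PEM certificate: header, base64 lines, footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)

# Constructed placeholder blocks for the offline demo; not real certificates.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIBAAAAleafAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBAAAAinterAAA\n-----END CERTIFICATE-----\n"


def pem_certificates(text):
    """Return every PEM CERTIFICATE block in text, each ending in one newline."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def validate_chain_inputs(leaf_pem, intermediate_pem):
    """Return a problem description, or None when both inputs are usable."""
    leaf = pem_certificates(leaf_pem)
    inter = pem_certificates(intermediate_pem)
    if len(leaf) != 1:
        return f"expected 1 leaf certificate, found {len(leaf)}"
    if len(inter) != 1:
        return f"expected 1 intermediate certificate, found {len(inter)}"
    if leaf[0] == inter[0]:
        return "leaf and intermediate are the same certificate"
    return None


def assemble_chain(leaf_pem, intermediate_pem):
    """Leaf first, then intermediate, which is the order nginx expects."""
    problem = validate_chain_inputs(leaf_pem, intermediate_pem)
    if problem:
        raise ValueError(problem)
    return pem_certificates(leaf_pem)[0] + pem_certificates(intermediate_pem)[0]


def install_chain(chain_pem, dest):
    """Atomically replace dest with chain_pem. Returns True when the content
    changed (reload needed), False when dest already held the same bytes."""
    try:
        with open(dest) as fh:
            if fh.read() == chain_pem:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".chained-")
    with os.fdopen(fd, "w") as fh:
        fh.write(chain_pem)
    os.chmod(tmp, 0o644)  # the chain is public data; the private key lives elsewhere
    os.replace(tmp, dest)  # rename is atomic, so nginx never sees a partial file
    return True


def renew(acme_tiny, account_key, csr, acme_dir, dest):
    """Run acme_tiny.py with the flags from step 5, build and install the
    chain, and reload nginx only if chained.pem changed."""
    result = subprocess.run(
        [sys.executable, acme_tiny, "--account-key", account_key,
         "--csr", csr, "--acme-dir", acme_dir],
        check=True, capture_output=True, text=True)
    with urllib.request.urlopen(INTERMEDIATE_URL, timeout=30) as resp:
        intermediate = resp.read().decode()
    if install_chain(assemble_chain(result.stdout, intermediate), dest):
        subprocess.run(["service", "nginx", "reload"], check=True)
        return "renewed and reloaded"
    return "unchanged"


def demo_install():
    """Offline round trip: the first install writes (True), an identical second
    install is a no-op (False), and the file holds the assembled chain."""
    chain = assemble_chain(SAMPLE_LEAF, SAMPLE_INTERMEDIATE)
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "chained.pem")
        first = install_chain(chain, dest)
        second = install_chain(chain, dest)
        with open(dest) as fh:
            same = fh.read() == chain
    return first, second, same


if __name__ == "__main__":
    # assumed usage: renew.py /path/to/acme_tiny.py /path/to/account.key /path/to/domain.csr /var/www/challenges/ /path/to/chained.pem
    if len(sys.argv) == 6:
        print(renew(*sys.argv[1:]))
    else:
        print(demo_install())
```

In the crontab line it drops in for `renew_cert.sh`; because `subprocess.run(..., check=True)` raises on a non-zero exit from acme_tiny.py, a failed run leaves the existing `chained.pem` untouched and the traceback lands in the cron log.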

Please credit when reposting: 凯泽de博客 » Acme-tiny: an automation script for Let's Encrypt certificates
