StartSSL 切换到 Let’s Encrypt

收到StartSSL的邮件通知证书快到期了，加上前段时间说StartSSL把服务器放到Qihoo了；刚好换上Let’s Encrypt

官方推荐的工具（Let’s Encrypt Client）：https://github.com/certbot/certbot

https://github.com/diafygi/acme-tiny 这个客户端比官方的轻多了，比较了下决定用这个。

1.Create a Let’s Encrypt account private key

openssl genrsa 4096 > account.key

2.Create a certificate signing request (CSR) for your domains.

NOTE: you can’t use your account private key as your domain private key!

openssl genrsa 4096 > domain.key

#单个域名
openssl req -new -sha256 -key domain.key -subj "/CN=www.vparser.com" > domain.csr

#多个域名（这里用这个）
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:vparser.com,DNS:www.vparser.com")) > domain.csr

报错:
cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find ‘distinguished_name’ in config
problems making Certificate Request
140168944265032:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

把OpenSSL的配置文件换成存在的路径，例如：/etc/pki/tls/openssl.cnf

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:vparser.com,DNS:www.vparser.com")) > domain.csr

3.Make your website host challenge files

mkdir -p /data/www/challenges/

修改vhost配置文件：

server {
    listen 80;
    server_name yoursite.com www.yoursite.com;

    location /.well-known/acme-challenge/ {
        alias /data/www/challenges/;
        try_files $uri =404;
    }

    ...the rest of your config
}

nginx -s reload

4.Get a signed certificate!

wget -O - "https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py" > acme_tiny.py

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /data/www/challenges/ > ./signed.crt

5.Install the certificate

#NOTE: For nginx, you need to append the Let's Encrypt intermediate cert to your cert
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

    ssl_certificate /path/to/chained.pem;
    ssl_certificate_key /path/to/domain.key;

6.Setup an auto-renew cronjob (自动续签，有效期只有90天)

将

    location /.well-known/acme-challenge/ {
        alias /data/www/challenges/;
        try_files $uri =404;
    }

移到https段

server {
listen 80;
server_name www.vparser.com vparser.com;
rewrite ^/(.*) https://$server_name/$1 permanent;
}

server {
listen 443 ssl http2;
……

server_name www.vparser.com vparser.com;


location /.well-known/acme-challenge/ {
 alias /data/www/challenges/;
 try_files $uri =404;
}

……
}

增加定时脚本：

#!/usr/bin/sh
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /data/www/challenges/ > /tmp/signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
service nginx reload

crontab -e or vi /etc/crontab

#example line in your crontab (runs once per month)
0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log

未经允许不得转载：ganlei的个人博客 » StartSSL 切换到 Let’s Encrypt