Got an email from StartSSL saying my certificate is about to expire, and a while back there were reports that StartSSL had moved its servers to Qihoo, so this is a good time to switch to Let’s Encrypt.
The officially recommended tool (Let’s Encrypt Client): https://github.com/certbot/certbot
https://github.com/diafygi/acme-tiny is far lighter than the official client; after comparing the two I decided to use it.
1.Create a Let’s Encrypt account private key
openssl genrsa 4096 > account.key
(This key identifies your ACME account: keep it outside the web root and readable only by the user that runs the client.)
2.Create a certificate signing request (CSR) for your domains.
NOTE: you can’t use your account private key as your domain private key!
openssl genrsa 4096 > domain.key
#single domain
openssl req -new -sha256 -key domain.key -subj "/CN=www.vparser.com" > domain.csr
#multiple domains (the variant used here; the <(...) process substitution needs bash, and the empty -subj "/" leaves the subject blank so the names come only from the SAN list)
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:vparser.com,DNS:www.vparser.com")) > domain.csr
Error:
cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find ‘distinguished_name’ in config
problems making Certificate Request
140168944265032:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name
The distinguished_name error follows from the cat failure: with /etc/ssl/openssl.cnf missing, the only config openssl saw was the [SAN] section. Point -config at the OpenSSL config that exists on this system (on CentOS/RHEL it is /etc/pki/tls/openssl.cnf; `openssl version -d` prints the directory OpenSSL looks in):
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:vparser.com,DNS:www.vparser.com")) > domain.csr
3.Make your website host challenge files
mkdir -p /data/www/challenges/
Edit the vhost configuration so the challenge directory is served under the path Let’s Encrypt will request:
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    location /.well-known/acme-challenge/ {
        alias /data/www/challenges/;
        try_files $uri =404;
    }
    ...the rest of your config
}
nginx -s reload
4.Get a signed certificate!
wget -O - "https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py" > acme_tiny.py
(This fetches whatever is on master at that moment; read the script, or pin a tagged release and check its hash, before running it with your account key.)
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /data/www/challenges/ > ./signed.crt
The script writes the challenge files into --acme-dir and Let’s Encrypt fetches them over plain HTTP on port 80, so that directory must be writable by the user running the command and served by the location block above. If the run fails, first confirm that a test file placed in /data/www/challenges/ is reachable at http://www.vparser.com/.well-known/acme-challenge/ from outside.
5.Install the certificate
#NOTE: For nginx, you need to append the Let's Encrypt intermediate cert to your cert
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
(The X3 intermediate linked here was the issuing CA at the time of writing and has since been retired; use the intermediate that actually signed signed.crt. Newer acme-tiny releases speak ACME v2 and already download the full chain, so check how many certificates signed.crt contains before appending another.)
ssl_certificate /path/to/chained.pem;
ssl_certificate_key /path/to/domain.key;
6.Setup an auto-renew cronjob (certificates are valid for only 90 days, so renewal has to be automated)
Move
location /.well-known/acme-challenge/ { alias /data/www/challenges/; try_files $uri =404; }
into the https server block. The port-80 block now redirects everything to https; validation keeps working because Let’s Encrypt follows the redirect:
server {
    listen 80;
    server_name www.vparser.com vparser.com;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    listen 443 ssl http2;
    ……
    server_name www.vparser.com vparser.com;
    location /.well-known/acme-challenge/ {
        alias /data/www/challenges/;
        try_files $uri =404;
    }
    ……
}
Add the renewal script:
#!/bin/sh
# request a fresh certificate; stop here and leave the old one in place if issuance fails
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /data/www/challenges/ > /tmp/signed.crt || exit 1
# absolute paths throughout: cron does not run from this directory
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /path/to/intermediate.pem
cat /tmp/signed.crt /path/to/intermediate.pem > /path/to/chained.pem
service nginx reload
As in step 5, the X3 intermediate URL is the one that was current when this was written; with newer acme-tiny releases the output already contains the chain and the wget and cat lines are unnecessary. The user the job runs as needs write access to /data/www/challenges/ and permission to reload nginx.
crontab -e or vi /etc/crontab (lines in /etc/crontab take a user field before the command)
#example line in your crontab (runs once per month)
0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log
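A renewal script with the checks a practitioner would want around acme_tiny.py, as an added example that is neither the post's own script nor part of acme-tiny. It renews only when fewer than RENEW_DAYS days remain (so it can run daily without re-issuing every time), writes the issued certificate to a private mktemp file instead of the predictable /tmp/signed.crt, verifies that the new certificate actually matches domain.key before installing it, appends the intermediate only when the CA did not already send the chain, replaces chained.pem atomically, and runs nginx -t before reloading. All paths, the --run flag and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script and not part of acme-tiny: a
# renewal script with sanity checks around acme_tiny.py. All paths below
# are assumptions; adjust them to the layout used in the steps above.

ACME_TINY=/path/to/acme_tiny.py
ACCOUNT_KEY=/path/to/account.key
CSR=/path/to/domain.csr
DOMAIN_KEY=/path/to/domain.key
CHALLENGE_DIR=/data/www/challenges/
CHAINED=/path/to/chained.pem
INTERMEDIATE=/path/to/intermediate.pem   # appended only if the CA did not send the chain
RENEW_DAYS=30                            # renew when fewer than this many days remain

# needs_renewal CERT DAYS: succeed if CERT is missing or expires within DAYS.
# openssl x509 -checkend exits 0 when the cert is still valid past the window.
needs_renewal() {
    [ -f "$1" ] || return 0
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# cert_matches_key CERT KEY: succeed if the leaf certificate carries the public
# key of KEY. Installing a mismatched pair makes nginx refuse the reload.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

# cert_count FILE: number of PEM certificates in FILE (1 = leaf only, no chain).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

renew() {
    if ! needs_renewal "$CHAINED" "$RENEW_DAYS"; then
        echo "certificate still valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    # mktemp gives a private file instead of the predictable /tmp/signed.crt
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    python "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$CSR" \
        --acme-dir "$CHALLENGE_DIR" > "$tmp" || { echo "acme_tiny failed" >&2; return 1; }
    cert_matches_key "$tmp" "$DOMAIN_KEY" \
        || { echo "issued certificate does not match $DOMAIN_KEY" >&2; return 1; }
    # ACME v2 versions of acme-tiny return the full chain; older ones return the leaf alone.
    if [ "$(cert_count "$tmp")" -lt 2 ]; then
        cat "$INTERMEDIATE" >> "$tmp" || return 1
    fi
    # Write beside the target and rename, so nginx never reads a half-written file.
    cp "$tmp" "$CHAINED.new" && mv "$CHAINED.new" "$CHAINED" || return 1
    nginx -t && service nginx reload
}

# Cron usage (daily; the script decides whether renewal is due):
#   0 0 * * * /path/to/renew_cert.sh --run >> /var/log/acme_tiny.log 2>&1
if [ "${1:-}" = "--run" ]; then
    renew
fi
```

Running it daily with a 30-day threshold leaves several weeks of retries if Let’s Encrypt or the challenge path is broken, whereas the monthly cron line above gets at most two more attempts before a 90-day certificate expires.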
Reproduction without permission prohibited: ganlei's personal blog » Switching from StartSSL to Let’s Encrypt