当前位置: 首页 > 工具软件 > Acme-Tiny > 使用案例 >

python acme_python小工具: TLS 证书加密,Acme-Tiny

阴永逸
2023-12-01

前言

安全传输层协议(TLS)用于在两个通信应用程序之间提供保密性和数据完整性。该协议由两层组成: TLS 记录协议(TLS Record)和 TLS 握手协议(TLS Handshake)。较低的层为 TLS 记录协议,位于某个可靠的传输协议(例如 TCP)上面,与具体的应用无关,所以,一般把TLS协议归为传输层安全协议。

Acme-Tiny 是采用Python编写的,一款轻量级的TLS 证书加密工具。

使用

获取秘钥

openssl genrsa 4096 > account.key

使用现有的秘钥

# Download the script

wget -O - "https://gist.githubusercontent.com/JonLundy/f25c99ee0770e19dc595/raw/6035c1c8938fae85810de6aad1ecf6e2db663e26/conv.py" > conv.py

# Copy your private key to your working directory

cp /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory//private_key.json private_key.json

# Create a DER encoded private key

openssl asn1parse -noout -out private_key.der -genconf

# Convert to PEM

openssl rsa -in private_key.der -inform der > account.key

小编推荐一个学python的学习qun 740322234

无论你是大牛还是小白,是想转行还是想入行都可以来了解一起进步一起学习!裙内有开发工具,很多干货和技术资料分享!

创建证书签名请求 (CSR) 的域名

#generate a domain private key (if you haven't already)

openssl genrsa 4096 > domain.key

#for a single domain

openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr

#for multiple domains (use this one if you want both www.yoursite.com and yoursite.com)

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config

关联到网站主机

#example for nginx

server {

listen 80;

server_name yoursite.com www.yoursite.com;

location /.well-known/acme-challenge/ {

alias /var/www/challenges/;

try_files $uri =404;

}

...the rest of your config

}

获取签名证书

#run the script on your server

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt

安装证书

server {

listen 443;

server_name yoursite.com, www.yoursite.com;

ssl on;

ssl_certificate /path/to/chained.pem;

ssl_certificate_key /path/to/domain.key;

ssl_session_timeout 5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;

ssl_session_cache shared:SSL:50m;

ssl_dhparam /path/to/server.dhparam;

ssl_prefer_server_ciphers on;

...the rest of your config

}

server {

listen 80;

server_name yoursite.com, www.yoursite.com;

location /.well-known/acme-challenge/ {

alias /var/www/challenges/;

try_files $uri =404;

}

...the rest of your config

}

设置自动更新

#!/usr/bin/shpython /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exitwget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem

cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem

service nginx reload

 类似资料: