python acme_使用 acme-tiny 工具生成 Let's Encrypt 的免费 SSL 证书
下载 acme-tiny
创建用户私钥和域名私钥 "创建用户私钥和域名私钥")创建用户私钥和域名私钥
mkdir -p /etc/ssl/letsencrypt/
cd /etc/ssl/letsencrypt/
openssl genrsa 4096 > account.key
openssl genrsa 4096 > domain.key
生成域名 csr 文件 "生成域名 csr 文件")生成域名 csr 文件
单域名
openssl req -new -sha256 -key domain.key -subj "/CN=www.yoursite.com" > domain.csr
多域名
ln -s /etc/pki/tls/openssl.cnf /etc/ssl/openssl.cnf
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config domain.csr
配置 Web 站点的 challenge 文件 "配置 Web 站点的 challenge 文件")配置 Web 站点的 challenge 文件
mkdir -p /var/www/challenges/
#example for nginx
server {
listen 80;
server_name yoursite.com www.yoursite.com;
location /.well-known/acme-challenge/ {
alias /var/www/challenges/;
try_files $uri =404;
}
...the rest of your config
}
生成 signed 文件 "生成 signed 文件")生成 signed 文件
wget -c https://raw.githubusercontent.com/yangphere/acme-tiny/master/acme_tiny.py --no-check-certificate
python acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /var/www/challenges/ > /etc/ssl/letsencrypt/signed.crt
生成证书链 "生成证书链")生成证书链
v1 版,兼容性差点
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem
cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem
建议使用 v3 版
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem
cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem
生成 dh 证书 "生成 dh 证书")生成 dh 证书
openssl dhparam -out dhparam.pem 2048
配置 nginx 使 SSL 证书生效 "配置 nginx 使 SSL 证书生效")配置 nginx 使 SSL 证书生效
server {
listen 443;
server_name yoursite.com, www.yoursite.com;
ssl on;
ssl_certificate /etc/ssl/letsencrypt/chained.pem;
ssl_certificate_key /etc/ssl/letsencrypt/domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/letsencrypt/dhparam.pem;
ssl_prefer_server_ciphers on;
...the rest of your config
}
server {
listen 80;
server_name yoursite.com, www.yoursite.com;
location /.well-known/acme-challenge/ {
alias /var/www/challenges/;
try_files $uri =404;
}
...the rest of your config
}
重启 nginx 服务 "重启 nginx 服务")重启 nginx 服务
service nginx reload
自动生成 SSL 证书 "自动生成 SSL 证书")自动生成 SSL 证书
由于 Let’s Encrypt 的证书只有 90 天的有效期,需要使用系统每个月生成一次。编辑 renew_cert.sh 文件
以下是 v1 版,兼容性差点
#!/usr/bin/shpython /etc/ssl/letsencrypt/acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /var/www/challenges/ > /etc/ssl/letsencrypt/signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem
cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem
service nginx reload
建议使用 v3 版
#!/usr/bin/shpython /etc/ssl/letsencrypt/acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/domain.csr --acme-dir /var/www/challenges/ > /etc/ssl/letsencrypt/signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /etc/ssl/letsencrypt/intermediate.pem
cat /etc/ssl/letsencrypt/signed.crt /etc/ssl/letsencrypt/intermediate.pem > /etc/ssl/letsencrypt/chained.pem
service nginx reload
添加可执行权限
chmod +x renew_cert.sh
编辑 crontab 文件
crontab -e
加入如下内容
0 0 1 * * /etc/ssl/letsencrypt/renew_cert.sh 2>> /var/log/acme_tiny.log
重启 crontab 服务
service crond restart
测试一下 SSL 质量 "测试一下 SSL 质量")测试一下 SSL 质量