Introduction
This post uses certificates issued by the Let’s Encrypt certificate authority.
Relevant information
Let’s Encrypt
Official website: https://letsencrypt.org/zh-cn/getting-started/
acme.sh
Tutorial: https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E
Installing acme.sh
curl https://get.acme.sh | sh
After this command runs, the relevant files are generated under ~/.acme.sh/, and a crontab entry is added automatically: a scheduled task that runs every day in the early morning.
Generating a Certificate
Syntax:
acme.sh --issue -d <domain1> -d <domain2> --webroot <website root directory>
Example:
acme.sh --issue -d blog.zhangjianqiang.top --webroot /path/to/blog/
If the command reports an error, add --debug to print the detailed error message.
If the error comes from curl, add --use-wget to the command line so that wget is used instead of curl to download files.
Installing / Copying the Certificate
After the above command runs, a folder named after the domain appears under ~/.acme.sh; it holds the generated certificate files. These files should not be used directly from that directory. It is best to copy them into a directory prepared for nginx (for another server, copy them to that server's configuration directory).
nginx
Example:
I usually use an nginx server, so only the nginx operations are shown here. If you use apache or another server, please refer to the documentation linked above for the corresponding operations.
acme.sh --installcert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
While testing the command above, I found that service nginx force-reload did not work, so I used service nginx reload here and then restarted nginx. I am not too sure whether service nginx reload refreshes the configuration file; if your changes have not taken effect, restart nginx.
Updating the certificate
The installation step already added a crontab task automatically; it renews our certificates automatically when they expire.
nginx configuration
server
{
    # Note: it must be written this way; I first wrote "ssl on;" and got an error
    listen 443 ssl;
    server_name blog.zhangjianqiang.top;
    # Start of the certificate-related configuration
    ssl_certificate /usr/local/nginx/conf/cert/blog.zhangjianqiang.top/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/blog.zhangjianqiang.top/key.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # End of the certificate-related configuration
    # Put your own other configuration below
}
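A check to run after copying the certificate and writing the server block above, as an added example that is not part of the original post: it reports deprecated entries in ssl_protocols (TLS 1.0 and 1.1 were deprecated by RFC 8996), the obsolete "ssl on;" directive, and a private key that is readable by group or others. The function names, the sample configuration and the temporary file paths are constructed for illustration.

```sh
#!/bin/sh
# Print each protocol on an ssl_protocols line that the IETF has deprecated
# (SSLv2, SSLv3, TLS 1.0/1.1 per RFC 8996). Commented-out lines are ignored.
deprecated_protocols() {
    awk '$1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print p
        }
    }' "$1"
}

# Succeed only if the key file exists and is not readable by group or others.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Print one finding per line; return 1 if there was any finding, else 0.
audit_tls() {   # usage: audit_tls NGINX_CONF KEY_FILE
    rc=0
    for p in $(deprecated_protocols "$1"); do
        echo "deprecated protocol enabled: $p"; rc=1
    done
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "obsolete directive 'ssl on;' (use 'listen 443 ssl;')"; rc=1
    fi
    key_is_private "$2" || { echo "key file missing or readable by group/others: $2"; rc=1; }
    return "$rc"
}

# Constructed sample mirroring the TLS lines of the post's server block.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    # ssl_protocols SSLv3;   (commented out, must not be reported)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_conf > "$d/site.conf"
    : > "$d/key.pem"; chmod 644 "$d/key.pem"   # constructed key, deliberately too open
    audit_tls "$d/site.conf" "$d/key.pem" || true; rm -rf "$d"
}
demo
```

Against a real deployment, pass the nginx configuration file and the path given to --key-file as the two arguments of audit_tls.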
Updating acme.sh
Upgrade acme.sh to the latest version:
acme.sh --upgrade
If you do not want to manually upgrade, you can turn on automatic upgrade:
acme.sh --upgrade --auto-upgrade
After that, acme.sh will keep itself updated automatically.
You can also turn off automatic updates at any time:
acme.sh --upgrade --auto-upgrade 0