Deploying an HTTPS certificate with acme.sh

Introduction

The certificates used here are issued by Let’s Encrypt.

Relevant information

Let’s Encrypt official website: https://letsencrypt.org/zh-cn/getting-started/

acme.sh tutorial: https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

Installing acme.sh

curl  https://get.acme.sh | sh

After executing the above command, the relevant files are generated under ~/.acme.sh/, and a crontab entry is added automatically that runs a scheduled task in the early morning every day.

Generating a Certificate

Syntax:

acme.sh  --issue  -d domain1 -d domain2  --webroot  website-root-directory

Example:

acme.sh  --issue  -d blog.zhangjianqiang.top  --webroot  /path/to/blog/

If the command reports an error, add --debug to print the details of the error message.

If the error comes from curl, add --use-wget to the command line so that wget is used instead of curl to download files.

Installing / copying the certificate

After running the above command, a folder named after the domain appears under ~/.acme.sh; it contains the generated certificate files. It is best not to use this directory directly. Instead, copy the files to a directory prepared for nginx (for another server, copy them to the appropriate configuration directory).

nginx Example:

I usually use nginx servers, so only the nginx operations are shown here. If you use apache or another server, please refer to the documentation linked above.

acme.sh --installcert -d example.com \
--key-file       /path/to/keyfile/in/nginx/key.pem  \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd     "service nginx force-reload"

While testing the command above, I found that service nginx force-reload did not work, so I used service nginx reload here and then restarted nginx. I am not sure whether service nginx reload refreshes the configuration file, so if the change has not taken effect after these steps, please restart nginx.
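A check that can be run on the two files written by --installcert, before or after the reload, to confirm that the private key belongs to the leaf certificate, that the certificate is not about to expire, and that the key is not readable by other users. This is an added example, not code from the original post or from acme.sh; the function name check_cert_pair and its return codes are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the post or from acme.sh). check_cert_pair and its
# return codes are hypothetical names chosen for this sketch; needs openssl.
#
# Usage: check_cert_pair KEY_FILE FULLCHAIN_FILE [MIN_DAYS_LEFT]
#   0 ok | 2 unreadable/unparsable | 3 key does not match cert
#   4 expires within MIN_DAYS_LEFT | 5 key accessible to group/others
check_cert_pair() {
    key=$1; chain=$2; min_days=${3:-30}

    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "cannot read $key or $chain" >&2; return 2
    fi

    # Derive the public key from each side. "openssl x509" reads only the
    # first certificate in the fullchain file, which is the leaf.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ -z "$crt_pub" ]; then
        echo "could not parse key or certificate" >&2; return 2
    fi
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "private key does not match the leaf certificate" >&2; return 3
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$chain" -noout \
            -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires in under $min_days days" >&2; return 4
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key file is accessible to group or others" >&2; return 5
    fi
    return 0
}

# Run as a script: sh check_cert_pair.sh key.pem cert.pem 30
if [ "$#" -ge 2 ]; then
    check_cert_pair "$@"
fi
```

A non-zero result from this check is a reason not to reload nginx with the new files.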

Updating the certificate

The crontab task that was added automatically during installation renews our certificates automatically when they expire.

nginx configuration

server
    {
        # Note: write it this way; I first wrote "ssl on;" and got an error
        listen 443 ssl;
        server_name blog.zhangjianqiang.top ;
        # Start of the certificate-related configuration
        ssl_certificate /usr/local/nginx/conf/cert/blog.zhangjianqiang.top/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert/blog.zhangjianqiang.top/key.pem;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # End of the certificate-related configuration
        # Put your own other configuration below
    }

Updating acme.sh

Upgrade acme.sh to the latest version:

acme.sh --upgrade

If you do not want to manually upgrade, you can turn on automatic upgrade:

acme.sh  --upgrade  --auto-upgrade

After that, acme.sh will keep itself up to date automatically.

You can also turn off automatic updates at any time:

acme.sh --upgrade  --auto-upgrade  0

Origin blog.csdn.net/weixin_37825371/article/details/104824498