Get Free SSL Certificate from Let's Encrypt by Shell Script

In the previous article I found a PHP script that obtains the certificate:
http://happysoul.iteye.com/blog/2390306

This time I am posting a shell + Python script that needs very little setup. The whole process talks to the Let's Encrypt API, and Let's Encrypt fetches a challenge file from your website to validate the domain, so the machine must be able to reach the Internet and the site must be reachable from the Internet on port 80.

Local files before running:

letsencrypt.conf
letsencrypt.sh


Excerpt of the execution log:
root@localhost:~/acme_py# ./letsencrypt.sh letsencrypt.conf      
Generate account key...
Generating RSA private key, 4096 bit long modulus
...........++
.........................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
..........................+++
................+++
e is 65537 (0x10001)
Generate CSR...domain.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying hidden.f3322.net...
hidden.f3322.net verified!
Signing certificate...
Certificate signed!
New cert: domain.chained.crt has been generated


Local files after running (ls):

account.key
acme_tiny.py
domain.chained.crt
domain.crt
domain.csr
domain.key
letsencrypt.conf
letsencrypt.sh
lets-encrypt-x3-cross-signed.pem


The script (letsencrypt.sh) and its configuration file (letsencrypt.conf); letsencrypt.sh first:
#!/bin/bash

# Usage: /etc/nginx/certs/letsencrypt.sh /etc/nginx/certs/letsencrypt.conf

CONFIG=$1
# acme_tiny.py is kept next to the config instead of in world-writable /tmp.
ACME_TINY="acme_tiny.py"
DOMAIN_KEY=""

if [ -f "$CONFIG" ];then
    # The config is sourced as shell code, so it must be writable only by root.
    . "$CONFIG"
    DIRNAME=$(dirname "$CONFIG")
    cd "$DIRNAME" || exit 1
else
    echo "ERROR CONFIG."
    exit 1
fi

KEY_PREFIX="${DOMAIN_KEY%%.*}"
DOMAIN_CRT="$KEY_PREFIX.crt"
DOMAIN_PEM="$KEY_PREFIX.pem"
DOMAIN_CSR="$KEY_PREFIX.csr"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"

# Private keys are written by plain redirects, so create them under umask 077
# (owner-only). The umask is set in a subshell so that the challenge directory
# created further down stays readable by the web server.
if [ ! -f "$ACCOUNT_KEY" ];then
    echo "Generate account key..."
    (umask 077; openssl genrsa 4096 > "$ACCOUNT_KEY")
fi

if [ ! -f "$DOMAIN_KEY" ];then
    echo "Generate domain key..."
    if [ "$ECC" = "TRUE" ];then
        # secp256r1 is the same curve as prime256v1 (NIST P-256)
        (umask 077; openssl ecparam -genkey -name secp256r1 | openssl ec -out "$DOMAIN_KEY")
    else
        (umask 077; openssl genrsa 2048 > "$DOMAIN_KEY")
    fi
fi

echo "Generate CSR...$DOMAIN_CSR"

OPENSSL_CONF="/etc/ssl/openssl.cnf"

if [ ! -f "$OPENSSL_CONF" ];then
    OPENSSL_CONF="/etc/pki/tls/openssl.cnf"
    if [ ! -f "$OPENSSL_CONF" ];then
        echo "Error, file openssl.cnf not found."
        exit 1
    fi
fi

# Empty subject: Let's Encrypt only uses the subjectAltName list built from $DOMAINS.
openssl req -new -sha256 -key "$DOMAIN_KEY" -subj "/" -reqexts SAN -config <(cat "$OPENSSL_CONF" <(printf "[SAN]\nsubjectAltName=%s" "$DOMAINS")) > "$DOMAIN_CSR" || exit 1

# acme_tiny.py runs with access to the account key, so it is fetched over a
# verified TLS connection (no --no-check-certificate). If ACME_TINY_SHA256 is
# set in the config, a downloaded copy whose hash does not match is refused.
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O "$ACME_TINY" -o /dev/null || exit 1
if [ -n "$ACME_TINY_SHA256" ];then
    echo "$ACME_TINY_SHA256  $ACME_TINY" | sha256sum -c - >/dev/null || { echo "acme_tiny.py checksum mismatch."; exit 1; }
fi

if [ -f "$DOMAIN_CRT" ];then
    mv "$DOMAIN_CRT" "$DOMAIN_CRT-OLD-$(date +%y%m%d-%H%M%S)"
fi

# Challenge files are served from http://<domain>/.well-known/acme-challenge/
DOMAIN_DIR="$DOMAIN_DIR/.well-known/acme-challenge/"
mkdir -p "$DOMAIN_DIR"

python "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$DOMAIN_CSR" --acme-dir "$DOMAIN_DIR" > "$DOMAIN_CRT"

if [ "$?" != 0 ];then
    # Issuance failed: do not leave an empty .crt behind (the previous one is kept as -OLD-*).
    rm -f "$DOMAIN_CRT"
    exit 1
fi

# The X3 intermediate was current when this was written and has since expired;
# recent acme-tiny versions (ACME v2) already return the full chain, so check
# what $DOMAIN_CRT contains before appending an intermediate here.
if [ ! -f "lets-encrypt-x3-cross-signed.pem" ];then
    wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -o /dev/null || exit 1
fi

cat "$DOMAIN_CRT" lets-encrypt-x3-cross-signed.pem > "$DOMAIN_CHAINED_CRT"

if [ "$LIGHTTPD" = "TRUE" ];then
    # lighttpd wants key + leaf certificate in one file (owner-only, it contains the key);
    # point ssl.ca-file at the intermediate separately.
    (umask 077; cat "$DOMAIN_KEY" "$DOMAIN_CRT" > "$DOMAIN_PEM")
    echo -e "\e[01;32mNew pem: $DOMAIN_PEM has been generated\e[0m"
fi

echo -e "\e[01;32mNew cert: $DOMAIN_CHAINED_CRT has been generated\e[0m"

#service nginx reload

letsencrypt.conf:

# only modify the values; key files will be generated automatically.
ACCOUNT_KEY="account.key"
DOMAIN_KEY="domain.key"
DOMAIN_DIR="/www/"
DOMAINS="DNS:hidden.f3322.net"
#ECC=TRUE
#LIGHTTPD=TRUE
# optional: sha256 of the acme_tiny.py you reviewed; other copies are refused
#ACME_TINY_SHA256=


If there are multiple domain names, separate them with commas, for example:

DOMAINS="DNS:ww1.f3322.net,DNS:ww2.f3322.net,DNS:ww3.f3322.net"
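Two things the script above does not check are worth checking before and after a run: whether the DOMAINS value is something the http-01 flow can actually validate, and whether the certificate that came back belongs to the domain key, carries all the requested names and is not about to expire. The following is an added example, not part of the original post or of acme-tiny; the function names, the hostnames example.test and www.example.test and the self-signed demo certificate are all constructed for illustration, and only openssl is required.

```shell
#!/bin/bash
# Added example (not from the original post or acme-tiny).
# validate_domains: sanity-check a DOMAINS string before it goes into the CSR.
# key_matches_cert / cert_has_sans / cert_valid_for_days: check what came back.
# make_demo_material: constructed key + self-signed cert so this runs offline.

# Every entry must be "DNS:<hostname>". Wildcards are refused because the
# http-01 challenge acme-tiny uses cannot validate them (Let's Encrypt needs
# dns-01 for wildcards); names are checked against RFC 1123 label rules.
validate_domains() {
  list=$1
  [ -n "$list" ] || { echo "DOMAINS is empty" >&2; return 1; }
  rc=0
  set -f   # no pathname expansion on entries such as DNS:*.example.test
  for entry in $(printf '%s' "$list" | tr ',' ' '); do
    case $entry in
      DNS:*) ;;
      *) echo "not a DNS: entry: $entry" >&2; rc=1; continue ;;
    esac
    name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')
    case $name in
      *'*'*) echo "wildcard needs dns-01, not http-01: $name" >&2; rc=1; continue ;;
    esac
    if [ ${#name} -gt 253 ] || ! printf '%s' "$name" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'; then
      echo "invalid hostname: $name" >&2; rc=1
    fi
  done
  set +f
  return $rc
}

# True when the public half of private key $1 equals the public key in
# certificate $2, i.e. the cert really belongs to DOMAIN_KEY (RSA or EC).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when every DNS:name in $2 (same format as DOMAINS) is present in the
# subjectAltName extension of certificate $1.
cert_has_sans() {
  have=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n')
  for want in $(printf '%s' "$2" | tr ',' ' '); do
    printf '%s\n' "$have" | grep -qxF "$want" || return 1
  done
  return 0
}

# True when certificate $1 is still valid $2 days from now; a renewal cron
# job can skip the run while this holds.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed demo material: RSA key and a 30-day self-signed certificate with
# two SANs, built from an inline openssl config. Prints the directory created.
make_demo_material() {
  d=$(mktemp -d) || return 1
  cat > "$d/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = example.test
[san]
subjectAltName = DNS:example.test,DNS:www.example.test
EOF
  openssl genrsa -out "$d/domain.key" 2048 2>/dev/null || return 1
  openssl req -x509 -new -sha256 -days 30 -key "$d/domain.key" \
      -config "$d/san.cnf" -out "$d/domain.crt" 2>/dev/null || return 1
  printf '%s\n' "$d"
}

# Stand-alone run: exercise every check against the demo material.
demo() {
  d=$(make_demo_material) || { echo "could not build demo material"; return 1; }
  validate_domains "DNS:example.test,DNS:www.example.test" && echo "DOMAINS ok"
  validate_domains "DNS:*.example.test" 2>/dev/null || echo "wildcard rejected"
  key_matches_cert "$d/domain.key" "$d/domain.crt" && echo "key matches cert"
  cert_has_sans "$d/domain.crt" "DNS:example.test,DNS:www.example.test" && echo "SANs present"
  cert_valid_for_days "$d/domain.crt" 7 && echo "still valid in 7 days"
  cert_valid_for_days "$d/domain.crt" 60 || echo "expires within 60 days: renew"
  rm -rf "$d"
}
demo
```

In the real script the same calls would run against the files it produces: `validate_domains "$DOMAINS"` right after the config is sourced, and `key_matches_cert "$DOMAIN_KEY" "$DOMAIN_CRT"` plus `cert_has_sans "$DOMAIN_CRT" "$DOMAINS"` before the new certificate is handed to nginx, so a half-failed run can never replace a working certificate with a wrong one.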


The next step is to configure the certificate in nginx; see the previous article.

Finally, the script together with the downloaded .py and .pem files is attached for reference.
