http://happysoul.iteye.com/blog/2390306
This time I am posting a shell + Python script that does not need much setup. The whole process has to reach the Internet and call the Let's Encrypt site for domain validation, so make sure the machine can connect to the Internet.
Local files before running:
letsencrypt.conf
letsencrypt.sh
Excerpt of the log from running the script:
root@localhost:~/acme_py# ./letsencrypt.sh letsencrypt.conf
Generate account key...
Generating RSA private key, 4096 bit long modulus
...........++
.........................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
..........................+++
................+++
e is 65537 (0x10001)
Generate CSR...domain.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying hidden.f3322.net...
hidden.f3322.net verified!
Signing certificate...
Certificate signed!
New cert: domain.chained.crt has been generated
After the run, ls shows these local files:
account.key
acme_tiny.py
domain.chained.crt
domain.crt
domain.csr
domain.key
letsencrypt.conf
letsencrypt.sh
lets-encrypt-x3-cross-signed.pem
The script and the configuration file:
letsencrypt.sh:

#!/bin/bash
# Usage: /etc/nginx/certs/letsencrypt.sh /etc/nginx/certs/letsencrypt.conf
CONFIG=$1
ACME_TINY="/tmp/acme_tiny.py"
DOMAIN_KEY=""

if [ -f "$CONFIG" ];then
    . "$CONFIG"
    DIRNAME=$(dirname "$CONFIG")
    cd "$DIRNAME" || exit 1
else
    echo "ERROR CONFIG."
    exit 1
fi

KEY_PREFIX="${DOMAIN_KEY%%.*}"
DOMAIN_CRT="$KEY_PREFIX.crt"
DOMAIN_PEM="$KEY_PREFIX.pem"
DOMAIN_CSR="$KEY_PREFIX.csr"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"

if [ ! -f "$ACCOUNT_KEY" ];then
    echo "Generate account key..."
    openssl genrsa 4096 > "$ACCOUNT_KEY"
fi

if [ ! -f "$DOMAIN_KEY" ];then
    echo "Generate domain key..."
    if [ "$ECC" = "TRUE" ];then
        openssl ecparam -genkey -name secp256r1 | openssl ec -out "$DOMAIN_KEY"
    else
        openssl genrsa 2048 > "$DOMAIN_KEY"
    fi
fi

echo "Generate CSR...$DOMAIN_CSR"
OPENSSL_CONF="/etc/ssl/openssl.cnf"
if [ ! -f "$OPENSSL_CONF" ];then
    OPENSSL_CONF="/etc/pki/tls/openssl.cnf"
    if [ ! -f "$OPENSSL_CONF" ];then
        echo "Error, file openssl.cnf not found."
        exit 1
    fi
fi
# CSR with an empty subject; all domain names go into the subjectAltName extension
openssl req -new -sha256 -key "$DOMAIN_KEY" -subj "/" -reqexts SAN -config <(cat $OPENSSL_CONF <(printf "[SAN]\nsubjectAltName=%s" "$DOMAINS")) > "$DOMAIN_CSR"

# Fetch acme_tiny.py (--no-check-certificate disables TLS verification of this download; drop it when the system CA store is current)
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py --no-check-certificate -O $ACME_TINY -o /dev/null

if [ -f "$DOMAIN_CRT" ];then
    mv "$DOMAIN_CRT" "$DOMAIN_CRT-OLD-$(date +%y%m%d-%H%M%S)"
fi

# Challenge files are written under the web root; they must be served at http://<domain>/.well-known/acme-challenge/
DOMAIN_DIR="$DOMAIN_DIR/.well-known/acme-challenge/"
mkdir -p "$DOMAIN_DIR"
python $ACME_TINY --account-key "$ACCOUNT_KEY" --csr "$DOMAIN_CSR" --acme-dir "$DOMAIN_DIR" > "$DOMAIN_CRT"
if [ "$?" != 0 ];then
    exit 1
fi

if [ ! -f "lets-encrypt-x3-cross-signed.pem" ];then
    wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem --no-check-certificate -o /dev/null
fi
# Leaf certificate followed by the intermediate: the chain nginx needs
cat "$DOMAIN_CRT" lets-encrypt-x3-cross-signed.pem > "$DOMAIN_CHAINED_CRT"

if [ "$LIGHTTPD" = "TRUE" ];then
    cat "$DOMAIN_KEY" "$DOMAIN_CRT" > "$DOMAIN_PEM"
    echo -e "\e[01;32mNew pem: $DOMAIN_PEM has been generated\e[0m"
fi
echo -e "\e[01;32mNew cert: $DOMAIN_CHAINED_CRT has been generated\e[0m"
#service nginx reload
letsencrypt.conf:

# only modify the values, key files will be generated automatically.
ACCOUNT_KEY="account.key"
DOMAIN_KEY="domain.key"
DOMAIN_DIR="/www/"
DOMAINS="DNS:hidden.f3322.net"
#ECC=TRUE
#LIGHTTPD=TRUE
Multiple domain names can be given, separated by commas, for example:
DOMAINS="DNS:ww1.f3322.net,DNS:ww2.f3322.net,DNS:ww3.f3322.net"
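A pre-flight check for the procedure above, added here as an example; it is not part of the original post or of acme-tiny. It validates the DOMAINS string, rebuilds the [SAN] stanza the CSR step appends to openssl.cnf, and confirms that the web server actually serves files from DOMAIN_DIR/.well-known/acme-challenge/ before acme_tiny is run, which is the usual reason the "Verifying ..." step fails. The function names san_hosts, san_stanza, write_probe_token and probe_hosts are my own; the check assumes curl is installed and that DOMAIN_DIR is the web root, as in letsencrypt.conf.

```shell
#!/bin/sh
# Pre-flight checks for the letsencrypt.sh flow (added example, not the
# author's script). Reuses the config names DOMAINS ("DNS:a,DNS:b") and
# DOMAIN_DIR (web root) from letsencrypt.conf; assumes curl is installed.

# Print the host names in a DOMAINS string, one per line. Every entry must be
# "DNS:<hostname>" with a syntactically valid hostname, otherwise return 1.
san_hosts() {
    for entry in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$entry" in
            DNS:*) host=${entry#DNS:} ;;
            *) echo "bad SAN entry: $entry" >&2; return 1 ;;
        esac
        # dotted labels of letters, digits and inner hyphens, alphabetic TLD
        if ! printf '%s' "$host" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'; then
            echo "bad hostname: $host" >&2
            return 1
        fi
        echo "$host"
    done
}

# The [SAN] stanza the CSR step appends to openssl.cnf, built from DOMAINS.
san_stanza() {
    printf '[SAN]\nsubjectAltName=%s\n' "$1"
}

# Drop a probe file where acme_tiny will later write its challenge tokens and
# print its path. HTTP-01 needs http://<host>/.well-known/acme-challenge/<token>
# to be served from exactly this directory.
write_probe_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$$-$(date +%s)"
    printf 'ok' > "$dir/$token" || return 1
    echo "$dir/$token"
}

# Fetch the probe over plain HTTP for every host in DOMAINS and report the
# hosts whose web server does not serve it. Returns 1 if any host fails.
probe_hosts() {
    webroot=$1
    domains=$2
    rc=0
    path=$(write_probe_token "$webroot") || return 1
    token=${path##*/}
    hosts=$(san_hosts "$domains") || { rm -f "$path"; return 1; }
    for host in $hosts; do
        body=$(curl -fsS --max-time 10 "http://$host/.well-known/acme-challenge/$token")
        if [ "$body" != "ok" ]; then
            echo "challenge path not served for $host" >&2
            rc=1
        fi
    done
    rm -f "$path"
    return $rc
}

# Usage, run from the directory holding letsencrypt.conf:
#   . ./letsencrypt.conf && probe_hosts "$DOMAIN_DIR" "$DOMAINS" && ./letsencrypt.sh letsencrypt.conf
```

The probe is deliberately fetched over plain HTTP on port 80, because that is where Let's Encrypt's HTTP-01 validation connects; a redirect to HTTPS is fine as long as curl still receives the file, which mirrors what the validator accepts.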
The next step is to configure the nginx certificate. See the previous article.
Finally, the script, together with the downloaded acme_tiny.py and the intermediate pem, is attached for reference.