linux-free ssl certificate


title: linux-free ssl certificate
categories: Linux
tags: [linux, xshell]
date: 2022-09-10 19:29:55
comments: false
mathjax: true
toc: true


Preface

  • 33 ways to get SSL certificates for free - https://zhuanlan.zhihu.com/p/174755007

HTTPS certificate file format conversion

  • HTTPS certificate file format conversion - https://ohttps.com/docs/certformat

The HTTPS certificate issued by Let's Encrypt generally includes the following files:

  • cert.key (PEM format): private key file
  • cert.cer (PEM format): certificate file
  • fullchain.cer (PEM format): the server certificate followed by the intermediate certificate(s); this is the file a web server should present to clients
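The checks and conversions below are an added example, not part of the original post: a shell script that builds a throwaway root -> intermediate -> leaf chain with openssl, lays it out the way acme.sh does (cert.key, cert.cer, fullchain.cer), then verifies that the leaf chains to the root through fullchain.cer, that cert.key belongs to cert.cer, and converts the PEM files to DER and PKCS#12. It goes beyond the list above by adding the verification steps; every file name, subject and the "demo" password are constructed for the demo and nothing touches a real CA.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a demo chain, then runs the checks and
# format conversions a practitioner wants before handing cert.key / fullchain.cer to a server.
# All names below are constructed; in real use the three leaf files are written by acme.sh.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Demo chain: root -> intermediate -> leaf. fullchain.cer = leaf + intermediate (root excluded).
make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > leaf.ext
  # Root CA: CSR, then self-signed with CA extensions
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3 -extfile ca.ext -out root.cer 2>/dev/null
  # Intermediate CA signed by the root; it must carry CA:TRUE or verification fails
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.cer -CAkey root.key -CAcreateserial -days 3 -extfile ca.ext -out intermediate.cer 2>/dev/null
  # Leaf: the cert.key / cert.cer pair, plus fullchain.cer in the order a server must present it
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" -keyout cert.key -out cert.csr 2>/dev/null
  openssl x509 -req -in cert.csr -CA intermediate.cer -CAkey intermediate.key -CAcreateserial -days 3 -extfile leaf.ext -out cert.cer 2>/dev/null
  cat cert.cer intermediate.cer > fullchain.cer
}

# Number of PEM certificates in a file: cert.cer holds 1, fullchain.cer at least 2
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the leaf chain up to the trusted root when the server presents fullchain.cer?
# This catches the classic mistake of pointing a server at cert.cer alone (missing intermediate).
verify_chain() { openssl verify -CAfile root.cer -untrusted fullchain.cer cert.cer >/dev/null; }

# Does cert.key belong to cert.cer? Compare hashes of the public keys, never the private key.
key_matches_cert() {
  cert_pub="$(openssl x509 -in cert.cer -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkey -in cert.key -pubout | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

# PEM -> DER (binary, one certificate) and PEM -> PKCS#12 (key + chain in one password-protected
# file, the form Windows/IIS and Java keystores import). "demo" is a constructed password.
convert_formats() {
  openssl x509 -in cert.cer -outform DER -out cert.der
  openssl pkcs12 -export -inkey cert.key -in fullchain.cer -passout pass:demo -out cert.pfx
}

# Round trip: the PKCS#12 bundle must yield exactly one client (leaf) certificate
pkcs12_leaf_count() {
  openssl pkcs12 -in cert.pfx -passin pass:demo -nokeys -clcerts 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

main() {
  make_demo_chain
  echo "certs in fullchain.cer: $(pem_cert_count fullchain.cer)"
  if verify_chain; then echo "leaf verifies against the root via fullchain.cer"; fi
  if key_matches_cert; then echo "cert.key matches cert.cer"; fi
  convert_formats
  echo "leaf certs in cert.pfx: $(pkcs12_leaf_count)"
  echo "cert.der size: $(wc -c < cert.der) bytes"
}
main
```

nginx reads the file given to ssl_certificate in order, so the leaf must come first in fullchain.cer, which is exactly how the file above is assembled; verify_chain is the check to run whenever a certificate is replaced by hand.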

Auto-renewal script

  • Official: https://github.com/acmesh-official/acme.sh
  • One script to move your site to HTTPS, free forever - https://segmentfault.com/a/1190000038367115

Using an Alibaba Cloud domain as the example

  1. Download and run the installer: curl https://get.acme.sh | sh -s email=my@example.com

    $ curl https://get.acme.sh | sh -s email=my@example.com
    
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   937    0   937    0     0   1741      0 --:--:-- --:--:-- --:--:--  1738
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  212k  100  212k    0     0   231k      0 --:--:-- --:--:-- --:--:--  231k
    [Wed Sep 14 02:32:00 UTC 2022] Installing from online archive.
    [Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
    [Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz
    [Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first.
    [Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode.
    [Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning.
    [Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh
    [Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh
    [Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc'
    [Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
    [Wed Sep 14 02:32:02 UTC 2022] Installing cron job
    no crontab for root
    no crontab for root
    [Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
    [Wed Sep 14 02:32:03 UTC 2022] OK
    [Wed Sep 14 02:32:03 UTC 2022] Install success!
    
    • Why specify an email address here?
      • Because acme.sh uses ZeroSSL as its default CA, and ZeroSSL requires an email address. Reference: https://www.xuchao.org/technology/acme-sh_is_using_zerossl_as_default_ca.html
  2. Create a script to run: vim a_start.sh

    #!/usr/bin/env bash
    # run from /root/.acme.sh, where the installer placed acme.sh
    export Ali_Key="123123123"
    export Ali_Secret="456456456"
    # the wildcard is quoted so the shell does not expand it against files in the current directory
    ./acme.sh --issue --force --dns dns_ali -d '*.aaa.com'
    
    • Ali_Key and Ali_Secret are the Alibaba Cloud API key and secret
    • --dns dns_ali means the dnsapi/dns_ali.sh script is used for the DNS challenge
    • -d *.aaa.com is a wildcard domain; to cover several domains, repeat -d with each single domain name
  3. Run a_start.sh

    $ ./a_start.sh
    
    [Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
    [Wed Sep 14 06:20:17 UTC 2022] Creating domain key
    ...
    [Wed Sep 14 06:21:31 UTC 2022] Success
    ...
    [Wed Sep 14 06:22:22 UTC 2022] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw
    SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
    ....
    ei94GjqO39Wo5w==
    -----END CERTIFICATE-----
    [Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer
    [Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key
    [Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer
    [Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer
    
    
    
    

Issuing to a specified path

  • The directory in the target path must exist before issuing. After the certificate is issued, acme.sh runs the command given with --reloadcmd, here reloading nginx; acme.sh saves these options and runs the same command again after each automatic renewal.

    ./acme.sh --issue --force --dns dns_ali -d '*.aaa.cn' \
        --key-file       /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key \
        --fullchain-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer \
        --reloadcmd      "service nginx force-reload"
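
The script below is an added example, not the a_start.sh from the original post: a wrapper around acme.sh that keeps the Alibaba Cloud credentials out of the script body (they are read from a file that must be mode 600), creates the output directory that acme.sh expects to exist, keeps the wildcard quoted so it never hits shell globbing, requests the apex and the wildcard together with repeated -d, and passes --key-file / --fullchain-file / --reloadcmd as in the command above. ACME, SECRETS, DRY_RUN, the domain and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a safer issue script for acme.sh + Alibaba Cloud DNS.
# Ali_Key / Ali_Secret are the variable names dnsapi/dns_ali.sh reads; everything else is constructed.
set -eu

ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"         # where the installer put acme.sh
SECRETS="${SECRETS:-${HOME:-/root}/.acme.sh/ali.env}"   # constructed: Ali_Key=... / Ali_Secret=... lines

# Load the credentials from a file only its owner can read; refuse anything group- or world-readable.
load_ali_secrets() {
  f="$1"
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"   # GNU stat, else BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "refusing $f: mode $mode, expected 600" >&2; return 1 ;;
  esac
  set -a; . "$f"; set +a                                            # export each KEY=value line
  [ -n "${Ali_Key:-}" ] && [ -n "${Ali_Secret:-}" ]
}

# acme.sh does not create the directory named in --key-file/--fullchain-file; create it root-only.
prepare_cert_dir() {
  mkdir -p "$1" && chmod 700 "$1" && [ -d "$1" ]
}

# With DRY_RUN set, print the command line instead of executing it (used for review and tests).
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Issue apex + wildcard for one domain. The wildcard is a quoted argument, so the shell
# never expands it against files in the current directory (the unquoted *.aaa.com in a_start.sh would).
issue_cert() {
  domain="$1"; outdir="$2"; reload="${3:-service nginx force-reload}"
  run "$ACME" --issue --dns dns_ali -d "$domain" -d "*.$domain" \
      --key-file "$outdir/$domain.key" --fullchain-file "$outdir/$domain.cer" \
      --reloadcmd "$reload"
}

main() {
  domain="example.test"; outdir="/opt/nginx-cert/example.test"   # constructed placeholders
  load_ali_secrets "$SECRETS"
  prepare_cert_dir "$outdir"
  issue_cert "$domain" "$outdir"
}

# Only issue when invoked as ./issue.sh --issue; otherwise the file just defines the functions.
if [ "${1:-}" = "--issue" ]; then main; fi
```

Two caveats worth knowing: --force is left out because it re-issues even when the existing certificate is not yet due, which the cron job installed by acme.sh does not need; and after the first successful issue acme.sh stores the DNS API credentials in its own account.conf, so that file needs the same protection as the secrets file.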
    
    
    
    

ohttps

  • https://ohttps.com/
  1. Use these two files from the download: the full-chain certificate and the private key (fullchain.cer and cert.key in the nginx configuration that follows)

    [image: the two certificate files downloaded from ohttps]

  2. Configure nginx

    # cdn service
    server
    {
        listen 443 ssl;
        server_name aaa.bbb.cn;
        root /webapps/cdn; # directory holding the files
        location / {
          autoindex on; # directory listing
          autoindex_exact_size on; # show file sizes
          autoindex_localtime on; # show file modification times
          limit_rate 0;
        }

        # ssl
        ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
        ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 TLSv1.3 is the current baseline
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/aaa.bbb.cn.log;
    }
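
As an added example (not part of the original post), the script below places the TLS directives from the server block above next to a hardened version of the same server and runs a small audit over both: it flags legacy protocol versions, blanket or weak cipher aliases (the bare AES and HIGH aliases admit RSA key exchange suites without forward secrecy), a certificate file that is not the full chain, and a missing HSTS header. Paths and the server name are the post's own placeholders; the audit is a line-based heuristic over these few directives, not an nginx configuration parser.

```shell
#!/bin/sh
# Added example (not from the original post): weak vs hardened TLS settings for the server above,
# plus a heuristic audit over the relevant directives. Paths/names are the post's placeholders.
set -eu

# The TLS-relevant directives exactly as the post configures them.
write_weak_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name aaa.bbb.cn;
    # ssl
    ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
    ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Hardened: TLS 1.2/1.3 only, forward-secret AEAD suites only, HSTS so browsers stop trying HTTP.
write_hardened_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name aaa.bbb.cn;
    ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;   # leaf first, then intermediates
    ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# Print one "FINDING:" line per problem found in the given config file.
audit_ssl_config() {
  file="$1"; hsts=0
  while read -r key val; do
    case "$key" in ''|'#'*) continue ;; esac                  # blank and comment lines
    case "$val" in *Strict-Transport-Security*) hsts=1 ;; esac
    val="${val%%;*}"                                          # keep only the directive value
    case "$key" in
      ssl_protocols)
        case " $val " in *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
          echo "FINDING: legacy protocol enabled: ssl_protocols $val" ;;
        esac ;;
      ssl_ciphers)
        bad=""; saved="$IFS"; IFS=:; set -- $val; IFS="$saved"   # split the cipher string on ':'
        for tok in "$@"; do
          case "$tok" in AES|HIGH|MEDIUM|LOW|ALL|DEFAULT|RC4|MD5|DES|3DES|EXPORT|NULL|aNULL|kRSA)
            bad="$bad $tok" ;;
          esac
        done
        if [ -n "$bad" ]; then echo "FINDING: blanket or weak cipher aliases:$bad"; fi ;;
      ssl_certificate)
        case "$val" in *fullchain*) ;; *) echo "FINDING: ssl_certificate is not the full chain: $val" ;; esac ;;
    esac
  done < "$file"
  if [ "$hsts" -eq 0 ]; then echo "FINDING: no Strict-Transport-Security header"; fi
}

count_findings() { audit_ssl_config "$1" | grep -c '^FINDING:' || true; }

main() {
  dir="$(mktemp -d)"
  write_weak_config "$dir/weak.conf"
  write_hardened_config "$dir/hardened.conf"
  for f in weak hardened; do
    echo "== $f.conf: $(count_findings "$dir/$f.conf") finding(s)"
    audit_ssl_config "$dir/$f.conf"
  done
}
main
```

Run against the post's settings the audit reports three findings (TLSv1/TLSv1.1 enabled, the AES and HIGH aliases, no HSTS) and none against the hardened block; directory listing via autoindex is left as configured, since that is the purpose of this file server.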
    
    
    
    


Source: https://blog.csdn.net/yangxuan0261/article/details/128047867