title: linux-free ssl certificate
categories: Linux
tags: [linux, xshell]
date: 2022-09-10 19:29:55
comments: false
mathjax: true
toc: true
linux-free ssl certificate
Preface
- 33 ways to get SSL certificates for free - https://zhuanlan.zhihu.com/p/174755007
HTTPS certificate file format conversion
- HTTPS certificate file format conversion - https://ohttps.com/docs/certformat
A certificate issued by Let's Encrypt (or ZeroSSL) and saved by an ACME client generally consists of these files, all PEM-encoded:
- cert.key: the private key; keep it mode 0600 and never send it to the CA or to anyone else
- cert.cer: the leaf (end-entity) certificate only
- fullchain.cer: the leaf certificate followed by the intermediate certificate(s); this is the file a web server should present, because clients that do not already hold the intermediate cannot build the chain from the leaf alone
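The checks and conversions a practitioner runs on those three files, as an added example that is not part of the page, of ohttps or of acme.sh. It assumes only the `openssl` command line; the function names are hypothetical, and the self-signed test material is constructed on the fly.

```sh
#!/bin/sh
# Added example (not from the page, ohttps or acme.sh): inspect the PEM files a CA
# hands you, prove the private key belongs to the certificate, count the chain, and
# convert to PKCS#12 / DER for software that cannot read PEM (Java keystores, IIS).
# Requires the openssl CLI; every function name here is hypothetical.

# Print subject, issuer and validity window of the leaf certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Return 0 when the private key ($1) and the certificate ($2) carry the same public key.
# Comparing the DER SubjectPublicKeyInfo works for RSA and EC keys alike, unlike the
# old "compare the modulus" trick, which is RSA-only.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey \
               | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Number of certificates in a PEM bundle. A fullchain.cer should give >= 2
# (leaf plus at least one intermediate); cert.cer gives exactly 1.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Bundle key + full chain into one password-protected PKCS#12 file ($3).
# Arguments: key, chain PEM, output path, password.
pem_to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Re-encode the leaf certificate as binary DER for tools that expect .der/.crt.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}
```

`key_matches_cert` is the check to run before restarting a web server: nginx refuses to start on a key/certificate mismatch, and a mismatch usually means two issuances got interleaved or the wrong file was copied.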
Auto-renewal script
- Official: https://github.com/acmesh-official/acme.sh
- A script that upgrades your site to HTTPS, free forever - https://segmentfault.com/a/1190000038367115
Example: a domain hosted on Alibaba Cloud DNS
Download and run the installer (the email address registers the ACME account; see the note below):
```sh
curl https://get.acme.sh | sh -s email=my@example.com
```
Piping a remote script into a root shell executes whatever the server returns. If you would rather review it first, download the script and read it, or clone https://github.com/acmesh-official/acme.sh at a tagged release and run `./acme.sh --install -m my@example.com`, which performs the same steps (copy to ~/.acme.sh, shell alias, cron entry).
```
$ curl https://get.acme.sh | sh -s email=my@example.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   937    0   937    0     0   1741      0 --:--:-- --:--:-- --:--:--  1738
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  212k  100  212k    0     0   231k      0 --:--:-- --:--:-- --:--:--  231k
[Wed Sep 14 02:32:00 UTC 2022] Installing from online archive.
[Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first.
[Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode.
[Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning.
[Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc'
[Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing cron job
no crontab for root
no crontab for root
[Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Sep 14 02:32:03 UTC 2022] OK
[Wed Sep 14 02:32:03 UTC 2022] Install success!
```
- Why specify an email address here?
- Because acme.sh (since 3.0) uses ZeroSSL as its default CA, and ZeroSSL requires an email address to register the ACME account. Reference: https://www.xuchao.org/technology/acme-sh_is_using_zerossl_as_default_ca.html. If you prefer Let's Encrypt, switch the default with `acme.sh --set-default-ca --server letsencrypt` or pass `--server letsencrypt` to `--issue`.
Create a script to run the issuance:
```sh
vim a_start.sh
```
```sh
#!/bin/sh
# Alibaba Cloud AccessKey pair; acme.sh reads them from the environment on the
# first run and saves them in ~/.acme.sh/account.conf for later renewals
export Ali_Key="123123123"
export Ali_Secret="456456456"
# quote the wildcard so the shell does not expand it as a glob;
# --force is optional here and only matters when re-running on an existing cert
./acme.sh --issue --force --dns dns_ali -d '*.aaa.com'
```
Because this file contains a live AccessKey, make it readable by root only (`chmod 600 a_start.sh`). Anyone who can read the key can change DNS for the zone and therefore obtain certificates for every name in it, so use a RAM sub-user restricted to DNS rather than the account's primary AccessKey.
- `Ali_Key` and `Ali_Secret` are the Alibaba Cloud AccessKey ID and AccessKey Secret
- `--dns dns_ali` selects the `dnsapi/dns_ali.sh` plugin, which completes the DNS-01 challenge by creating the `_acme-challenge` TXT record through the Alibaba Cloud DNS API and removing it afterwards
- `-d *.aaa.com` requests a wildcard certificate; wildcards are only obtainable through DNS-01. For several names, repeat `-d` once per name
Run it:
```
$ ./a_start.sh
[Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Sep 14 06:20:17 UTC 2022] Creating domain key
...
[Wed Sep 14 06:21:31 UTC 2022] Success
...
[Wed Sep 14 06:22:22 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
....
ei94GjqO39Wo5w==
-----END CERTIFICATE-----
[Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer
[Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key
[Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer
[Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer
```
Writing the files to a chosen path
The target directory must exist before you run the command (acme.sh does not create it). After issuance, the `--reloadcmd` is executed so nginx picks up the new files:
```sh
./acme.sh --issue --force --dns dns_ali -d '*.aaa.cn' \
  --key-file       /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key \
  --fullchain-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer \
  --reloadcmd      "service nginx force-reload"
```
acme.sh remembers the file paths and the reload command in the domain's config, and the cron job installed earlier repeats the copy and the reload after every automatic renewal. The documented way to set them is a separate `acme.sh --install-cert -d '*.aaa.cn' --key-file ... --fullchain-file ... --reloadcmd ...` after a plain `--issue`; combining them with `--force` as above also works but reissues the certificate every time the script runs, which counts against the CA's rate limits.
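The whole procedure above (credentials, issue, copy to the nginx directory, reload) wrapped so it can be re-run safely, as an added example that is not part of the page or of the acme.sh project. Everything it assumes is hypothetical: acme.sh installed in `~/.acme.sh`, the AccessKey pair kept in `/etc/acme/ali.env` as two `Ali_Key=` / `Ali_Secret=` lines, and nginx reading from `/opt/nginx-cert/<domain>/`; the function names and the sample credentials in the usage note are made up.

```sh
#!/bin/sh
# Added example, not from the page or the acme.sh project. Assumptions (hypothetical):
#   ACME      path to acme.sh (default ~/.acme.sh/acme.sh)
#   CRED_FILE file with two lines, Ali_Key=... and Ali_Secret=..., mode 0600
#   CERT_ROOT directory nginx reads certificates from
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"
CRED_FILE="${CRED_FILE:-/etc/acme/ali.env}"
CERT_ROOT="${CERT_ROOT:-/opt/nginx-cert}"

# Return 1 if the file is readable by group or others. An AccessKey with DNS write
# access lets whoever reads it obtain certificates for every name in the zone.
check_private_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print 2>/dev/null)" ]; then
        echo "refusing $f: mode must be 0600" >&2
        return 1
    fi
    return 0
}

# Export Ali_Key / Ali_Secret from the credentials file. acme.sh reads them from the
# environment on the first run and stores them in ~/.acme.sh/account.conf.
load_ali_creds() {
    check_private_file "$1" || return 1
    # Take only the two expected assignments; never `source` a file of unknown content.
    Ali_Key=$(sed -n 's/^Ali_Key=//p' "$1")
    Ali_Secret=$(sed -n 's/^Ali_Secret=//p' "$1")
    [ -n "$Ali_Key" ] && [ -n "$Ali_Secret" ] || { echo "incomplete credentials in $1" >&2; return 1; }
    export Ali_Key Ali_Secret
}

# Create the directory nginx will read from (acme.sh does not create it) and print it.
# 0750 keeps the private key away from unprivileged users; only nginx's root-owned
# master process needs to open it.
ensure_cert_dir() {
    d="$CERT_ROOT/$1"
    install -d -m 0750 "$d" && echo "$d"
}

# Issue once, without --force: acme.sh skips the request when the cert is not yet due,
# which also keeps you under the CA's rate limits. --install-cert records the paths
# and the reload command so the cron job repeats both after each automatic renewal.
issue_and_install() {
    domain="$1"
    dir=$(ensure_cert_dir "$domain") || return 1
    "$ACME" --issue --dns dns_ali -d "$domain" -d "*.$domain" || return 1
    "$ACME" --install-cert -d "$domain" \
        --key-file       "$dir/$domain.key" \
        --fullchain-file "$dir/$domain.cer" \
        --reloadcmd      "nginx -t && nginx -s reload"
}

# Entry point, e.g.:  main aaa.cn
main() {
    load_ali_creds "$CRED_FILE" || exit 1
    issue_and_install "$1"
}
```

Source the file and call `main aaa.cn`, or append `main "$1"` and run it as a script. The reload command runs `nginx -t` first so a broken configuration does not take the site down during an unattended renewal.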
ohttps
- https://ohttps.com/
Use the two files it gives you, the private key (cert.key) and the full chain (fullchain.cer), in the nginx configuration below.
Configure nginx. Point `ssl_certificate` at the full chain and `ssl_certificate_key` at the private key; the paths must match what `--key-file` / `--fullchain-file` wrote in the previous step, and the key file should be root-owned with mode 0600. `autoindex on` publishes a listing of everything under `/webapps/cdn`, which is the intent for a file CDN, so put nothing there you would not hand out. The original page also enabled TLS 1.0 and 1.1; both are deprecated (RFC 8996) and are left out here.
```nginx
# cdn service
server {
    listen 443 ssl;
    server_name aaa.bbb.cn;
    root /webapps/cdn;             # directory holding the files
    location / {
        autoindex on;              # directory index
        autoindex_exact_size on;   # show exact file sizes
        autoindex_localtime on;    # show file times in local time
        limit_rate 0;
    }
    # ssl
    ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
    ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2 TLSv1.3;   # the original also listed TLSv1 and TLSv1.1 (deprecated, RFC 8996)
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/aaa.bbb.cn.log;
}
```
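A check for the weak TLS settings this kind of tutorial tends to carry, next to a hardened server block that passes it, as an added example that is not part of the page. The audit reads the `ssl_protocols` and `ssl_ciphers` lines out of an nginx config file; the cipher list in the hardened block is the forward-secret AEAD set, and the function names, paths and the sample config in the test are hypothetical or constructed.

```sh
#!/bin/sh
# Added example, not from the page. audit_nginx_tls flags deprecated protocols and
# catch-all cipher aliases in an nginx config; hardened_server_block prints a block
# that passes. Function names and paths are hypothetical.

# Return 1 (printing each finding) when the config enables SSLv3/TLS 1.0/TLS 1.1 or
# uses a bare cipher alias that admits RSA key exchange (no forward secrecy) or
# CBC suites; return 0 when only TLS 1.2/1.3 and explicit AEAD suites remain.
audit_nginx_tls() {
    conf="$1"; rc=0
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "FAIL: $p enabled (deprecated by RFC 8996)"; rc=1 ;;
        esac
    done
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    # ECDH, AES, HIGH and friends are OpenSSL aliases that expand to every suite they
    # name, including AES256-SHA (RSA key exchange, CBC) and static-ECDH suites.
    if printf ':%s:' "$ciphers" \
       | grep -Eq ':(ECDHE|ECDH|DH|RSA|AES|HIGH|MEDIUM|LOW|SHA|SHA1|ALL|DEFAULT):'; then
        echo "FAIL: ssl_ciphers uses catch-all aliases: $ciphers"; rc=1
    fi
    grep -q 'Strict-Transport-Security' "$conf" || echo "WARN: no HSTS header"
    return $rc
}

# Print a hardened server block for $1 (server name) reading certs from $2.
# Differences from the tutorial's block: TLS 1.2/1.3 only, explicit forward-secret
# AEAD suites, client cipher preference (so clients without AES-NI get ChaCha20),
# a shared session cache, session tickets off, and HSTS.
hardened_server_block() {
    name="$1"; certdir="$2"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $name;
    root /webapps/cdn;

    ssl_certificate     $certdir/fullchain.cer;
    ssl_certificate_key $certdir/cert.key;   # root-owned, mode 0600
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        autoindex on;   # directory listing is intentional for a static file CDN
        limit_rate 0;
    }
    access_log /var/log/nginx/$name.log;
}
EOF
}
```

Run `audit_nginx_tls /etc/nginx/conf.d/cdn.conf` as part of a deploy check; it exits non-zero on the tutorial's original `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and on the `ECDH:AES:HIGH` aliases, and exits zero on the block `hardened_server_block` prints.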