Installing a free HTTPS certificate on Linux, with automatic renewal when it expires
acme.sh
This tool helps us obtain free certificates and renews them automatically when they expire.
Official website: https://github.com/acmesh-official/acme.sh
Introduction
Hi! Today I want to talk to you about how to use acme.sh and Nginx to generate an HTTPS certificate.
First, a brief introduction to acme.sh. acme.sh is an open source certificate application and management tool that helps you easily obtain and automatically renew HTTPS certificates. It is written as a Unix shell script, which makes it very easy to use and deploy. It supports various certificate authorities, including Let's Encrypt, Alibaba Cloud, DigiCert, etc.
Install acme.sh
Enter the home directory
cd ~
Get the script file
curl https://get.acme.sh | sh -s email=my@example.com
Access to GitHub may be restricted in mainland China. In that case, follow the WeChat official account 一颗星宇宙 and send 免费证书 ("free certificate") to get it.
Enter the directory
cd acme.sh
Install
./acme.sh --install -m my@example.com
Create a shortcut command
alias acme.sh=~/.acme.sh/acme.sh
This way, the acme.sh command can be used directly on the server.
Generate a certificate using the Nginx method
Generate the certificate
acme.sh --issue -d mydomain.com --nginx
If the Nginx conf file cannot be found automatically, you can specify one:
acme.sh --issue -d example.com --nginx /etc/nginx/nginx.conf
mydomain.com is your own domain name (a second-level domain, a first-level domain, and so on).
The generated certificate files are in the /root/.acme.sh/mydomain.com/ directory.
View the generated certificate
ls /root/.acme.sh/mydomain.com/
After the certificate is generated, copy it to the specified directory
Once the certificate has been generated, the next step is to copy it to the place where it is actually needed.
Note that the generated certificates are placed in the installation directory, ~/.acme.sh/, by default. Do not use the files in this directory directly; for example, do not point the nginx/apache configuration at them. The files here are for internal use, and the directory structure may change.
The correct way is to use the --install-cert command and specify the target location; the certificate files are then copied to that location. For example:
Nginx example:
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
(A small reminder: service nginx force-reload is used here, not service nginx reload. According to testing, reload does not reload the certificate, so force-reload is used.)
The Nginx ssl_certificate setting should use /etc/nginx/ssl/fullchain.cer instead of /etc/nginx/ssl/<domain>.cer, otherwise the SSL Labs test will report a "Chain issues Incomplete" error.
The --install-cert command accepts many parameters for specifying the target files, and a reloadcmd can be given as well. When the certificate is renewed, reloadcmd is called automatically so that the server picks up the new certificate.
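An added example, not part of the original post or of acme.sh: a shell check for the two mistakes described above, an ssl_certificate or ssl_certificate_key that points into ~/.acme.sh/ and an ssl_certificate file that holds only the leaf certificate. The function names, the finding labels and the sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not acme.sh code): audit an nginx config for the two mistakes above.

# Number of PEM certificate blocks in a file: 1 = leaf only, 2+ = leaf plus chain.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print one finding per line for each ssl_certificate / ssl_certificate_key
# directive in config $1; return 1 if anything was found, 0 if clean.
audit_nginx_certs() {
    findings=0
    directives=$(sed 's/#.*//' "$1" | awk '$1 ~ /^ssl_certificate(_key)?$/ {print $1, $2}')
    while read -r directive path; do
        path=${path%;}
        case $path in
            */.acme.sh/*) echo "INTERNAL_PATH $directive $path"; findings=1 ;;
        esac
        if [ "$directive" = ssl_certificate ]; then
            n=$(count_certs "$path")
            if [ "${n:-0}" -lt 2 ]; then
                echo "INCOMPLETE_CHAIN $path certs=${n:-0}"; findings=1
            fi
        fi
    done <<EOF
$directives
EOF
    return "$findings"
}

# Constructed sample: a temp tree with a leaf-only cert, a two-block chain file and
# two configs. The PEM bodies are dummy text; only the BEGIN markers are counted.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/.acme.sh/example.com" "$d/ssl"
    pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXk=' '-----END CERTIFICATE-----'; }
    pem > "$d/.acme.sh/example.com/example.com.cer"
    { pem; pem; } > "$d/ssl/fullchain.cer"
    printf 'ssl_certificate %s;\nssl_certificate_key %s;\n' \
        "$d/.acme.sh/example.com/example.com.cer" \
        "$d/.acme.sh/example.com/example.com.key" > "$d/bad.conf"
    printf 'ssl_certificate %s;  # installed copy\nssl_certificate_key %s;\n' \
        "$d/ssl/fullchain.cer" "$d/ssl/key.pem" > "$d/good.conf"
    echo "$d"
}

# With a config path as argument, audit it; with none, only define the functions.
if [ "$#" -gt 0 ]; then audit_nginx_certs "$1"; fi
```

The check reads only the file it is given and does not follow nginx include directives, so run it on each file that contains a server block.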
Access
It has succeeded.
In practice, the configured site is served over a secure connection!