Installing a free HTTPS certificate on Linux with automatic renewal on expiry: a money-saving trick

acme.sh can help us obtain free certificates and renew them automatically when they expire.

Official website: https://github.com/acmesh-official/acme.sh

Introduction

Hi! Today I want to talk to you about how to use acme.sh and Nginx to generate an HTTPS certificate.

First, let me give you a brief introduction to acme.sh. acme.sh is an open source certificate application and management tool that helps you obtain and automatically renew HTTPS certificates. It is written as a Unix shell script, which makes it easy to use and deploy. It supports various certificate authorities, including Let's Encrypt, Alibaba Cloud, DigiCert, etc.

Install acme.sh

Enter the home directory

cd ~

Get the script file

curl https://get.acme.sh | sh -s email=[email protected]

Access to GitHub may be restricted in mainland China; in that case, follow the WeChat official account 一颗星宇宙 and send: 免费证书get

Enter the directory

cd acme.sh

Install

./acme.sh --install -m [email protected]

Create a shortcut command

alias acme.sh=~/.acme.sh/acme.sh

In this way, the acme.sh command can be used directly on the server.

Generate the certificate using the Nginx method

Generate the certificate

acme.sh --issue -d mydomain.com --nginx

If the Nginx conf file cannot be found automatically, you can specify one:

acme.sh  --issue  -d example.com  --nginx /etc/nginx/nginx.conf

mydomain.com is your own domain name, whether a second-level or first-level domain name, etc.

The generated certificate files are in the /root/.acme.sh/mydomain.com/ directory.

View the generated certificate

ls /root/.acme.sh/mydomain.com/

After the certificate has been generated, copy it to the specified directory

Once the certificate has been generated, the next step is to copy it to the place where it is actually needed.

Note that the generated certificates are placed in the installation directory, ~/.acme.sh/, by default. Do not use the files in this directory directly; for example, do not point the nginx/apache configuration at them. The files there are for internal use, and the directory structure may change.

The correct approach is to use the --install-cert command and specify the target location; the certificate files will then be copied to that location, for example:

Nginx example:

acme.sh --install-cert -d example.com \
--key-file       /path/to/keyfile/in/nginx/key.pem  \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd     "service nginx force-reload"

(A small reminder: service nginx force-reload is used here, not service nginx reload. According to testing, reload does not reload the certificate, so force-reload is used.)

The Nginx ssl_certificate setting should use /etc/nginx/ssl/fullchain.cer instead of /etc/nginx/ssl/<domain>.cer, otherwise the SSL Labs test will report a "Chain issues: Incomplete" error.

The --install-cert command accepts many parameters to specify the target files, and a reloadcmd can be specified. When the certificate is renewed, reloadcmd is called automatically so that the server picks up the new certificate.
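
A check for the two mistakes described above (pointing Nginx at files inside ~/.acme.sh, and using the leaf-only <domain>.cer instead of the full chain), as an added example that is not from the original post or the acme.sh project. The function names are hypothetical, the sample input is constructed, and it assumes a single conf file with no include directives and no spaces in paths; fewer than two certificates in the file is treated as the sign of a missing chain.

```shell
#!/bin/sh
# Added example: audit an Nginx conf for the two certificate mistakes above.
# Function names and the demo input are constructed for illustration.

# Print every path given to the named directive (e.g. ssl_certificate).
directive_paths() {  # $1 = directive name, $2 = nginx conf file
    awk -v d="$1" '$1 == d { p = $2; sub(/;.*$/, "", p); print p }' "$2"
}

# Count the PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if nothing was found, 1 if any finding was printed.
audit_nginx_tls() {  # $1 = nginx conf file
    conf=$1 findings=0
    for path in $(directive_paths ssl_certificate "$conf") \
                $(directive_paths ssl_certificate_key "$conf"); do
        case $path in
            */.acme.sh/*)
                echo "FINDING: $path is in acme.sh's internal directory; use --install-cert"
                findings=1 ;;
        esac
    done
    for cert in $(directive_paths ssl_certificate "$conf"); do
        if [ ! -r "$cert" ]; then
            echo "FINDING: $cert is missing or unreadable"
            findings=1
        elif [ "$(count_certs "$cert")" -lt 2 ]; then
            echo "FINDING: $cert holds a single certificate; use the fullchain file"
            findings=1
        fi
    done
    return $findings
}

# Demo on constructed input: a one-certificate file stands in for <domain>.cer.
demo=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n' \
    > "$demo/example.com.cer"
printf 'ssl_certificate %s;\n' "$demo/example.com.cer" > "$demo/nginx.conf"
audit_nginx_tls "$demo/nginx.conf" || echo "audit reported findings"
rm -rf "$demo"
```

On a real server, call audit_nginx_tls with the conf file that holds the ssl_certificate lines after running --install-cert.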

Access the site

It works.

The site is now served over a secure connection!

WeChat official account: 一颗星宇宙

Origin blog.csdn.net/A_yonga/article/details/132812200