Applying for a free Let's Encrypt wildcard HTTPS certificate

Note: this tutorial was done on CentOS 7; other Linux distributions are similar. Reference 1, Reference 2 (the renewal operation)

1) Obtain the certificate with acme.sh; strongly recommended
2) Added: obtain the certificate with a Docker image

One, the acme.sh way

1. Obtain acme.sh

curl https://get.acme.sh | sh

A successful installation looks like the screenshot below

image

Note: on CentOS 7, after the installation finished, running acme.sh gave "command not found". If you hit the same problem, close the terminal and log in again, or run the following command:

source ~/.bashrc

2. Start obtaining the certificate

The strength of acme.sh is that it can configure DNS automatically, so you do not have to go to the registrar's console to add the resolution records by hand. My domain is registered at Alibaba Cloud, so the example below uses Alibaba Cloud DNS; for other registrars, refer to the corresponding instructions and adjust accordingly: Portal

Go to the Alibaba Cloud console to obtain the App_Key and App_Secret (portal), then run the following script:

# Replace with the key and secret obtained from the Alibaba Cloud console
export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"
# Replace with your own domain; the wildcard is quoted so the shell cannot glob-expand it against local files
acme.sh --issue --dns dns_ali -d zhuziyu.cn -d '*.zhuziyu.cn'

acme.sh makes the process sleep for 120 seconds while it waits for the DNS record to take effect, so this step takes at least two minutes

image

At this step you are done, congratulations!

The generated certificate is in the directory ~/.acme.sh/domain/

The following is an example of using the certificate in nginx:

# Replace "domain" with your own domain
# The paths below point at acme.sh's working directory; acme.sh can also copy
# the files to a location of your choice with --install-cert
server {
    server_name xx.domain.com;
    listen 443 http2 ssl;
    ssl_certificate /path/.acme.sh/domain/fullchain.cer;
    ssl_certificate_key /path/.acme.sh/domain/domain.key;
    ssl_trusted_certificate  /path/.acme.sh/domain/ca.cer;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:10086;
    }
}

Compared with certbot, acme.sh is more automated: it removes the manual step of going back to the DNS console to change records, and it does not depend on Python. Strongly recommended.

After the first success, acme.sh records the App_Key and App_Secret and creates a scheduled task that runs at 0:00 every day to check for and automatically renew expiring certificates. The key is kept on disk for this, so if that worries you, be careful: you can also delete the user-level scheduled task yourself and clean out the ~/.acme.sh folder.

Two, obtaining the certificate with a Docker image

If you have a Docker environment, you can also use the Docker image to obtain a certificate with a single command:

# Replace domain.cn with your own domain; the wildcard is quoted so the shell cannot glob-expand it
docker run --rm  -it  \
  -v "$(pwd)/out":/acme.sh  \
  -e Ali_Key="xxxxxx" \
  -e Ali_Secret="xxxx" \
  neilpang/acme.sh  --issue --dns dns_ali -d domain.cn -d '*.domain.cn'

When it succeeds, the certificate files are saved in the out folder in the current directory. You can also choose another location by changing "$(pwd)/out" in the first line to the path where you want to save them.

For detailed usage see: Portal

The certificate obtained this way is used exactly as in method one; for other ways of using it, refer to other documentation.

Three, the certbot way to obtain a certificate [not recommended] (it did work for me)

1. Obtain certbot-auto (note: the certbot-auto wrapper has since been deprecated by the Certbot project in favour of its packaged installs; the steps below reflect the state at the time of writing)

# Download
wget https://dl.eff.org/certbot-auto

# Make it executable
chmod a+x certbot-auto

2. Start applying for the certificate

# Note: replace xxx.com with your own domain
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" --manual --preferred-challenges dns-01 certonly

If you have more than one domain rather than a single one, repeat the -d option for each domain in the same command (see the command that covers both the wildcard and the apex domain further below):

# Note: replace xxx.com with your own domain
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" --manual --preferred-challenges dns-01 certonly

After this step it downloads the dependencies it needs; wait a moment and you will be prompted for an email address. Just enter your email; it is used for security alerts and renewal reminders.

image

Note that a wildcard certificate must be validated through DNS. Follow the prompts and add the corresponding DNS TXT record for the domain. After adding it, do not press Enter right away: first run dig xxxx.xxx.com txt to confirm that the record has taken effect, and only then go back and press Enter to confirm.

image

After this step you are done!!! The certificate is stored in /etc/letsencrypt/live/xxx.com/

To renew it, run certbot-auto renew. Note that a certificate issued with --manual and no --manual-auth-hook cannot be renewed unattended: the renewal will ask you to add a new TXT record again.

image

To cover both *.xxxxx.cn and the apex domain xxxxx.cn, two validations are needed, so you will be asked to add two DNS TXT records with two different values:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" -d "xxx.com" --manual --preferred-challenges dns-01 certonly
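Why the apex domain has to be requested alongside the wildcard, for both the acme.sh and the certbot commands above, as an added example that is not from the original post: it applies the one-label wildcard rule of RFC 6125 and turns a list of hostnames into the -d names to request. The zone and hostnames are constructed samples.

```python
import shlex

# Added example (not from the original post): RFC 6125 wildcard matching and a
# helper that maps the hostnames you want to serve onto -d names to request.

def hostname_matches(pattern: str, host: str) -> bool:
    """True if SAN entry `pattern` covers `host` (case-insensitive)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # A wildcard stands for exactly one non-empty leftmost label, so
    # '*.example.com' covers 'www.example.com' but neither 'example.com'
    # (no extra label) nor 'a.b.example.com' (two extra labels).
    suffix = pattern[1:]                     # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def uncovered(san_entries, hostnames):
    """Hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(hostname_matches(p, h) for p in san_entries)]

def names_for_zone(zone, hostnames):
    """Names to pass with -d so every hostname under `zone` is covered:
    the apex if requested, '*.zone' for direct subdomains, and any deeper
    host explicitly, because a wildcard never covers more than one label."""
    zone = zone.lower().rstrip(".")
    names = []
    for h in (x.lower().rstrip(".") for x in hostnames):
        if h == zone:
            name = zone
        elif h.endswith("." + zone):
            rest = h[: -len(zone) - 1]
            name = "*." + zone if "." not in rest else h
        else:
            raise ValueError(f"{h} is not under zone {zone}")
        if name not in names:
            names.append(name)
    return names

def acme_issue_command(zone, hostnames, dns_provider="dns_ali"):
    """Build the acme.sh --issue command; shlex.quote wraps the wildcard in
    quotes so the shell cannot glob-expand '*.zone' against local files."""
    args = ["acme.sh", "--issue", "--dns", dns_provider]
    for name in names_for_zone(zone, hostnames):
        args += ["-d", name]
    return " ".join(shlex.quote(a) for a in args)
```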

image

The following is an example of using the certificate in nginx:

# The certificate paths are placeholders; certbot stores the files under /etc/letsencrypt/live/xxx.com/
server {
    server_name xxx.com;
    listen 443 http2 ssl;
    # "ssl on;" is not needed (and is deprecated) once the listen directive carries "ssl"
    ssl_certificate /etc/cert/xxx.cn/fullchain.pem;
    ssl_certificate_key /etc/cert/xxx.cn/privkey.pem;
    ssl_trusted_certificate  /etc/cert/xxx.cn/chain.pem;

    location / {
      proxy_pass http://127.0.0.1:6666;
    }
}

Origin blog.csdn.net/cfm_gavin/article/details/104816442