Issue Let's Encrypt certificates on CentOS
# host challenge files on Apache for your domain
# Port-80 vhost that exposes the ACME http-01 challenge directory
# (/var/www/challenges/, the --acme-dir the issuing script passes to
# acme-tiny) under the fixed URL path /.well-known/acme-challenge.
# Replace example.domain with the real host name; the Alias path itself
# must not change.
<VirtualHost *:80>
ServerAdmin webmaster@example.com
DocumentRoot /var/www/example.domain
ServerName example.domain
# Add following code to your Apache VirtualHost
Alias "/.well-known/acme-challenge" "/var/www/challenges/"
<Directory "/var/www/challenges/">
# 'Header set' requires mod_headers.  NOTE(review): on Apache 2.4 this
# <Directory> block may also need "Require all granted" when the server
# default denies access outside DocumentRoot — fetch a test file through
# this vhost before running the issuing script.
Header set Content-Type "application/jose+json"
</Directory>
</VirtualHost>
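#!/bin/bash
# easy_letsencrypt.sh — prepare a working directory with a Python >= 2.7
# interpreter, the Let's Encrypt intermediate certificate and the acme-tiny
# client; the remainder of the script then issues a certificate for one
# domain and installs an Apache SSL vhost for it.
#
#   usage: sh easy_letsencrypt.sh -d example.domain
#
# Abort on the first failing command (including inside pipelines) rather
# than carrying on with a half-built toolchain.  -u is not enabled here
# because later code may expand unset positional parameters.
set -e
set -o pipefail

# Keys, CSR, certificates and the generated vhost file all live in
# ./letsencrypt under the directory the script is started from.
if [ ! -d "letsencrypt" ]; then
  mkdir letsencrypt
fi
cd letsencrypt || exit 1
pwd
ls

# Major+minor of the default 'python' as a two-digit integer ("2.7" -> 27).
# Python 2 prints its version on stderr, hence 2>&1.  When 'python' is
# missing the pipeline yields the shell's error text instead of a number, so
# anything non-numeric is mapped to 0: that forces the build below instead
# of crashing the integer comparison.
PYVER=$(python --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//') || PYVER=0
case "$PYVER" in
  ''|*[!0-9]*) PYVER=0 ;;
esac
# NOTE(review): a Python 3 interpreter (e.g. "3.6" -> 36) also passes this
# test; whether the acme-tiny checkout below runs on it is not checked here.
if [ "$PYVER" -lt 27 ] ; then
  # Build CPython 2.7.9 from source into /usr/local.  The tarball is fetched
  # over HTTPS but neither its checksum nor its GPG signature is verified
  # here; compare it against the release signature published by python.org
  # before trusting the resulting interpreter.
  wget https://www.python.org/ftp/python/2.7.9/Python-2.7.9.tar.xz
  xz -d Python-2.7.9.tar.xz
  tar -xvf Python-2.7.9.tar
  cd Python-2.7.9 || exit 1
  ./configure --prefix=/usr/local
  make
  make install
  python -V
  cd .. || exit 1
fi

# The intermediate is hard-coded to the X1 cross-signed certificate.  It has
# to be the issuer of the certificate the CA actually returns, otherwise the
# chain installed later is wrong.  Download to a temporary name so a failed
# or partial transfer cannot leave a bogus intermediate.pem that the
# "-f" check would then accept forever.
if [ ! -f "intermediate.pem" ]; then
  if curl -fsS -o intermediate.pem.part https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem; then
    mv -f -- intermediate.pem.part intermediate.pem
  else
    rm -f -- intermediate.pem.part
    printf 'error: could not download intermediate certificate\n' >&2
    exit 1
  fi
fi

# acme-tiny is the ACME client that is later run with access to account.key.
# The clone is unpinned: check out and review a specific tag or commit before
# running it against a production account key.
if [ ! -d "acme-tiny" ]; then
  git clone https://github.com/diafygi/acme-tiny
  #cd acme-tiny/
fi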
# Print the command-line synopsis to stdout.
usage() {
  printf '%s\n' "usage: sh easy_letsencrypt.sh -d example.domain"
}
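# ---- Issue the certificate for one domain and install the vhost ----------
# Stop on the first failing step; a partially issued certificate must never
# reach httpd.
set -e

# The domain name ends up in file names, in the CSR subject and inside the
# generated Apache configuration, so it is restricted to host-name
# characters before use.  "-d" without a value is rejected instead of
# silently producing files called ".key", ".csr", ...
domain=example.domain
while [ $# -gt 0 ]; do
  case "$1" in
    -d)
      if [ $# -lt 2 ]; then
        usage
        exit 1
      fi
      domain=$2
      shift
      ;;
    *)
      usage
      exit 1
      ;;
  esac
  shift
done
case "$domain" in
  ''|*[!A-Za-z0-9.-]*|.*|-*)
    printf 'error: "%s" is not a valid host name\n' "$domain" >&2
    exit 1
    ;;
esac

# Private keys are created under umask 077 so they are never readable by
# other users, not even briefly; httpd is expected to read them as root.
if [ ! -f "account.key" ]; then
  (umask 077 && openssl genrsa 4096 > account.key)
fi
domain_key="$domain.key"
if [ ! -f "$domain_key" ]; then
  (umask 077 && openssl genrsa 4096 > "$domain_key")
fi

# Single-name CSR; the commented variant shows how to request several names
# (SAN) instead.
domain_csr="$domain.csr"
if [ ! -f "$domain_csr" ]; then
  openssl req -new -sha256 -key "$domain_key" -subj "/CN=$domain" > "$domain_csr"
  #openssl req -new -sha256 -key $domain_key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > $domain_csr
fi

# acme-tiny writes the http-01 challenge responses here; the port-80 vhost
# must serve this directory at /.well-known/acme-challenge.
mkdir -p /var/www/challenges/

# Write the signed certificate to a temporary file first: if acme-tiny
# fails, a plain redirect would leave an empty $domain_crt behind and the
# broken chain would be installed and httpd restarted with it.
domain_crt="$domain.crt"
tmp_crt=$(mktemp "./$domain_crt.XXXXXX")
if ! python acme-tiny/acme_tiny.py --account-key ./account.key --csr "./$domain_csr" --acme-dir /var/www/challenges/ > "$tmp_crt"; then
  rm -f -- "$tmp_crt"
  printf 'error: certificate issuance for %s failed; nothing installed\n' "$domain" >&2
  exit 1
fi
mv -f -- "$tmp_crt" "$domain_crt"
# mktemp creates 0600 files; the certificate is public, keep it readable.
chmod 644 -- "$domain_crt"

# Leaf certificate followed by the intermediate.
domain_pem="$domain.pem"
cat -- "$domain_crt" intermediate.pem > "$domain_pem"

# Absolute paths for the vhost file; the files stay in the working
# directory rather than being copied into /etc.
SSLCertificateFile="$PWD/$domain_crt"
SSLCertificateKeyFile="$PWD/$domain_key"
SSLCertificateChainFile="$PWD/$domain_pem"

domain_ssl_conf="$domain.ssl.conf"
# The previous version removed the literal file name "domain_ssl_conf"
# (missing '$'); the here-document truncates the real file anyway, so this
# is kept only for clarity.
rm -f -- "$domain_ssl_conf"
# NOTE(review): the generated SSLProtocol line still permits TLSv1.0/1.1,
# and the chain file also contains the leaf certificate.  A current
# deployment would add "-TLSv1 -TLSv1.1" and point SSLCertificateFile at
# the combined file instead — verify what the installed httpd sends.
cat << EOF > "$domain_ssl_conf"
<VirtualHost *:443>
DocumentRoot /var/www/$domain
ServerName $domain
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol All -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLEngine On
SSLCertificateFile $SSLCertificateFile
SSLCertificateKeyFile $SSLCertificateKeyFile
SSLCertificateChainFile $SSLCertificateChainFile
</VirtualHost>
EOF

cp -f -- "$domain_ssl_conf" "/etc/httpd/conf.d/$domain_ssl_conf"
# Validate the merged configuration before restarting so a bad vhost file
# cannot take the running server down.  On failure the just-copied file is
# removed again; the copy in the working directory is kept for inspection.
if ! apachectl configtest; then
  rm -f -- "/etc/httpd/conf.d/$domain_ssl_conf"
  printf 'error: httpd configuration test failed; %s not installed\n' "$domain_ssl_conf" >&2
  exit 1
fi
service httpd restart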
# Port-443 vhost as produced by the issuing script for example.domain.
# The /root/letsencrypt paths are presumably the script's working
# directory when it was run: the private key, the signed certificate and
# the certificate+intermediate bundle it wrote there — confirm against the
# actual run.
<VirtualHost *:443>
DocumentRoot /var/www/example.domain
ServerName example.domain
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
# NOTE(review): this still permits TLSv1.0 and TLSv1.1; add "-TLSv1 -TLSv1.1"
# once no client depends on them.
SSLProtocol All -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4
# Server-preferred ordering: the first suite in the list the client also
# offers wins.  "EECDH+aRSA+RC4" appears in the list but "!RC4" later
# removes it, so no RC4 suite can be negotiated.
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLEngine On
# The key file must be readable by root only.  NOTE(review): the chain file
# below is leaf + intermediate concatenated, so check that the server does
# not present the leaf certificate twice.
SSLCertificateFile /root/letsencrypt/example.domain.crt
SSLCertificateKeyFile /root/letsencrypt/example.domain.key
SSLCertificateChainFile /root/letsencrypt/example.domain.pem
</VirtualHost>