hitme/lets_encrypt

## lets_encrypt
courtesy to https://foofish.net/https-free-for-lets-encrypt.html

第一步：创建 Let's Encrypt 账号
openssl genrsa 4096 > account.key
第二步：创建域名的CSR（CERTIFICATE SIGNING REQUEST）
#创建普通域名私钥
openssl genrsa 4096 > domain.key
#单个域名
openssl req -new -sha256 -key domain.key -subj "/CN=foofish.net" > domain.csr

#多个域名(如果你有多个域名，比如：www.foofish.net和foofish.net，使用这种方式)
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:foofish.net,DNS:www.foofish.net")) > domain.csr
第三步：配置域名验证
mkdir -p var/www/challenges
#配置一个 HTTP 服务
server {
    listen 80;
    server_name www.foofish.net foofish.net;

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }
}
第四步：获取网站证书
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
第五步：安装证书
#Nginx追加一个Let's Encrypt的中间证书
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
server {
    listen 443;
    server_name foofish.net, www.foofish.net;

    ssl on;
    ssl_certificate /path/to/chained.pem;
    ssl_certificate_key /path/to/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
}

第六步：定期更新
#renew_cert.sh
#!/usr/bin/sh
python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
service nginx reload
#crontab配置
#每个月执行一次
0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log

#更新
https://awen.me/post/6147.html
	courtesy to https://foofish.net/https-free-for-lets-encrypt.html

	第一步：创建 Let's Encrypt 账号
	openssl genrsa 4096 > account.key
	第二步：创建域名的CSR（CERTIFICATE SIGNING REQUEST）
	#创建普通域名私钥
	openssl genrsa 4096 > domain.key
	#单个域名
	openssl req -new -sha256 -key domain.key -subj "/CN=foofish.net" > domain.csr

	#多个域名(如果你有多个域名，比如：www.foofish.net和foofish.net，使用这种方式)
	openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:foofish.net,DNS:www.foofish.net")) > domain.csr
	第三步：配置域名验证
	mkdir -p var/www/challenges
	#配置一个 HTTP 服务
	server {
	listen 80;
	server_name www.foofish.net foofish.net;

	location ^~ /.well-known/acme-challenge/ {
	alias /var/www/challenges/;
	try_files $uri =404;
	}
	}
	第四步：获取网站证书
	wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
	python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
	第五步：安装证书
	#Nginx追加一个Let's Encrypt的中间证书
	wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
	cat signed.crt intermediate.pem > chained.pem
	server {
	listen 443;
	server_name foofish.net, www.foofish.net;

	ssl on;
	ssl_certificate /path/to/chained.pem;
	ssl_certificate_key /path/to/domain.key;
	ssl_session_timeout 5m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
	ssl_session_cache shared:SSL:50m;
	ssl_prefer_server_ciphers on;
	}

	第六步：定期更新
	#renew_cert.sh
	#!/usr/bin/sh
	python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt \|\| exit
	wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
	cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
	service nginx reload
	#crontab配置
	#每个月执行一次
	0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log

	#更新
	https://awen.me/post/6147.html