
Let’s Encrypt is a free, automated, and open certificate authority (CA) provided by the non-profit Internet Security Research Group (ISRG). In short, certificates issued by Let’s Encrypt enable HTTPS (SSL/TLS) for your site at no cost.

  • letsencrypt.org/zh-cn/docs/

The client

Let’s Encrypt uses the ACME protocol to verify your control over a given domain name and issue you a certificate. To obtain a Let’s Encrypt certificate, you need to choose an ACME client. Let’s Encrypt does not control or review third-party clients and cannot guarantee their security or reliability.

There are several clients you can use to apply for certificates:

  • Letsencrypt.org/zh-cn/docs/…

certbot

It can either just get the certificate for you or help you install the certificate if you need it. It is easy to use, works on many operating systems, and has excellent documentation.

certbot.eff.org/

acme.sh

acme.sh is a pure shell script ACME client. It is simple to use and can automatically issue and renew free Let’s Encrypt certificates.

  • Github.com/acmesh-offi…

Install acme.sh

1. Automatic installation

curl https://get.acme.sh | sh

This may fail if the network is unreliable. Because it runs a script fetched over the network directly in your shell, you may prefer the manual installation below, which lets you read the script before running it.

2. Install it manually

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install

The installation process is as follows:

  1. By default, acme.sh is installed into the .acme.sh folder in the current user's $HOME directory, that is, ~/.acme.sh/. Certificates it issues are stored there as well.

  2. An alias acme.sh=~/.acme.sh/acme.sh is added to your shell configuration (~/.bashrc), so you can run the acme.sh command directly.

  3. A scheduled cron job is created automatically. It checks all certificates at 00:00 every day and renews any that are about to expire:

    # All certificates are checked at 00:00 every day; any that are close to expiry are renewed automatically
    0 0 * * * /root/.acme.sh/acme.sh --cron --home /root/.acme.sh > /dev/null

3. Check whether the installation is successful

user@owen-ubuntu:~$ acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8

If the version information is displayed, the environment is set up correctly. If the command is not found, run source ~/.bashrc to reload the shell configuration file.

The entire installation process does not pollute any existing system functions and files. All changes are restricted to the installation directory ~/.acme.sh/.

Use acme.sh to generate a certificate

1. The HTTP method

The HTTP method requires you to place a file in the root directory of your website to prove ownership of the domain name. To complete the validation, you only need to specify the domain name and the web root directory of the site that serves it. acme.sh generates the validation file, puts it in the web root, and completes the validation automatically. This approach is best suited to sites served under their own domain name, such as a blog.

./acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

--issue is the acme.sh command for issuing a certificate; -d is short for --domain and is followed by a registered domain name (repeat it for each name the certificate should cover); -w is short for --webroot and must be followed by the root directory of the website.

Example:

./acme.sh --issue -d devopsing.site -d www.devopsing.site --webroot /var/www/html/blog/

If the command succeeds, the following certificate files are generated by default:

root@ecs-ubuntu18:/etc/nginx/sites-available# ls ~/.acme.sh/devopsing.site/ -l
total 28
-rw-r--r-- 1 root root 1587 Dec 16 12:34 ca.cer
-rw-r--r-- 1 root root 1866 Dec 16 12:34 devopsing.site.cer
-rw-r--r-- 1 root root  642 Dec 16 12:34 devopsing.site.conf
-rw-r--r-- 1 root root 1001 Dec 16 12:33 devopsing.site.csr
-rw-r--r-- 1 root root  232 Dec 16 12:33 devopsing.site.csr.conf
-rw-r--r-- 1 root root 1679 Dec 16 12:33 devopsing.site.key
-rw-r--r-- 1 root root 3453 Dec 16 12:34 fullchain.cer

If you are using an Apache or nginx server, acme.sh can also work out the validation directory from the web server configuration, so you do not need to specify the site root:

acme.sh --issue -d mydomain.com --apache

acme.sh --issue -d mydomain.com --nginx

2. The DNS method

Suitable for generating wildcard certificates.

Advantages: you do not need a server or a public IP address, only the ability to add DNS records. Disadvantages: unless you configure a DNS API, acme.sh cannot renew the certificate automatically, and you have to prove domain ownership again by manually adding a new DNS record.

1. Request the certificate

  • Github.com/acmesh-offi…

Note that the first run uses --issue, with -d specifying the domain name the certificate is for:

./acme.sh --issue -d *.example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Parameter Description:

--dns [dns_hook]    Use dns manual mode or dns api. Defaults to manual mode when argument is omitted.

--yes-I-know-dns-manual-mode-enough-go-ahead-please  Force use of dns manual mode.
See:  https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

2. Manually add TXT records in domain name resolution

When a domain name is requested for the first time, the following output is displayed. You need to add the TXT record to the domain's DNS to prove that you control the domain name:

[Wed Dec 16 16:04:49 CST 2020] Add the following TXT record:
[Wed Dec 16 16:04:49 CST 2020] Domain: '_acme-challenge.devopsing.site'
[Wed Dec 16 16:04:49 CST 2020] TXT value: '-jEWdpI**************EVh01_a3ywrW426wmppjuDqXOs'
[Wed Dec 16 16:04:49 CST 2020] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec 16 16:04:49 CST 2020] so the resulting subdomain will be: _acme-challenge.devopsing.site
[Wed Dec 16 16:04:49 CST 2020] Please add the TXT records to the domains, and re-run with --renew.
[Wed Dec 16 16:04:49 CST 2020] Please add '--debug' or '--log' to check more details.
[Wed Dec 16 16:04:49 CST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Verify that the TXT record resolves

user@owen-ubuntu:~$ nslookup -q=TXT _acme-challenge.devopsing.site
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
_acme-challenge.devopsing.site  text = "-jEWdpI****************1_a3ywrW426wmppjuDqXOs"

Authoritative answers can be found from:

3. Generate the certificate again

Note that the second run uses --renew:

./acme.sh --renew -d *.example.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

Example:

./acme.sh --issue -d *.devopsing.site --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

root@ecs-ubuntu18:/var/log/nginx# ls ~/.acme.sh/\*.devopsing.site/ -l
total 28
-rw-r--r-- 1 root root 1587 Dec 16 16:09  ca.cer
-rw-r--r-- 1 root root 1846 Dec 16 16:09 '*.devopsing.site.cer'
-rw-r--r-- 1 root root  613 Dec 16 16:09 '*.devopsing.site.conf'
-rw-r--r-- 1 root root  980 Dec 16 16:09 '*.devopsing.site.csr'
-rw-r--r-- 1 root root  211 Dec 16 16:09 '*.devopsing.site.csr.conf'
-rw-r--r-- 1 root root 1679 Dec 16 16:04 '*.devopsing.site.key'
-rw-r--r-- 1 root root 3433 Dec 16 16:09  fullchain.cer
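In manual DNS mode the second run only succeeds once the _acme-challenge TXT record is actually visible. The following script is an added example, not part of acme.sh or the original post: it polls for the TXT value printed by the first run and only then runs --renew. It assumes nslookup is installed; the domain, the TXT value and the ACME path are placeholders.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): for DNS manual mode, poll for the
# _acme-challenge TXT record that "--issue ... --dns" asked you to add and run
# "--renew" only once the record is visible, so the challenge does not fail
# because the record has not propagated yet. Names and paths are placeholders.

# Print every TXT string value found in nslookup-style output read from stdin.
extract_txt() {
    sed -n 's/.*text = "\([^"]*\)".*/\1/p'
}

# Query the TXT records of a name (LOOKUP can point at a different resolver function).
lookup_txt() {
    nslookup -q=TXT "$1" 2>/dev/null
}

# 0 when the expected value is one of the TXT strings published for the name.
txt_present() {
    "${LOOKUP:-lookup_txt}" "$1" | extract_txt | grep -qxF -- "$2"
}

# Poll up to $3 times, sleeping $4 seconds between attempts (defaults 20 / 30).
wait_for_txt() {
    name="$1" expected="$2" max_tries="${3:-20}" sleep_s="${4:-30}"
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        txt_present "$name" "$expected" && return 0
        i=$((i + 1))
        sleep "$sleep_s"
    done
    return 1
}

# Usage (placeholders): ./renew_after_txt.sh example.com '<TXT value from --issue>'
main() {
    domain="$1" txt_value="$2"
    acme="${ACME:-$HOME/.acme.sh/acme.sh}"
    if wait_for_txt "_acme-challenge.$domain" "$txt_value"; then
        "$acme" --renew -d "*.$domain" --yes-I-know-dns-manual-mode-enough-go-ahead-please
    else
        echo "TXT record for _acme-challenge.$domain is still not visible" >&2
        exit 1
    fi
}
# Run main only when executed under the script name above (not when sourced).
case "${0##*/}" in renew_after_txt.sh) main "$@" ;; esac
```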

4. Apply for certificates in DNS API mode (automatic update is supported)

The real power of DNS is the ability to automatically add TXT records for validation using the API provided by domain name resolvers. Acme.sh currently supports automatic integration with dozens of resolvers, including CloudFlare, DNspod, CloudXNS, GoDaddy, and OVH.

  • Github.com/acmesh-offi…

Aliyun DNS API

First obtain an AccessKey ID and AccessKey Secret for the Alibaba Cloud API. acme.sh records them in ~/.acme.sh/account.conf so that later renewals can reuse them; protect that file like any other secret and prefer a key that is limited to DNS record management.

export Ali_Key="key ID"
export Ali_Secret="key Secret"
# The key ID and secret are saved automatically, so you do not need to export them again on later runs

acme.sh --issue --dns dns_ali -d *.example.com --force

Example:

export Ali_Key="LTAI4F****i8qEeKeRios2r"
export Ali_Secret="nIpymix0s****a0bJNgERE0QzjSrkF"
acme.sh --issue --dns dns_ali -d *.devopsing.site --force

DnsPod API

export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
acme.sh --issue --dns dns_dp -d *.example.com

View or delete certificates

View the installed certificates: acme.sh --list

Remove a certificate: acme.sh remove <domain>

user@ecs-ubuntu18:~$ acme.sh remove devopsing.site
[Thu Dec 17 14:05:53 CST 2020] devopsing.site is removed, the key and cert files are in /home/user/.acme.sh/devopsing.site
[Thu Dec 17 14:05:53 CST 2020] You can remove them by yourself.

Use acme.sh to install the certificate

The certificates generated above are placed in the ~/.acme.sh/ directory. Use the --installcert command to specify the destination and copy the certificate files to the location your web server reads them from.

Nginx sample

acme.sh --installcert -d <domain>.com \
--key-file /etc/nginx/ssl/<domain>.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd "service nginx force-reload"

If you want the new certificate to be loaded immediately, pass --reloadcmd "service nginx force-reload". However, because nginx setups differ, many people prefer to reload nginx manually instead.

Note: in the nginx configuration, ssl_certificate should point at /etc/nginx/ssl/fullchain.cer rather than /etc/nginx/ssl/<domain>.cer. Otherwise the server sends only the leaf certificate and the SSL Labs test reports an Incomplete Chain issue.

server {
        listen 443 ssl;
        server_name demo.com;

        # "ssl on;" is not needed when "listen 443 ssl" is used, and it is deprecated in current nginx releases
        ssl_certificate      /etc/nginx/ssl/fullchain.cer;
        ssl_certificate_key  /etc/nginx/ssl/<domain>.key;
}
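A guard script like the following, added here as an example and not part of acme.sh or nginx, can be used as the --reloadcmd: it refuses to reload nginx when the deployed chain file contains only the leaf certificate (the Incomplete Chain case above) or when the private key is readable by other users. All file paths and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not acme.sh's or nginx's own code): a guard script to use as
# --reloadcmd. It refuses to reload nginx when the deployed chain file holds only
# the leaf certificate (the "Incomplete Chain" case SSL Labs reports) or when
# the private key is readable by group or others. All paths are placeholders.

# Number of PEM certificate blocks in a file (0 if missing or unreadable).
pem_count() {
    c=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${c:-0}"
}

# First PEM block of a file (in a fullchain file this is the leaf certificate).
first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if (p) exit}' "$1"
}

# 0 when the chain file contains the leaf plus at least one intermediate and
# its first certificate is the same leaf that acme.sh issued (given as $2).
check_chain() {
    [ "$(pem_count "$1")" -ge 2 ] || return 1
    [ "$(first_pem "$1")" = "$(first_pem "$2")" ] || return 2
    return 0
}

# 0 when the key's mode grants nothing to group or others (600, 400, 700).
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage as --reloadcmd (placeholder paths):
#   --reloadcmd "/usr/local/bin/reload_nginx.sh /etc/nginx/ssl/fullchain.cer \
#       /root/.acme.sh/example.com/example.com.cer /etc/nginx/ssl/example.com.key"
main() {
    check_chain "$1" "$2" || { echo "refusing reload: $1 is not a full chain for $2" >&2; exit 1; }
    check_key_perms "$3" || { echo "refusing reload: $3 is readable by group/others" >&2; exit 1; }
    nginx -t && service nginx force-reload
}
# Run main only when executed under the script name above (not when sourced).
case "${0##*/}" in reload_nginx.sh) main "$@" ;; esac
```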

Apache sample

./acme.sh --install-cert -d *.example.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"

Update the certificate

Let’s Encrypt certificates are currently valid for 90 days, and the cron job renews them automatically without any action on your part. You can also force a renewal:

acme.sh --renew -d example.com --force

Note: a certificate obtained by manually adding DNS records cannot be renewed automatically. A certificate obtained through a DNS API is renewed automatically when it is due, with no manual action.

To run the renewal task immediately and force it: acme.sh --cron -f

Update acme.sh

Both the ACME protocol and the Let’s Encrypt CA change frequently, so acme.sh is updated frequently to keep in sync.

Manual update: acme.sh --upgrade

To enable automatic upgrades, run acme.sh --upgrade --auto-upgrade

To disable automatic upgrades, run acme.sh --upgrade --auto-upgrade 0

Uninstall acme.sh

user@owen-ubuntu:~$ acme.sh --uninstall
[Fri Dec 18 15:55:11 CST 2020] Removing cron job
[Fri Dec 18 15:55:11 CST 2020] LE_WORKING_DIR='/home/user/.acme.sh'
[Fri Dec 18 15:55:11 CST 2020] Uninstalling alias from: '/home/user/.bashrc'
[Fri Dec 18 15:55:11 CST 2020] The keys and certs are in "/home/user/.acme.sh", you can remove them by yourself.