Requirements
Our company's core business is building personal websites, each on its own domain name, for photographers.
For security, and because it makes the sites look more professional, we want every personal site served over HTTPS.
Since 2017 the major certificate vendors have offered free DV certificates, so in principle this costs nothing.
However, Alibaba Cloud allows only 20 free SSL certificates per account, and Tencent Cloud only 50.
Even after using up the free quota on every platform it is still not enough, so we fall back to Let's Encrypt, repeatedly applying for certificates through SSLForFree.
The biggest drawback of a Let's Encrypt certificate is that it is valid for only 90 days, which creates tedious, repetitive renewal work later on.
How to automate this process with tooling is the problem this article solves.
About acme.sh
ACME is the Automatic Certificate Management Environment protocol. acme.sh is a shell client for it that, on Linux, can:
- automatically request a certificate from Let's Encrypt;
- automatically call the DNS API of each major cloud platform to create the TXT record needed for the DNS-01 challenge;
- automatically deploy the certificate to nginx once it is issued;
- use a scheduled job to renew certificates every 60 days and redeploy them automatically.
Procedure
Deployment environment: Ubuntu 14.06 with nginx; the domain names are registered and resolved at Aliyun (Alibaba Cloud).
Install acme.sh
$ curl https://get.acme.sh | sh
or
$ wget -O - https://get.acme.sh | sh
Note that piping a remote script straight into sh executes whatever the server sends, unreviewed, as the current user; if that matters to you, download the script first, read it, then run it. Run the installer as the user that will later reload nginx, because the reload command runs with that user's privileges.
The automatic installer performs the following steps:
- copies the script to ~/.acme.sh/
- creates the alias acme.sh=~/.acme.sh/acme.sh in your shell profile
- installs a daily cron job that checks every managed certificate and renews those that are due
Configure Alibaba Cloud DNS
Run the following commands to set the AccessKey ID and secret for the Alibaba Cloud API; the values are found in the Alibaba Cloud console.
$ export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
$ export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"
acme.sh saves these two values permanently in ~/.acme.sh/account.conf, so they only need to be exported for the first run. Because that file then holds long-lived cloud credentials, use a RAM sub-account key that is limited to AliDNS permissions rather than the root account key, and keep the file readable only by its owner (chmod 600).
Request a certificate for the domain name
Run the following command to request a certificate. The dns_ali hook creates the challenge TXT record through the Alibaba Cloud API, waits for the validation to complete, and then removes the record.
$ acme.sh --issue --dns dns_ali -d www.example.com
After a successful request the certificate is stored in the ~/.acme.sh/www.example.com/ directory.
Deploy the certificate to nginx
Run the following command to copy the certificate to the paths nginx reads and reload nginx.
$ acme.sh --install-cert -d www.example.com \
--key-file /path/to/keyfile/in/nginx/key.key \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "nginx -s reload"
The parameters of this command are saved in ~/.acme.sh/www.example.com/www.example.com.conf, so when the cron job renews the certificate it reinstalls it to the same paths and runs the reload command again. Point nginx at these installed copies, not at the files under ~/.acme.sh, because that directory is internal to acme.sh and its layout may change.
Configure nginx
In the nginx configuration file, add the following server block. The original used `ssl on;` together with `listen 80;`, which makes nginx expect TLS on port 80 as well; `listen 443 ssl;` enables TLS on the HTTPS port only. It also listed TLSv1 and TLSv1.1, which are deprecated and are dropped here. The `ssl_certificate` and `ssl_certificate_key` paths must be exactly the files given to --fullchain-file and --key-file above.
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate ./www.example.com.pem;
    ssl_certificate_key ./www.example.com.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:20m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }
}
Invocation
Deploy a small NodeJS service on the server; its API endpoint runs the corresponding script, which performs the certificate request and deployment for the new domain name. Since the domain name arrives from an HTTP request, validate it before it reaches a command line.
From then on acme.sh renews the certificate on its own.
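The script below is an added example, not code from the original article or from acme.sh, of the wrapper that the NodeJS service would invoke for a new domain. It validates the domain name (so a value such as `-d` or `x.com;rm -rf /` never reaches acme.sh as an argument) and then runs the same --issue and --install-cert commands shown in the procedure above. The certificate directory /etc/nginx/certs and the ACME environment override are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article or acme.sh): provision a
# certificate for one domain the way the NodeJS service would call it.
set -eu

# Location of acme.sh; overridable so the script can be exercised without
# contacting Let's Encrypt (assumed for the example, not an acme.sh feature).
: "${ACME:=$HOME/.acme.sh/acme.sh}"
# Directory where nginx reads certificates (assumed layout).
: "${CERT_DIR:=/etc/nginx/certs}"

# Return 0 if $1 is a plain hostname (letters, digits, dots, hyphens; labels
# of 1-63 chars not starting or ending with a hyphen; at most 253 chars),
# otherwise 1. Anything starting with "-" is rejected so it cannot be
# parsed as an option, and shell metacharacters are not in the allowed set.
valid_hostname() {
  case "$1" in
    ''|-*|.*|*.|*..*|*[!a-zA-Z0-9.-]*) return 1 ;;
  esac
  [ ${#1} -le 253 ] || return 1
  old_ifs=$IFS
  IFS=.
  for label in $1; do
    case "$label" in
      -*|*-) IFS=$old_ifs; return 1 ;;
    esac
    [ ${#label} -le 63 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  return 0
}

# Issue via the dns_ali hook and install into nginx: the two commands from
# the article, run only after the domain has passed validation.
provision_cert() {
  domain=$1
  if ! valid_hostname "$domain"; then
    echo "refusing invalid domain name: $domain" >&2
    return 2
  fi
  "$ACME" --issue --dns dns_ali -d "$domain"
  "$ACME" --install-cert -d "$domain" \
    --key-file "$CERT_DIR/$domain.key" \
    --fullchain-file "$CERT_DIR/$domain.pem" \
    --reloadcmd "nginx -s reload"
}

# Command-line use: ./provision.sh www.example.com
[ $# -eq 0 ] || provision_cert "$1"
```

The NodeJS service should spawn this script with the domain as a single argument (execFile-style, not through a shell string), so the validation here is the last line of defence rather than the only one. Because --install-cert records its paths in the per-domain .conf file, later renewals by the cron job need no involvement from the service.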