Requirements

One of the company's most important lines of business is building personal websites, each under its own domain name, for photographers.

For security, and to make the sites look more professional, we serve these personal websites over SSL.

Since 2017 the major certificate vendors have offered free DV certificates, so this can be done at zero cost.

However, Ali Cloud allows only 20 free SSL certificates per account, and Tencent Cloud somewhat more, 50.

Even after collecting every free certificate each platform hands out, it is still not enough, so you end up going back to Let’s Encrypt and repeatedly applying for certificates through SSLForFree.

The single biggest shortcoming of these certificates is that they are valid for only 90 days, which turns renewal into tedious, repetitive work later on.

How to automate this process with tooling is the problem this article solves.

About acme.sh

ACME stands for Automatic Certificate Management Environment. On Linux, the acme.sh client can do the following:

  1. Automatically apply for a certificate from Let’s Encrypt;
  2. Automatically call the API of each major cloud platform to create the TXT record used for DNS validation;
  3. Automatically deploy the certificate to Nginx once it is issued;
  4. Use a timer to renew certificates automatically every 60 days and redeploy them.

Process

Deployment environment: Ubuntu 14.06 + nginx; the domain name is registered and resolved at Aliyun.

Install acme.sh

$ curl https://get.acme.sh | sh

or

$ wget -O -  https://get.acme.sh | sh

This automated installation performs the following steps:

  1. Copy the sh script to ~/.acme.sh/
  2. Create the alias acme.sh=~/.acme.sh/acme.sh
  3. Start the renewal timer

Configure Ali Cloud DNS resolution

Run the following commands to configure the key and secret for the Ali Cloud API; the values can be found in the Ali Cloud console.

$ export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
$ export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"

These two settings are saved permanently in the file ~/.acme.sh/account.conf.

Apply for a certificate for the domain name

Run the following command to apply for a certificate.

$ acme.sh --issue --dns dns_ali -d www.example.com

After the application succeeds, the certificate is saved in the ~/.acme.sh/www.example.com directory.

Deploy certificates to nginx

Run the following command to automatically deploy the certificate to nginx.

$ acme.sh --install-cert -d www.example.com \
  --key-file       /path/to/keyfile/in/nginx/key.key  \
  --fullchain-file /path/to/fullchain/nginx/cert.pem \
  --reloadcmd     "nginx -s reload"

The parameters of this command are saved automatically in the www.example.com.conf file inside the ~/.acme.sh/www.example.com directory, so that when the timer renews the certificate it can redeploy it automatically.

Configure nginx

In the nginx configuration file, add the following:

server {
    listen 80;
    listen 443;
    server_name www.example.com;

    ssl on;
    # the files written by acme.sh --install-cert
    ssl_certificate     ./www.example.com.pem;
    ssl_certificate_key ./www.example.com.key;
    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:20m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # forward to the site's application server
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }
}

How it is invoked

A small NodeJS service runs on the server; calling its API runs the corresponding script, which applies for and deploys the certificate for a new domain name.

From then on, acme.sh renews the certificate on its own.
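As an added example (not code from the original post), here is a hypothetical shell wrapper that the NodeJS service could call for a new domain: it validates the domain name before it reaches the shell, since the value arrives in an API request, and then runs the issue and install-cert steps from above with per-domain file paths. The acme.sh location, the /etc/nginx/ssl directory and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper: issue a certificate via Ali DNS validation and deploy it to nginx.
# Usage: ./issue_and_deploy.sh www.example.com
set -eu

ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"   # assumed default install path of acme.sh
CERT_ROOT="${CERT_ROOT:-/etc/nginx/ssl}"          # assumed per-domain certificate directory
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print the commands instead of running them

# Accept only a well-formed lowercase hostname (labels of 1-63 chars, at least one dot,
# at most 253 chars). The domain comes from an API request, so it must never reach the
# shell unvalidated.
validate_domain() {
  d=$1
  [ "${#d}" -le 253 ] || return 1
  printf '%s\n' "$d" |
    grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$'
}

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Issue the certificate, install it under CERT_ROOT/<domain>/ and reload nginx.
issue_and_deploy() {
  domain=$1
  validate_domain "$domain" || { echo "rejected domain name: $domain" >&2; return 2; }
  dir="$CERT_ROOT/$domain"
  run mkdir -p "$dir"
  run "$ACME" --issue --dns dns_ali -d "$domain"
  run "$ACME" --install-cert -d "$domain" \
      --key-file "$dir/$domain.key" \
      --fullchain-file "$dir/$domain.pem" \
      --reloadcmd "nginx -s reload"
}

if [ "$#" -gt 0 ]; then
  issue_and_deploy "$1"
fi
```

The nginx server block for the new domain then points ssl_certificate and ssl_certificate_key at the files under /etc/nginx/ssl/<domain>/.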