1. Install acme.sh
curl https://get.acme.sh | sh
Reload .bashrc:
source ~/.bashrc
2. Generate a certificate
acme.sh supports two modes for verifying domain name ownership: HTTP and DNS. DNS verification can be automatic or manual. Automatic DNS verification uses the API provided by the domain's DNS provider to add the TXT record for you.
The following example uses Aliyun, which acme.sh supports, to verify domain name ownership automatically.
The first step is to log in to your Aliyun account and obtain your API AccessKey (key and secret). It is recommended to create a sub-account, generate the AccessKey for that sub-account, and grant it only the permission to manage Cloud DNS resolution.
After getting the Key and Secret, go to the terminal and export them as environment variables.
export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"
The second step is to generate the certificate. Each -d is followed by a domain name, so one certificate can cover multiple domain names.
acme.sh --issue --dns dns_ali -d example.com -d www.example.com
A wildcard domain name certificate can be generated directly on demand.
acme.sh --issue -d example.com -d '*.example.com' --dns dns_ali
After the certificate is generated, acme.sh automatically saves the API ID and API key to ~/.acme.sh/account.conf, so you do not need to specify the Aliyun AccessKey again the next time the Aliyun API is used.
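Because the AccessKey ends up in ~/.acme.sh/account.conf, it is worth confirming that only the file's owner can read it. The check below is an added example, not part of the original article or of acme.sh; it assumes the credentials appear as Ali_Key= / Ali_Secret= lines, optionally with a SAVED_ prefix, and its demo uses constructed values.

```shell
#!/bin/sh
# Added example (not from acme.sh): flag an account.conf that stores Aliyun
# credentials while being readable by group or others.
# Assumption: keys are stored as Ali_Key= / Ali_Secret= lines, optionally
# prefixed with SAVED_.

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_acme_conf FILE
# Returns 0 when safe, 1 when stored keys are exposed, 2 when FILE is missing.
audit_acme_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }

    # Collect only the variable names so secret values are never printed.
    names=$(grep -E '^(SAVED_)?Ali_(Key|Secret)=' "$conf" | cut -d= -f1 | tr '\n' ' ')
    if [ -z "$names" ]; then
        echo "ok: no Aliyun credentials stored in $conf"
        return 0
    fi

    mode=$(file_mode "$conf")
    # The last two octal digits are the group and other permission bits.
    case "$mode" in
        *00|0)
            echo "ok: $conf (mode $mode) holds: $names"
            return 0 ;;
        *)
            echo "WARN: $conf (mode $mode) exposes: $names; fix with: chmod 600 $conf"
            return 1 ;;
    esac
}

# Demo on a constructed file; the values are made up, not real credentials.
demo=$(mktemp)
printf "SAVED_Ali_Key='constructed-key'\nSAVED_Ali_Secret='constructed-secret'\n" >"$demo"
chmod 644 "$demo"; audit_acme_conf "$demo" || true   # WARN branch
chmod 600 "$demo"; audit_acme_conf "$demo"           # ok branch
rm -f "$demo"
```

To check a real installation, call audit_acme_conf ~/.acme.sh/account.conf after the first certificate has been issued.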
3. Install the certificate
By default, all of the certificates generated above are stored in ~/.acme.sh/.
The following uses Nginx as an example to describe how to install a certificate:
acme.sh --installcert -d '*.example.com' \
--key-file /etc/nginx/cert/'*.example.com.key' \
--fullchain-file /etc/nginx/cert/'*.example.com.pem' \
--reloadcmd "sudo service nginx force-reload"
The above command copies the certificate to /etc/nginx/cert/ and then runs the reload command for Nginx.
All parameters specified above are recorded automatically and are reused whenever the certificate is renewed automatically in the future.
The reload command used here is sudo service nginx force-reload. See the Red Hat NGINX Init Script for more information about adding settings to the service.
After the certificate is installed and configured, open SSL Server Test and enter the domain name to test the certificate.
4. Update the certificate
You do not need to do anything to update the certificate. acme.sh automatically creates a cron job that checks all certificates at 00:00 every day. If a certificate is about to expire, it is renewed automatically.
Resources
- An ACME Shell script: acme.sh
- acme.sh usage instructions
- Use acme.sh to install the free SSL certificate provided by Let’s Encrypt for Nginx
Original address: Github.com/liuvigongzu…