Acme-Tiny是采用Python编写的,一款轻量级的TLS证书加密工具。
使用
获取秘钥
openssl genrsa 4096 > account.key使用现有的秘钥
# Download the scriptwget -O - "https://gist.githubusercontent.com/JonLundy/f25c99ee0770e19dc595/raw/6035c1c8938fae85810de6aad1ecf6e2db663e26/conv.py" > conv.py# Copy your private key to your working directorycp /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/<id>/private_key.json private_key.json# Create a DER encoded private keyopenssl asn1parse -noout -out private_key.der -genconf <(python conv.py private_key.json)# Convert to PEMopenssl rsa -in private_key.der -inform der > account.key创建证书签名请求(CSR)的域名
#generate a domain private key (if you haven't already)openssl genrsa 4096 > domain.key#for a single domainopenssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr#for multiple domains (use this one if you want both www.yoursite.com and yoursite.com)openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[关联到网站主机
#example for nginxserver { listen 80; server_name yoursite.com www.yoursite.com; location /.well-known/acme-challenge/ { alias /var/www/challenges/; try_files $uri =404; } ...the rest of your config}获取签名证书
#run the script on your serverpython acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt安装证书
server { listen 443; server_name yoursite.com, www.yoursite.com; ssl on; ssl_certificate /path/to/chained.pem; ssl_certificate_key /path/to/domain.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA; ssl_session_cache shared:SSL:50m; ssl_dhparam /path/to/server.dhparam; ssl_prefer_server_ciphers on; ...the rest of your config}server { listen 80; server_name yoursite.com, www.yoursite.com; location /.well-known/acme-challenge/ { alias /var/www/challenges/; try_files $uri =404; } ...the rest of your config}设置自动更新
#!/usr/bin/shpython /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exitwget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pemcat /tmp/signed.crt intermediate.pem > /path/to/chained.pemservice nginx reload
评论