2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Taking demo.example.com as an example, this article describes in detail how to apply for an SSL certificate and renew it automatically using acme.sh.
Installation
Run the following command as any user:
curl https://get.acme.sh | sh
acme.sh will be installed in the ~/.acme.sh/ directory, and a new scheduled task (cron job) will be created to check all certificates at 0:00 a.m.
There are three main ways to generate a certificate:
1. File verification: suitable when an apache or nginx server has already been deployed.
2. Temporarily listening on port 80: suitable for servers that do not have a deployed service.
3. DNS verification: you need permission to configure DNS; suitable when you do not have a server or do not want to change the server.
1. File verification
acme.sh --issue -d <domain> --webroot <webroot directory>
acme.sh --issue -d demo.example.com --webroot /home/wwwroot/demo.example.com/
2. Temporarily listen on port 80
yum install socat
acme.sh --issue -d demo.example.com --standalone
3. DNS mode
Manual mode
First, obtain the DNS record required for verification.
acme.sh --issue --dns -d demo.example.com
Then add the record at the DNS service provider.
Finally, regenerate the certificate.
acme.sh --renew -d demo.example.com
With this method, acme.sh cannot renew the certificate automatically; each time, you have to add the DNS record again by hand and verify ownership of the domain name.
Automatic mode
The real power of the DNS approach is that you can use the API provided by the DNS provider to add the TXT records automatically and complete verification.
First, you need to apply on the cloud provider for an account and key with DNS configuration permission.
Tencent Cloud
Reference:
Operation method
Apply on the official DNSPod website:
https://www.dnspod.cn/Login?r=/console
Then log in to the remote server
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
acme.sh --issue --dns dns_dp -d demo.example.com
Ali Cloud
Reference:
Operation method
Log in to the official Aliyun website and add a sub-account with DNS configuration permission: https://ram.console.aliyun.com/overview
Then log in to the remote server
export Ali_Key="AccessKeyId"
export Ali_Secret="AccessKeySecret"
acme.sh --issue --dns dns_ali -d demo.example.com
Installation of the certificate
By default, all generated certificates are placed in the installation directory: ~/.acme.sh/
You need to "copy" the certificate to a custom location to make configuration easier. Do the copy with acme.sh's own tool, so that the copy is also updated automatically at later renewals.
acme.sh --installcert -d demo.example.com \
  --key-file /usr/local/nginx/ssl/demo_example_com.key \
  --fullchain-file /usr/local/nginx/ssl/demo_example_com.cer \
  --reloadcmd "/usr/local/nginx/sbin/nginx -s reload"
Apache server configuration
None for the time being
Configuration of nginx server
The nginx settings are similar to the following:
server {
    listen 443 ssl;
    # "ssl on;" is omitted: "listen 443 ssl" already enables TLS, and nginx 1.25.1 and later reject the old directive
    ssl_certificate /usr/local/nginx/ssl/demo_example_com.cer;  # points to the location where the certificate was installed
    ssl_certificate_key /usr/local/nginx/ssl/demo_example_com.key;
}
Making your SSL more secure
Reference: https://mikemiao111.com/nginx%E5%A2%9E%E5%BC%BAhttps%E5%AE%89%E5%85%A8%E9%85%8D%E7%BD%AE/
Nginx uses 1024-bit Diffie-Hellman parameters by default; you can use 2048-bit parameters instead if necessary, which makes the key exchange more secure.
First generate the demo_example_com.pem file in the specified directory:
openssl dhparam -out /usr/local/nginx/ssl/demo_example_com.pem 2048
Then set it in the nginx configuration file:
server {
    listen 443 ssl;
    # no "ssl on;" line: the ssl parameter of listen replaces it
    ssl_certificate /usr/local/nginx/ssl/demo_example_com.cer;
    ssl_certificate_key /usr/local/nginx/ssl/demo_example_com.key;
    ssl_dhparam /usr/local/nginx/ssl/demo_example_com.pem;  # added
}
You can use the following website to test SSL security
https://www.ssllabs.com/ssltest/
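A local check to go with the external test, as an added example that is not part of the original article or of acme.sh: the steps above leave secrets on disk (acme.sh saves the DNS API credentials it is given in account.conf under its home directory, private keys sit in *.key files, and the export lines may end up in shell history). The function names and the ~/.bash_history location are assumptions of this example.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): find where the steps on this page
# can leave secrets exposed on disk. All paths are supplied by the caller.

# Print "LOOSE <path>" for each secret file that group or other can access.
loose_secret_files() {
    acme_home=$1      # acme.sh home, e.g. ~/.acme.sh
    installed_key=$2  # key installed with --key-file
    {
        if [ -d "$acme_home" ]; then
            # account.conf keeps saved DNS API credentials; *.key are private keys
            find "$acme_home" -type f \( -name account.conf -o -name '*.key' \) -print
        fi
        if [ -f "$installed_key" ]; then printf '%s\n' "$installed_key"; fi
    } | while IFS= read -r f; do
        # POSIX find tests: any group/other read, write or execute bit set
        hit=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$hit" ]; then printf 'LOOSE %s\n' "$f"; fi
    done
}

# Print "HISTORY <file>:<line>" for history lines that assign DP_Key or
# Ali_Secret (the variables exported above). The secret itself is not echoed.
secrets_in_history() {
    hist=$1
    [ -f "$hist" ] || return 0
    { grep -nE '(DP_Key|Ali_Secret)[[:space:]]*=' "$hist" || true; } |
        cut -d: -f1 |
        while IFS= read -r n; do printf 'HISTORY %s:%s\n' "$hist" "$n"; done
}

# Run against the locations used on this page (history path is an assumption).
loose_secret_files "$HOME/.acme.sh" /usr/local/nginx/ssl/demo_example_com.key
secrets_in_history "$HOME/.bash_history"
```

A LOOSE finding is fixed with chmod 600 on the file; a HISTORY finding means the key was typed in the clear, so delete that line and issue a new API key.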
Update acme.sh
At present, because both the ACME protocol and the Let's Encrypt CA are updated frequently, acme.sh is also updated frequently to keep in sync.
Upgrade acme.sh to the latest version:
acme.sh --upgrade
If you do not want to upgrade manually, you can turn on automatic upgrade:
acme.sh --upgrade --auto-upgrade
After that, acme.sh will keep itself up to date automatically.
You can also turn off automatic updates at any time:
acme.sh --upgrade --auto-upgrade 0