Applying for a free Let's Encrypt wildcard HTTPS certificate

Note: this tutorial was done on CentOS 7; other Linux distributions are similar. Reference 1   Reference 2   Expiry renewal procedure

1) The acme.sh method of obtaining the certificate is strongly recommended
2) Added a method of obtaining the certificate through a docker image

1, The acme.sh method

1. Get acme.sh

curl https://get.acme.sh | sh

This pipes a remote script straight into your shell; if that bothers you, download it first, read it, and then run it.

When installation succeeds you will see output like the following (the original shows a screenshot here).

Note: on CentOS 7 I ran into a problem where, right after installation, running acme.sh reported "command not found". If you hit the same problem, close the terminal and log in again, or run the following command:

source ~/.bashrc

2. Start obtaining certificate

The strength of acme.sh is that it adds the DNS validation records itself through the DNS provider's API, so you do not need to go into the domain's DNS console and add records by hand. My domain is registered with Alibaba Cloud, so the example below uses Alibaba Cloud DNS. If your domain is hosted elsewhere, see the list of supported DNS APIs and adjust accordingly: Portal

Obtain an AccessKey ID and AccessKey Secret from the Alibaba Cloud console (Portal). acme.sh stores this pair in plain text under ~/.acme.sh/ for later renewals, so create it for a RAM sub-account that has only DNS permissions rather than using the primary account's key. Then run the following:

# Replace with the key obtained from Alibaba cloud background
export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"
# Change to your own domain name
acme.sh --issue --dns dns_ali -d zhuziyu.cn -d *.zhuziyu.cn

acme.sh waits for the TXT record to propagate by sleeping for 120 seconds (the --dnssleep delay) before asking Let's Encrypt to validate, so expect the command to take at least two minutes.
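What acme.sh does behind the scenes while you wait is the ACME DNS-01 challenge (RFC 8555 section 8.4): for each name it obtains a token from Let's Encrypt, publishes a TXT record named _acme-challenge.<domain> whose value is the base64url SHA-256 of token + "." + the account key's JWK thumbprint (RFC 7638), and then lets the CA look the record up. The following added Python example (not code from the original page or from acme.sh) computes those record names and values from a constructed placeholder account key and constructed tokens; it also shows that the apex and the wildcard are validated at the same record name with different values, which is why two TXT records end up side by side when both names are requested.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the JSON of the
    required public members only, keys sorted, no whitespace. Extra members
    such as "kid" or "alg" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """TXT record name for an identifier. A wildcard *.example.com is validated
    at _acme-challenge.example.com, the same name as the apex."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(token + '.' + thumbprint)), RFC 8555 8.4."""
    key_authorization = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_records(identifiers, tokens, jwk):
    """One (name, value) TXT record per identifier. With apex + wildcard the names
    collide, and both records must exist at the same time until validation is done."""
    return [(dns01_record_name(i), dns01_txt_value(t, jwk)) for i, t in zip(identifiers, tokens)]


# Constructed account key: NOT a real key, the modulus is a placeholder string.
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus", "kid": "ignored"}
# Constructed tokens; the real ones are issued by the CA per authorization.
EXAMPLE_TOKENS = {"zhuziyu.cn": "tokenA-constructed", "*.zhuziyu.cn": "tokenB-constructed"}

if __name__ == "__main__":
    for name, value in dns01_records(list(EXAMPLE_TOKENS), list(EXAMPLE_TOKENS.values()), EXAMPLE_JWK):
        print(f"{name} TXT {value}")
```

The value is always 43 characters (32 hash bytes, base64url, no padding); when you check propagation with dig, that is the shape you should see, and two different values under the same _acme-challenge name are expected, not a mistake.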

That's it, done!

The generated certificate is placed in ~/.acme.sh/<domain>/ (fullchain.cer, <domain>.key and ca.cer). acme.sh documents these files as internal and subject to change; for a production setup copy them to their final location with acme.sh --install-cert, together with a --reloadcmd (for example a systemctl reload nginx) so that every automatic renewal also reloads nginx.

Here is an example of Nginx applying the certificate:

# Replace domain with your own domain name
server {
    server_name xx.domain.com;
    listen 443 http2 ssl;
    ssl_certificate /path/.acme.sh/domain/fullchain.cer;
    ssl_certificate_key /path/.acme.sh/domain/domain.key;
    ssl_trusted_certificate  /path/.acme.sh/domain/ca.cer;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:10086;
    }
}

acme.sh is more automated than certbot: it saves the step of manually changing DNS records in the domain's console and does not depend on Python. Strongly recommended.

After the first successful issue, acme.sh records the key and secret (in ~/.acme.sh/account.conf) and installs a user-level cron job that runs at 0:00 every day, checks the certificates and renews any that are due (by default 60 days after issue, well before the 90-day expiry). If leaving the API credentials on the server concerns you, remove the entry from the user's crontab and delete the ~/.acme.sh folder, but then renewals will no longer happen automatically.

2, Obtaining the certificate with the docker image

If you have docker installed, you can also obtain the certificate with the docker image in a single command:

docker run --rm  -it  \
  -v "$(pwd)/out":/acme.sh  \
  -e Ali_Key="xxxxxx" \
  -e Ali_Secret="xxxx" \
  neilpang/acme.sh  --issue --dns dns_ali -d domain.cn -d *.domain.cn

On success the certificate is saved in the out folder of the current directory. To save it elsewhere, change "$(pwd)/out" on the first -v line to the path you want.

For detailed usage, please refer to: Portal

The certificate obtained is exactly the same as with method 1; for the nginx configuration, renewal and everything else, refer to method 1.

3, Obtaining the certificate with certbot [not recommended] (it does work)

Note: certbot-auto has since been deprecated; current certbot releases are installed via snap or pip instead.

1. Get certbot-auto

# download
wget https://dl.eff.org/certbot-auto

# Make executable
chmod a+x certbot-auto

2. Start applying for certificate

# Note xxx.com please change according to your domain name
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" --manual --preferred-challenges dns-01 certonly

The command above covers only the wildcard, not the bare domain. To cover both, pass the two names:

# Note: change xxx.com to your own domain name
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" -d "xxx.com" --manual --preferred-challenges dns-01 certonly

After this step certbot-auto downloads the dependencies it needs. After a while you will be prompted for an email address, which is used for security notices and expiry reminders.

Note that a wildcard certificate can only be validated with the DNS-01 challenge. Follow the prompt and add the TXT record it shows in your domain's DNS console (the record name is _acme-challenge.xxx.com). After adding it, do not press Enter straight away: first run dig _acme-challenge.xxx.com TXT to confirm the record has actually propagated, then press Enter to continue.

At this point you are done! The certificate is stored in /etc/letsencrypt/live/xxx.com/

To renew, run ./certbot-auto renew. Note that because the certificate was issued with --manual and without a --manual-auth-hook, certbot cannot place the new TXT records by itself, so a non-interactive renew will fail; either rerun the interactive command above before expiry or supply an auth hook script.

When applying for the apex xxxxx.cn and *.xxxxx.cn together, validation runs twice (once per name), so you must add two TXT records with the same name _acme-challenge.xxxxx.cn but two different values; keep the first record in place while adding the second.

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" -d "xxx.com" --manual --preferred-challenges dns-01 certonly
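The reason both -d flags are needed is the wildcard matching rule of RFC 6125 / RFC 9525: '*' is only honoured as the whole leftmost label and matches exactly one label, so *.xxx.com covers www.xxx.com but neither the apex xxx.com nor a.b.xxx.com. The following added Python example (not code from the original page or from certbot) implements that rule and lists which hostnames a given set of certificate names leaves uncovered; the hostnames are constructed placeholders.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate dNSName entry cover the hostname?
    RFC 6125 / RFC 9525 rules: comparison is case-insensitive, '*' is honoured
    only as the entire leftmost label, and it matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # literal name; partial wildcards like w*.x are not honoured
    suffix = pattern[2:]
    if "*" in suffix or not suffix:
        return False                        # malformed pattern never matches anything
    head, sep, tail = hostname.partition(".")
    return sep == "." and head != "" and head != "*" and tail == suffix


def uncovered(san_names, hostnames):
    """Hostnames that none of the certificate's names cover, in input order."""
    return [h for h in hostnames if not any(hostname_matches(p, h) for p in san_names)]


if __name__ == "__main__":
    # Constructed placeholder names, mirroring the xxx.com of the tutorial.
    wildcard_only = ["*.xxx.com"]
    wildcard_and_apex = ["*.xxx.com", "xxx.com"]
    wanted = ["xxx.com", "www.xxx.com", "api.xxx.com", "a.b.xxx.com"]
    print("wildcard only leaves uncovered:", uncovered(wildcard_only, wanted))
    print("wildcard + apex leaves uncovered:", uncovered(wildcard_and_apex, wanted))
```

Run it against the names you actually serve before issuing: anything still listed as uncovered (a second-level host like a.b.xxx.com, for instance) needs its own -d entry or its own certificate.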

Here is an example of nginx applying the certificate

# Paths are the ones certbot created in step 2; "ssl on;" is redundant with "listen 443 ssl"
# and has been removed from newer nginx releases, so it is omitted here.
server {
    server_name xxx.com;
    listen 443 http2 ssl;
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_trusted_certificate  /etc/letsencrypt/live/xxx.com/chain.pem;

    location / {
      proxy_pass http://127.0.0.1:6666;
    }
}

Tags: DNS Docker SSL CentOS

Posted on Thu, 12 Mar 2020 01:24:20 -0400 by artisticre