推荐使用这个脚本,具体说明里面都有
https://github.com/xdtianyu/scripts/tree/master/le-dns
- 先弄个文件夹放东西
mkdir /usr/local/openssl - 生成账户和网站的key
openssl genrsa 4096 > account.key
openssl genrsa 4096 > zhiyi.key - 生成证书
openssl req -new -sha256 -key zhiyi.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:snsproject.com,DNS:www.snsproject.com")) > zhiyi.csr
如果说找不到openssl.cnf,先全局搜下这个文件在哪里,如果搜不到就装一个openssl - 下载一个python的小工具
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py - 运行之,生成验证的签名crt文件
python ./acme_tiny.py --account-key ./account.key --csr ./zhiyi.csr --acme-dir ./www/acme-challenge/ > ./signed.crt
注意,它会生成一个文件,然后通过http://yoursite.com/.well-known/acme-challenge/+文件名获取这个文件进行验证,所以一定要确保这个文件通过刚才的url能访问到
6. 得到签名后,生成网站证书
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
7. 部署篇请见之前写的
8. 由于证书90天有效,需要自动刷新证书脚本
vi autorefresh.sh
#!/bin/bash
cd /usr/local/openssl/
python ./acme_tiny.py --account-key ./account.key --csr ./zhiyi.csr --acme-dir ./www/acme-challenge/ > ./signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
service httpd restart
vi /etc/crontab
在最后加上一行
0 0 4 * * root /usr/local/openssl/autorefresh.sh >/dev/null 2>&1
9. 设置重定向https
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule (.*) https://%{SERVER_NAME}/$1 [L,R]