hitme · October 11, 2018 07:38
diff --git a/lets_encrypt b/lets_encrypt
 courtesy to https://foofish.net/https-free-for-lets-encrypt.html

 第一步：创建 Let's Encrypt 账号
 openssl genrsa 4096 > account.key
 第二步：创建域名的CSR（CERTIFICATE SIGNING REQUEST）
 #创建普通域名私钥
 openssl genrsa 4096 > domain.key
 #单个域名
 openssl req -new -sha256 -key domain.key -subj "/CN=foofish.net" > domain.csr

 #多个域名(如果你有多个域名，比如：www.foofish.net和foofish.net，使用这种方式)
 openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:foofish.net,DNS:www.foofish.net")) > domain.csr
 第三步：配置域名验证
 mkdir -p var/www/challenges
 #配置一个 HTTP 服务
 server {
    listen 80;
    server_name www.foofish.net foofish.net;

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }
 }
 第四步：获取网站证书
 wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
 python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
 第五步：安装证书
 #Nginx追加一个Let's Encrypt的中间证书
 wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
 cat signed.crt intermediate.pem > chained.pem
 server {
    listen 443;
    server_name foofish.net, www.foofish.net;

    ssl on;
    ssl_certificate /path/to/chained.pem;
    ssl_certificate_key /path/to/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
 }

 第六步：定期更新
 #renew_cert.sh
 #!/usr/bin/sh
 python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt || exit
 wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
 cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
 service nginx reload
 #crontab配置
 #每个月执行一次
 0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log

 #更新
 https://awen.me/post/6147.html
	courtesy to https://foofish.net/https-free-for-lets-encrypt.html

	第一步：创建 Let's Encrypt 账号
	openssl genrsa 4096 > account.key
	第二步：创建域名的CSR（CERTIFICATE SIGNING REQUEST）
	#创建普通域名私钥
	openssl genrsa 4096 > domain.key
	#单个域名
	openssl req -new -sha256 -key domain.key -subj "/CN=foofish.net" > domain.csr

	#多个域名(如果你有多个域名，比如：www.foofish.net和foofish.net，使用这种方式)
	openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:foofish.net,DNS:www.foofish.net")) > domain.csr
	第三步：配置域名验证
	mkdir -p var/www/challenges
	#配置一个 HTTP 服务
	server {
	listen 80;
	server_name www.foofish.net foofish.net;

	location ^~ /.well-known/acme-challenge/ {
	alias /var/www/challenges/;
	try_files $uri =404;
	}
	}
	第四步：获取网站证书
	wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
	python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
	第五步：安装证书
	#Nginx追加一个Let's Encrypt的中间证书
	wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
	cat signed.crt intermediate.pem > chained.pem
	server {
	listen 443;
	server_name foofish.net, www.foofish.net;

	ssl on;
	ssl_certificate /path/to/chained.pem;
	ssl_certificate_key /path/to/domain.key;
	ssl_session_timeout 5m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
	ssl_session_cache shared:SSL:50m;
	ssl_prefer_server_ciphers on;
	}

	第六步：定期更新
	#renew_cert.sh
	#!/usr/bin/sh
	python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ > /tmp/signed.crt \|\| exit
	wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
	cat /tmp/signed.crt intermediate.pem > /path/to/chained.pem
	service nginx reload
	#crontab配置
	#每个月执行一次
	0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log

	#更新
	https://awen.me/post/6147.html