Nginx automatically applies for and renews SSL certificates in combination with acme.sh (Let's Encrypt)

A server needs an SSL certificate for WS and TLS encryption, so Nginx is installed and combined with acme.sh to renew the SSL certificate automatically.

Preparation

The operating system used in this article is Ubuntu.

1. Install acme.sh

First connect to the server through ssh, and then install acme.sh through the following command:

 curl https://get.acme.sh | sh

When finished, run acme.sh; if the help menu appears, the installation succeeded.

If running acme.sh reports that the command does not exist, set the alias manually:

 alias acme.sh=~/.acme.sh/acme.sh

2. Install Nginx

Then install Nginx through the following command:

 sudo apt install nginx

Stop Nginx with the following command:

 sudo service nginx stop

Apply for a certificate

When acme.sh applies for a Let's Encrypt certificate, it supports two verification methods: one verifies through a web page file, the other through a DNS TXT record.

The former is more convenient; the latter requires an API authorization key from the DNS provider, which is less convenient to use.

Prepare a domain name and point its DNS resolution to the server.

1. Only apply for and automatically renew the certificate, without using it as a web service

If you only want to generate an SSL certificate and do not use it with other software such as Nginx, you can issue and renew it automatically through acme.sh directly:

 acme.sh --issue -d azimiao.com --standalone

This command starts a temporary listener on port 80 and serves the web page verification file. Once the request completes, the listener is stopped automatically.

The default storage path of the generated certificate is:

 ~/.acme.sh/azimiao.com/file

These paths may change depending on the acme.sh version.

2. Apply for and automatically renew the SSL certificate for an Nginx configuration

First, configure a simple Nginx server block listening on port 80:

 server {
     listen       80;
     server_name  azimiao.com;
     root         /somedir/somedir2;
     index        index.html index.htm;
     access_log   /dev/somdir;
     error_log    /var/log/nginx/somdir warn;
     error_page   500 502 503 504 /50x.html;
     location = /50x.html {
         root /usr/share/nginx/html;
     }
     location ~ /\.ht {
         deny all;
     }
     location / {
         index index.html;
     }
 }

Let acme.sh read the Nginx configuration automatically and issue the certificate:

 acme.sh --issue -d azimiao.com --nginx
 # Read only one configuration file:
 # acme.sh --issue -d example.com --nginx /etc/nginx/conf.d/example.com.conf

Install the certificate into the specified folder with the following command:

 acme.sh --install-cert -d azimiao.com \
     --key-file       /path/to/keyfile/in/nginx/azimiao.com.key \
     --fullchain-file /path/to/fullchain/nginx/azimiao.com.cert \
     --reloadcmd      "service nginx force-reload"

Confirm that the SSL certificate and key paths in the Nginx configuration file match the installation locations above:

 server {
     listen       443 ssl http2;
     server_name  azimiao.com;
     root         /somedir/somedir2;
     index        index.html index.htm;
     access_log   /dev/somdir;
     error_log    /var/log/nginx/somdir warn;

     ssl_certificate      /path/to/fullchain/nginx/azimiao.com.cert;
     ssl_certificate_key  /path/to/keyfile/in/nginx/azimiao.com.key;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
     add_header Strict-Transport-Security max-age=31536000;

     # redirect server error pages to the static page /50x.html
     #
     error_page   500 502 503 504 /50x.html;
     location = /50x.html {
         root /usr/share/nginx/html;
     }
     location / {
         index index.html;
     }
 }

Restart Nginx or reload its configuration:

 # Restart
 sudo service nginx restart
 # Or reload the configuration
 # sudo service nginx force-reload

From then on, whenever the certificate is about to expire, acme.sh automatically requests a new certificate and copies it to the location specified during installation.

Verification

List all the scheduled tasks of the current user through the following command:

 crontab -l

Output like the following indicates that the acme.sh scheduled task was added correctly:

 4 0 * * * "/home/username/.acme.sh"/acme.sh --cron --home "/home/username/.acme.sh" > /dev/null
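The crontab entry only shows that renewal is scheduled. The script below is an added example (not part of the original post) that checks the whole setup from section 2 and this section: that the installed private key belongs to the certificate, that the certificate still has at least 30 days left, that the acme.sh cron job is present, and that the Nginx configuration parses. The certificate and key paths are assumptions and must match the values you passed to acme.sh --install-cert.

```shell
#!/bin/sh
# Post-setup check for the acme.sh + Nginx flow. Added example; the paths
# below are assumptions that must match --key-file / --fullchain-file.
CERT_FILE="${CERT_FILE:-/path/to/fullchain/nginx/azimiao.com.cert}"
KEY_FILE="${KEY_FILE:-/path/to/keyfile/in/nginx/azimiao.com.key}"
MIN_DAYS="${MIN_DAYS:-30}"   # warn if fewer days than this remain

# 0 if the private key in $2 belongs to the certificate in $1 (compares public keys).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the crontab text in $1 contains the acme.sh renewal job.
cron_has_acme() {
    printf '%s\n' "$1" | grep -q 'acme\.sh --cron'
}

# Runs every check against the live system (run as root so nginx -t can read
# the config); prints one line per check and returns 1 if any check failed.
check_all() {
    rc=0
    cert_matches_key "$CERT_FILE" "$KEY_FILE" \
        && echo "ok   key matches certificate" \
        || { echo "FAIL key and certificate do not match"; rc=1; }
    cert_valid_for_days "$CERT_FILE" "$MIN_DAYS" \
        && echo "ok   certificate valid for at least $MIN_DAYS days" \
        || { echo "FAIL certificate expires within $MIN_DAYS days"; rc=1; }
    cron_has_acme "$(crontab -l 2>/dev/null)" \
        && echo "ok   acme.sh cron job present" \
        || { echo "FAIL no 'acme.sh --cron' entry in crontab"; rc=1; }
    nginx -t >/dev/null 2>&1 \
        && echo "ok   nginx -t passes" \
        || { echo "FAIL nginx -t reports errors"; rc=1; }
    return $rc
}

# Only run the live checks when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_all
fi
```

Run it as `sudo sh check-acme.sh --check`; a non-zero exit means one of the four checks failed.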

Stop automatic renewal

If you want to stop renewing a domain name automatically, use the following commands:

 # List the domain names whose certificates are renewed automatically:
 acme.sh --list
 # Remove the corresponding domain name:
 acme.sh --remove -d azimiao.com

If you want to stop acme.sh from running at all, edit the scheduled tasks with the following command:

 crontab -e

Delete the line that runs acme.sh automatically.

Zimiao haunting blog (azimiao. com) All rights reserved. Please note the link when reprinting: https://www.azimiao.com/7709.html


Comment area

  1. WeiCN 03-08 14:55 reply

    Learning~