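My site's Let's Encrypt certificate was about to expire. The official renewal procedure looked rather tedious, so I searched online for a simpler approach and found a shell script written by 墓地小企鹅. With this script it is easy to generate and renew Let's Encrypt certificates.
Script location: https://github.com/xdtianyu/scripts/tree/master/lets-encrypt
Download the script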
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
Configuration
root@rnse:~/lesh# cat letsencrypt.conf
# only modify the values, key files will be generated automaticly.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="alair.key"
DOMAIN_DIR="/data/wwwroot/alair.cn/compiled"
DOMAINS="DNS:alair.cn,DNS:www.alair.cn"
#ECC=TRUE
#LIGHTTPD=TRUE
Customize the three values DOMAIN_KEY, DOMAIN_DIR and DOMAINS as needed.
Generate the certificate
root@rnse:~/lesh# chmod +x letsencrypt.sh
root@rnse:~/lesh# ./letsencrypt.sh letsencrypt.conf
Generate account key...
Generating RSA private key, 4096 bit long modulus
..............................++
....++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
...............................................................+++
..........................+++
e is 65537 (0x10001)
Generate CSR...alair.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying www.alair.cn...
www.alair.cn verified!
Verifying alair.cn...
alair.cn verified!
Signing certificate...
Certificate signed!
New cert: alair.chained.crt has been generated
After generation, the directory contains the following files:
root@rnse:~/lesh# ls
alair.chained.crt alair.crt alair.csr alair.key lets-encrypt-x3-cross-signed.pem letsencrypt-account.key letsencrypt.conf letsencrypt.sh
Configure nginx
... ...
ssl_certificate /path/to/cert/alair.chained.crt;
ssl_certificate_key /path/to/cert/alair.key;
... ...
Renew the certificate
Before the certificate expires, simply run the generation again.
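One way to automate the renewal step above, as an added example that is not part of the original post or of letsencrypt.sh: a wrapper that re-runs the script only when alair.chained.crt is close to expiry, then validates the nginx configuration before reloading. The function names, the WORKDIR default of ~/lesh, the 30-day window and the assumption that nginx reads the files from that directory are all choices made for this example.

```shell
#!/bin/sh
# Added example (not from letsencrypt.sh): renew only when the chained
# certificate is close to expiry, e.g. from a daily cron job run with --run.
WORKDIR="${WORKDIR:-$HOME/lesh}"      # assumed: directory used in the post
CERT="${CERT:-alair.chained.crt}"     # file name from the listing above
RENEW_DAYS="${RENEW_DAYS:-30}"        # assumed renewal window in days

# needs_renewal FILE DAYS
# Exit 0 when FILE is missing, cannot be parsed as a certificate, or expires
# within DAYS days; exit 1 when it stays valid longer than that.
needs_renewal() {
    cert_file=$1
    days=$2
    [ -s "$cert_file" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid in N seconds
    if openssl x509 -in "$cert_file" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed: run the generation again and reload nginx when required.
renew_if_needed() {
    cd "$WORKDIR" || return 1
    if ! needs_renewal "$CERT" "$RENEW_DAYS"; then
        echo "$CERT is valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    ./letsencrypt.sh letsencrypt.conf || return 1
    # Keep the private keys readable by their owner only
    chmod 600 alair.key letsencrypt-account.key
    # Fail closed: a renewal that did not produce a usable cert is an error
    if needs_renewal "$CERT" "$RENEW_DAYS"; then
        echo "renewal ran but $CERT is still expiring" >&2
        return 1
    fi
    # Test the configuration first so a bad file cannot take the site down
    nginx -t && nginx -s reload
}

# Only act when asked to, so the functions can be sourced and tested safely
if [ "${1:-}" = "--run" ]; then
    renew_if_needed
fi
```

A non-zero exit from the wrapper means the certificate is still expiring or nginx rejected its configuration, so a scheduler that runs it should report that failure.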