acme-tiny在CentOS、Apache下自动更新https证书

# yum install mod_ssl openssl

# mkdir /home/crt/

# cd /home/crt/

复制

http://github.com/diafygi/acme-tiny

acme_tiny.py

到/home/crt/

yoursite—>站点名称

# mkdir yoursite/www/

# cd yoursite

//创建Let’s Encrypt私钥

# openssl genrsa 4096 > account.key

# openssl genrsa 4096 > domain.key

#单域名CSR用如下命令

#openssl req -new -sha256 -key domain.key -subj “/CN=yoursite.com” > domain.csr



#多域名CSR用如下命令（一般都至少要为根域和WWW申请证书吧）

接下来需要使用openssl.cnf文件，先查找自己该文件的位置

#locate openssl.cnf

CentOS下的文件位置在/etc/pki/tls/openssl.cnf

#

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]
subjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

#

设置该目录下面 www 文件夹权限为777

chmod -R 777 www

修改http.conf，红色为修改部分

<VirtualHost *:80>
DocumentRoot "/var/www/yoursite"
ServerName www.yoursite.com
ServerAlias yoursite.com
<Directory "/var/www/yoursite">
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
Alias /.well-known/acme-challenge "/home/crt/yoursite/www"
<Directory "/home/crt/yoursite/www">
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>

#systemctl restart httpd.service

# cd /home/crt/

vi renew_cert.sh

==========红字为sh内容

function getCrt()
{
BASURL=/home/crt/
python ${BASURL}/acme_tiny.py --account-key ${BASURL}${1}/account.key --csr ${BASURL}${1}/domain.csr --acme-dir ${BASURL}${1}/www/ > ${BASURL}${1}/signed.crt || exit
wget -O - http://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > ${BASURL}${1}/intermediate.pem
cat ${BASURL}${1}/signed.crt ${BASURL}${1}/intermediate.pem > ${BASURL}${1}/chained.pem

}
getCrt yoursite

sudo systemctl restart httpd.service

#chmod +x renew_cert.sh

#sh renew_cert.sh

自动生成证书

删除 ssl.conf

中…所有内容

修改http.conf，增加红字部分

NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "/var/www/yoursite"
ServerName www.yoursite.com
ServerAlias yoursite.com
SSLEngine on
SSLHonorCipherOrder on

# 禁止SSLv2 SSLv3协议
SSLProtocol all -SSLv2 -SSLv3

#禁止RC4，禁止SF
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /home/crt/yoursite/signed.crt
SSLCertificateKeyFile /home/crt/yoursite/domain.key
SSLCertificateChainFile /home/crt/yoursite/chained.pem
<Directory "/var/www/yoursite">
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>

#systemctl restart httpd.service

访问 http://www.yoursite.com

可以在项目目录下创建.htaccess 来强制http 访问到http访问

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

添加到定时任务中

crontab -e

//添加任务
0 0 1 * * /usr/bin/bash /home/crt/renew_cert.sh

sudo systemctl restart crond.service