Установка бесплатного сертификата Let's Encrypt



Подготовка

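# Working directory for keys/CSRs and the directory nginx serves challenge files from.
# -p makes the step repeatable when the directories already exist.
mkdir -p /root/letsencrypt /var/www/letsencrypt
cd /root/letsencrypt || exit 1
# acme_tiny.py is fetched unpinned from the master branch and will later run as root
# with access to the account key: read the downloaded file before using it.
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
# The shell creates the redirect target before openssl writes to it, so generate the
# account key under a restrictive umask (in a subshell, so the umask change is local)
# and the file is never world-readable.
(umask 077 && openssl genrsa 4096 > /root/letsencrypt/account.key)
# Intermediate certificate that is appended to every issued certificate below.
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem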

Добавить в секцию server в настройках виртуального хоста nginx:

# Serves ACME challenge files written by acme_tiny (--acme-dir /var/www/letsencrypt/).
# Keep the trailing slash on both the location and the alias so a token filename
# maps straight onto a file in that directory.
location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/;
    # only files that actually exist in the directory are served; anything else is 404
    try_files $uri =404;
}

Тестирование

# Drop a probe file into the challenge directory to confirm nginx serves it.
printf 'test\n' >> /var/www/letsencrypt/test.txt

Затем проверяем, что файл отдаётся, открыв его в браузере:

http://specialistoff.net/.well-known/acme-challenge/test.txt

Создание закрытого ключа, запроса сертификата и создание самого сертификата

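# Domain private key. Generated under a restrictive umask (subshell keeps it local)
# because the shell creates the redirect target before openssl writes to it.
(umask 077 && openssl genrsa 4096 > /root/letsencrypt/specialistoff.net.key)

# OpenSSL request configuration: CN plus every SAN to include in the certificate.
# The heredoc delimiter is quoted so nothing inside is expanded by the shell.
cat << 'EOF' > /root/letsencrypt/specialistoff.net.cfg
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=RU
O=RemiZOffAlex
emailAddress=remizoffalex@gmail.com
CN = specialistoff.net

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = specialistoff.net
DNS.2 = www.specialistoff.net
EOF

# Certificate signing request built from the key and the config above.
openssl req -new -sha256 -key /root/letsencrypt/specialistoff.net.key \
-nodes -out /root/letsencrypt/specialistoff.net.csr \
-config /root/letsencrypt/specialistoff.net.cfg

# Ask for the certificate with an absolute path to acme_tiny.py so the step does
# not depend on the current directory. The chain is only assembled when acme_tiny
# succeeded, so a failed run cannot leave an empty or truncated .crt behind.
# The intermediate was downloaded once and is hard-coded here; it must be refreshed
# whenever the issuing chain changes.
python /root/letsencrypt/acme_tiny.py --account-key /root/letsencrypt/account.key \
--csr /root/letsencrypt/specialistoff.net.csr \
--acme-dir /var/www/letsencrypt/ > /root/letsencrypt/specialistoff.net.new \
&& cat /root/letsencrypt/specialistoff.net.new \
/root/letsencrypt/lets-encrypt-x3-cross-signed.pem > /root/letsencrypt/specialistoff.net.crt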

Скрипт обновления

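# Write the renewal script. The heredoc delimiter is quoted: with a bare EOF the
# creating shell expands $1 (normally to an empty string) and the generated script
# ends up referencing /root/letsencrypt/.csr instead of the name passed at run time.
cat << 'EOF' > renew_cert.sh
#!/bin/bash
# Usage: renew_cert.sh <name>
# Renews the certificate for /root/letsencrypt/<name>.csr into <name>.crt
# (leaf followed by the intermediate) and reloads nginx on success.
set -euo pipefail

name=${1:?usage: renew_cert.sh <name>}
printf '%s\n' "$name"

# acme_tiny.py is referenced relative to this directory; do not rely on the
# caller's working directory (e.g. cron).
cd /root/letsencrypt

python acme_tiny.py --account-key /root/letsencrypt/account.key \
  --csr "/root/letsencrypt/$name.csr" \
  --acme-dir /var/www/letsencrypt/ > "/root/letsencrypt/$name.new" || exit 1

# Only reached when acme_tiny succeeded, so the existing .crt is never replaced
# by an empty chain. The intermediate file is a fixed copy and must be refreshed
# when the issuing chain changes.
cat "/root/letsencrypt/$name.new" \
  /root/letsencrypt/lets-encrypt-x3-cross-signed.pem > "/root/letsencrypt/$name.crt"

service nginx reload
EOF
# the heredoc does not make the file executable; ./renew_cert.sh needs this
chmod +x renew_cert.sh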

Использование

# <name> selects /root/letsencrypt/<name>.csr and produces <name>.new and <name>.crt;
# nginx is reloaded afterwards. The file must be executable (chmod +x) for ./ to work.
./renew_cert.sh specialistoff.net