Установка бесплатного сертификата Let's Encrypt


Подготовка

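# Working directory for keys and CSRs (root-only) and the directory nginx
# serves ACME challenge tokens from.
mkdir -p /root/letsencrypt /var/www/letsencrypt
chmod 700 /root/letsencrypt
cd /root/letsencrypt || exit 1

# acme-tiny is a small ACME client. It is fetched here from the unpinned
# master branch and will later run as root, so read the script (it is short)
# and prefer a tagged release before using it.
wget -O acme_tiny.py https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

# ACME account key. Generated inside a subshell with umask 077 so the file is
# created mode 0600 and is never world-readable, not even briefly.
(umask 077 && openssl genrsa 4096 > /root/letsencrypt/account.key)

# Intermediate appended to the issued certificate below. This X3 cross-signed
# intermediate has since been retired by Let's Encrypt, and newer acme-tiny
# versions already print the full chain, so check whether it is still needed.
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem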

Добавить в секцию server в настройках виртуального хоста в nginx

# Serve ACME http-01 challenge tokens from the directory acme-tiny writes to.
location /.well-known/acme-challenge/ {
    # alias maps this location prefix onto the challenge directory.
    alias /var/www/letsencrypt/;
    # Only existing token files are served; anything else gets a plain 404.
    try_files $uri =404;
}

Тестирование

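# Probe file for the challenge path. Written with '>' rather than '>>' so a
# repeated test does not keep appending; remove it once the browser check
# below succeeds.
printf 'test\n' > /var/www/letsencrypt/test.txt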

И проверяем отдачу в браузере http://{{ domain }}/.well-known/acme-challenge/test.txt

Создание закрытого ключа, запроса сертификата и создание самого сертификата

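# Site private key. Generated inside a subshell with umask 077 so the file is
# created mode 0600 and is never world-readable, not even briefly.
(umask 077 && openssl genrsa 4096 > /root/letsencrypt/{{ domain }}.key)

# OpenSSL request config. The delimiter is quoted because the content is
# meant literally; the {{ ... }} markers are template placeholders, not
# shell expansions.
cat << 'EOF' > /root/letsencrypt/{{ domain }}.cfg
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C={{ country }}
O={{ organization }}
emailAddress={{ email }}
CN={{ domain }}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = {{ domain }}
DNS.2 = www.{{ domain }}
EOF

# CSR from the existing key and the config above. (-nodes was dropped: it
# only affects key generation and has no effect when -key is supplied.)
openssl req -new -sha256 -key /root/letsencrypt/{{ domain }}.key \
  -out /root/letsencrypt/{{ domain }}.csr \
  -config /root/letsencrypt/{{ domain }}.cfg

# Issue the certificate. Absolute path to acme_tiny.py so this does not
# depend on the current directory. The steps are chained with && so a failed
# issuance (empty or partial .new) never gets assembled into the .crt; the
# openssl x509 call refuses anything that is not a parseable certificate.
# Newer acme-tiny versions already print the full chain: if .new holds more
# than one certificate, skip the concatenation with the retired X3
# intermediate.
python /root/letsencrypt/acme_tiny.py --account-key /root/letsencrypt/account.key \
  --csr /root/letsencrypt/{{ domain }}.csr \
  --acme-dir /var/www/letsencrypt/ > /root/letsencrypt/{{ domain }}.new \
  && openssl x509 -noout -in /root/letsencrypt/{{ domain }}.new \
  && cat /root/letsencrypt/{{ domain }}.new \
       /root/letsencrypt/lets-encrypt-x3-cross-signed.pem > /root/letsencrypt/{{ domain }}.crt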

Скрипт обновления

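# Renewal script for cron. The heredoc delimiter is quoted so the $dir/$new
# references inside are written literally into the script rather than
# expanded now.
cat << 'EOF' > renew_cert.sh
#!/bin/bash
# Renews the {{ domain }} certificate with acme-tiny and reloads nginx.
# Run from cron, so every path is absolute: cron's working directory is not
# /root/letsencrypt, which is why a bare "acme_tiny.py" would fail there.
set -euo pipefail

dir=/root/letsencrypt
new="$dir/{{ domain }}.new"

python "$dir/acme_tiny.py" --account-key "$dir/account.key" \
  --csr "$dir/{{ domain }}.csr" \
  --acme-dir /var/www/letsencrypt/ > "$new"

# Refuse to install anything that is not a parseable certificate, so a failed
# or empty issuance never replaces the working .crt.
openssl x509 -noout -in "$new"

# Newer acme-tiny versions already print the full chain; if "$new" holds more
# than one certificate, drop the retired X3 intermediate from this line.
cat "$new" "$dir/lets-encrypt-x3-cross-signed.pem" > "$dir/{{ domain }}.crt"

# Validate the configuration first so a bad reload cannot take the site down.
nginx -t
service nginx reload
EOF
# Root-only and executable, since it reads the account key.
chmod 700 renew_cert.sh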