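# One-time setup: a working directory for keys/CSRs, the ACME webroot served by
# nginx, the acme-tiny client and the Let's Encrypt chain certificates.
# -p makes the step re-runnable; the working directory holds private keys, so
# keep it out of reach of other local users.
mkdir -p /root/letsencrypt /var/www/letsencrypt
chmod 700 /root/letsencrypt
cd /root/letsencrypt || exit 1
# acme-tiny runs as root in this guide; it only needs the account key and write
# access to the webroot, so a dedicated unprivileged user is the safer setup.
# "master" is a moving target: pin a release tag/commit and compare the file
# against a known checksum before executing it
#   (sha256sum /root/letsencrypt/acme_tiny.py -> <EXPECTED_SHA256_PLACEHOLDER>).
wget -O /root/letsencrypt/acme_tiny.py \
  https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
# The account key identifies this host to the CA. Scope the restrictive umask to
# the key generation only (subshell): acme-tiny later writes challenge files into
# the webroot and those must stay readable by the nginx worker.
(umask 077; openssl genrsa 4096 > /root/letsencrypt/account.key)
# Intermediate (nginx must serve this together with the leaf) and the root that
# cross-signed it (only needed for ssl_trusted_certificate / OCSP stapling).
# NOTE(review): Let's Encrypt has since retired the X3 chain — check
# https://letsencrypt.org/certs/ for the intermediate currently in use.
wget -O /root/letsencrypt/lets-encrypt-x3-cross-signed.pem \
  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
wget -O /root/letsencrypt/trustid-x3-root.pem \
  https://letsencrypt.org/certs/trustid-x3-root.pem.txt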
Добавить в секцию server в настройках виртуального хоста в nginx
# ACME http-01 challenge files are served straight from the webroot directory;
# any path under this prefix that does not exist is answered with 404 rather
# than falling through to the site's own handlers.
location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/;
    try_files $uri =404;
}
Перезапустить nginx
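# Validate the configuration before restarting: an unvalidated restart on a
# broken config leaves nginx down instead of merely refusing the change.
nginx -t && systemctl restart nginx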
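# Probe file for the browser check (overwrite, not append, so repeated runs do
# not grow it). Remove it once the check succeeds: the directory is reachable
# from the internet and should only hold live challenge files.
printf 'test\n' > /var/www/letsencrypt/test.txt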
И проверяем отдачу в браузере http://{{ domain }}/.well-known/acme-challenge/test.txt
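# Per-domain private key, CSR and first issuance.
# The umask is scoped to the key generation (subshell) so the challenge files
# acme-tiny writes into the webroot stay readable by nginx.
(umask 077; openssl genrsa 4096 > "/root/letsencrypt/{{ domain }}.key")
# OpenSSL request config: SANs for the apex and www names; prompt=no keeps it
# scriptable. Quoted delimiter: nothing inside is expanded by the shell.
cat <<'EOF' > "/root/letsencrypt/{{ domain }}.cfg"
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C={{ country }}
O={{ organization }}
emailAddress={{ email }}
CN={{ domain }}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = {{ domain }}
DNS.2 = www.{{ domain }}
EOF
openssl req -new -sha256 -nodes \
  -key "/root/letsencrypt/{{ domain }}.key" \
  -config "/root/letsencrypt/{{ domain }}.cfg" \
  -out "/root/letsencrypt/{{ domain }}.csr"
# The client is addressed absolutely so this does not depend on the cwd left by
# an earlier cd. The chain is only assembled on success (&&): a failed run would
# otherwise leave an empty .new and a .crt that nginx cannot load.
# Clients need leaf + intermediate to validate; the intermediate downloaded
# during setup was never used and only the root was appended. The root is kept
# as well so the same file also works as ssl_trusted_certificate (OCSP
# stapling). NOTE(review): if this acme_tiny version already emits the full
# chain, the extra intermediate copy is presumably redundant — confirm with
# `openssl crl2pkcs7 -nocrl -certfile <crt> | openssl pkcs7 -print_certs -noout`.
python /root/letsencrypt/acme_tiny.py \
  --account-key /root/letsencrypt/account.key \
  --csr "/root/letsencrypt/{{ domain }}.csr" \
  --acme-dir /var/www/letsencrypt/ > "/root/letsencrypt/{{ domain }}.new" \
&& cat "/root/letsencrypt/{{ domain }}.new" \
       /root/letsencrypt/lets-encrypt-x3-cross-signed.pem \
       /root/letsencrypt/trustid-x3-root.pem > "/root/letsencrypt/{{ domain }}.crt"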
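# Renewal script for cron. Quoted delimiter: nothing is expanded at creation
# time; every variable is resolved when the script itself runs.
cat <<'EOF' > /root/letsencrypt/renew_cert.sh
#!/bin/bash
# Renew the certificate for {{ domain }} and reload nginx only on success.
set -euo pipefail
dir=/root/letsencrypt
# Cron does not start in $dir, so the client and all files are addressed
# absolutely instead of relying on the working directory.
python "$dir/acme_tiny.py" \
  --account-key "$dir/account.key" \
  --csr "$dir/{{ domain }}.csr" \
  --acme-dir /var/www/letsencrypt/ > "$dir/{{ domain }}.new" || exit 1
# Leaf + intermediate (+ root, for ssl_trusted_certificate). Assemble next to
# the live file and swap with a rename so nginx never reads a half-written cert.
cat "$dir/{{ domain }}.new" \
    "$dir/lets-encrypt-x3-cross-signed.pem" \
    "$dir/trustid-x3-root.pem" > "$dir/{{ domain }}.crt.tmp"
mv -f "$dir/{{ domain }}.crt.tmp" "$dir/{{ domain }}.crt"
# Validate before reloading: a bad chain must not take the site down.
nginx -t && service nginx reload
EOF
# Only root needs to run (or read) the renewal script.
chmod 700 /root/letsencrypt/renew_cert.sh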