mkdir /root/letsencrypt /var/www/letsencrypt cd /root/letsencrypt wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py openssl genrsa 4096 > /root/letsencrypt/account.key wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem wget -O trustid-x3-root.pem https://letsencrypt.org/certs/trustid-x3-root.pem.txt
Добавить в секцию server в настройках виртуального хоста в nginx
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
try_files $uri =404;
}
Перезапустить nginx
systemctl restart nginx
echo "test" >> /var/www/letsencrypt/test.txt
И проверяем отдачу в браузере http://{{ domain }}/.well-known/acme-challenge/test.txt
openssl genrsa 4096 > /root/letsencrypt/{{ domain }}.key
cat << EOF > /root/letsencrypt/{{ domain }}.cfg
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C={{ country }}
O={{ organization }}
emailAddress={{ email }}
CN={{ domain }}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = {{ domain }}
DNS.2 = www.{{ domain }}
EOF
openssl req -new -sha256 -key /root/letsencrypt/{{ domain }}.key \
-nodes -out /root/letsencrypt/{{ domain }}.csr \
-config /root/letsencrypt/{{ domain }}.cfg
python acme_tiny.py --account-key /root/letsencrypt/account.key \
--csr /root/letsencrypt/{{ domain }}.csr \
--acme-dir /var/www/letsencrypt/ > /root/letsencrypt/{{ domain }}.new
cat /root/letsencrypt/{{ domain }}.new \
/root/letsencrypt/trustid-x3-root.pem > /root/letsencrypt/{{ domain }}.crt
cat << EOF > renew_cert.sh
#!/bin/bash
python acme_tiny.py --account-key /root/letsencrypt/account.key \
--csr /root/letsencrypt/{{ domain }}.csr \
--acme-dir /var/www/letsencrypt/ > /root/letsencrypt/{{ domain }}.new || exit
cat /root/letsencrypt/{{ domain }}.new \
/root/letsencrypt/trustid-x3-root.pem > /root/letsencrypt/{{ domain }}.crt
service nginx reload
EOF