Use acme.sh to renew HTTPS certificates automatically on a regular basis


About Let's Encrypt and acme.sh

Let's Encrypt is a free, automated, and open Certificate Authority.

acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.

Installing and using acme.sh

  • Installation command

    curl https://get.acme.sh | sh

  • Generate an SSL certificate

I use the webroot method. For other methods, please refer to the acme.sh GitHub repository.

    acme.sh --issue -d blog.lomot.cn --webroot /var/www/blog.lomot.cn/

  • Copy the certificate into place

    acme.sh --installcert -d blog.lomot.cn --key-file /etc/nginx/ssl/blog.lomot.cn.key --fullchain-file /etc/nginx/ssl/blog.lomot.cn.cer --reloadcmd "service nginx force-reload"

  • Apply the certificate in the web server

Only the nginx configuration is shown here.

For example, if the site is blog.lomot.cn, add the following to /etc/nginx/nginx.conf:

    server {
        listen 80;
        server_name blog.lomot.cn;
        # Redirect every plain-HTTP request to HTTPS. Let's Encrypt follows this
        # redirect during http-01 validation, so /.well-known/acme-challenge/ from
        # the webroot must remain reachable after the redirect, or renewals fail.
        rewrite ^(.*)$  https://$host$1 permanent;

        #location / {
        #    proxy_set_header   X-Real-IP $remote_addr;
        #    proxy_set_header   Host      $http_host;
        #    proxy_pass         http://www.lomot.cn;
        #    proxy_set_header REMOTE-HOST $remote_addr;
        #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #}
    }

    server {
        # "listen 443 ssl" replaces the "ssl on" directive, which is deprecated
        # since nginx 1.15.0 and has been removed from current releases
        listen 443 ssl;
        server_name blog.lomot.cn;
        #rewrite ^(.*)$  http://www.lomot.cn permanent;

        # Paths must match the --installcert command above
        ssl_certificate  /etc/nginx/ssl/blog.lomot.cn.cer;
        ssl_certificate_key /etc/nginx/ssl/blog.lomot.cn.key;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   Host      $http_host;
            proxy_pass         http://45.32.10.206;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Automatic certificate renewal

At present, the certificate is renewed automatically after 60 days; no action on your part is needed. This interval may be shortened in the future, but renewal will still be automatic, so you don't need to worry about it.
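The --installcert command above runs its --reloadcmd unconditionally after every renewal, so a damaged or mismatched certificate would be picked up by the next reload with nobody watching. The hook below is an added example, not part of acme.sh or of the original post: it checks that the installed certificate matches the key, that it is not about to expire, and that the nginx configuration parses before reloading. It assumes the file paths from the --installcert command above and a hypothetical install location of /usr/local/bin/nginx-safe-reload, used as --reloadcmd "/usr/local/bin/nginx-safe-reload run".

```shell
#!/bin/sh
# nginx-safe-reload: verify the certificate acme.sh just installed before reloading nginx.
# Added example, not part of acme.sh. Default paths are the ones used in --installcert above.
CERT="${CERT:-/etc/nginx/ssl/blog.lomot.cn.cer}"
KEY="${KEY:-/etc/nginx/ssl/blog.lomot.cn.key}"

# Succeeds only if the public key inside the certificate matches the private key.
# Both commands print the SubjectPublicKeyInfo as PEM, so the text can be compared directly.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate stays valid for at least $2 more seconds
# (openssl -checkend exits non-zero when the certificate expires within that window).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run the checks, then a config test, and reload only when everything passes.
safe_reload() {
    cert_matches_key "$CERT" "$KEY" || { echo "refusing reload: key does not match $CERT" >&2; return 1; }
    cert_valid_for "$CERT" 86400 || { echo "refusing reload: $CERT expires within 24h" >&2; return 1; }
    nginx -t || { echo "refusing reload: nginx -t failed" >&2; return 1; }
    service nginx force-reload
}

# Only act when invoked as "nginx-safe-reload run", so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    safe_reload
fi
```

A non-zero exit from the hook makes acme.sh report the install/renewal as failed, which is the signal to inspect the files instead of serving a broken site.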

Update acme.sh

At present, the ACME protocol and the Let's Encrypt CA change frequently, so acme.sh is also updated frequently to keep up with them.

Upgrade acme.sh to the latest version:

    acme.sh --upgrade

If you don't want to upgrade manually, you can turn on automatic upgrades:

    acme.sh --upgrade --auto-upgrade

After that, acme.sh will keep itself up to date automatically.

You can also turn off automatic upgrades at any time:

    acme.sh --upgrade --auto-upgrade 0

Reference

For detailed tutorials, please refer to the acme.sh GitHub repository:
https://github.com/Neilpang/acme.sh

Tags: Nginx SSL github curl

Posted on Mon, 04 May 2020 11:54:04 -0700 by carydean