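Installing Let's Encrypt on Ubuntu 14

An old server runs some services that cannot be upgraded, and installing a certificate on it took yet another round of searching, so the steps are recorded here for future reference.

Environment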

root@server:~# lsb_release -a
###
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.6 LTS
Release:	14.04
Codename:	trusty

root@server:~# apache2 -v
Server version: Apache/2.4.33 (Ubuntu)
Server built:   2018-03-27T00:00:00

Install acme.sh

root# git clone https://gitee.com/neilpang/acme.sh.git
root# cd acme.sh
root# ./acme.sh --install -m a@a.com

Check the version

root# acme.sh -v
https://github.com/acmesh-official/acme.sh
v3.0.5

Register

Switch to Let's Encrypt

root# acme.sh --set-default-ca --server letsencrypt

[Mon Apr 22 23:12:29 CST 2024] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

Alibaba Cloud

Add an account and grant it DNS permissions.

Obtain the AccessKey ID and AccessKey Secret:

AccessKey ID: LTAI5tRo8******pqQ76AU5

AccessKey Secret: e3IyFZA********tmmS4yePvxu

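Issue the certificate

Set the environment variables

root# export Ali_Key="LTAI5tRo8******pqQ76AU5" && export Ali_Secret="e3IyFZA********tmmS4yePvxu"

Issue

# Quote the wildcard name so the shell does not expand it as a glob
acme.sh --issue --dns dns_ali -d a.com -d '*.a.com'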

Check the domain

acme.sh --info -d a.com -d '*.a.com'
[Tue Apr 23 10:10:26 CST 2024] The domain 'a.com' seems to have a ECC cert already, lets use ecc cert.
DOMAIN_CONF=/root/.acme.sh/a.com_ecc/a.com.conf
Le_Domain=a.com
Le_Alt=*.a.com
Le_Webroot=dns_ali
Le_PreHook=
Le_PostHook=
Le_RenewHook=
Le_API=https://acme-v02.api.letsencrypt.org/directory
Le_Keylength=ec-256
Le_OrderFinalize=https://acme-v02.api.letsencrypt.org/acme/finalize/1687079077/******337
Le_RealCertPath=/usr/local/ssl/acme/a.com/cert.pem
Le_RealCACertPath=
Le_RealKeyPath=/usr/local/ssl/acme/a.com/key.pem
Le_ReloadCmd=sudo service apache2 force-reload
Le_RealFullChainPath=/usr/local/ssl/acme/a.com/fullchain.pem
Le_LinkOrder=https://acme-v02.api.letsencrypt.org/acme/order/1687079077/******337
Le_LinkCert=https://acme-v02.api.letsencrypt.org/acme/cert/04fe******803845c24aed2c3dc
Le_CertCreateTime=1713837357
Le_CertCreateTimeStr=2024-04-23T01:55:57Z
Le_NextRenewTimeStr=2024-06-21T01:55:57Z
Le_NextRenewTime=1718934957

Install the certificate

acme.sh --install-cert -d a.com -d '*.a.com' \
--cert-file      /usr/local/ssl/acme/a.com/cert.pem  \
--key-file       /usr/local/ssl/acme/a.com/key.pem  \
--fullchain-file /usr/local/ssl/acme/a.com/fullchain.pem \
--reloadcmd     "sudo service apache2 force-reload"

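Configure Apache

Set the certificate files in the configuration file

# site-enabled/a.com.conf
SSLCertificateFile /usr/local/ssl/acme/a.com/cert.pem
SSLCertificateKeyFile /usr/local/ssl/acme/a.com/key.pem
# SSLCertificateChainFile is deprecated since Apache 2.4.8; SSLCertificateFile can point at fullchain.pem instead
SSLCertificateChainFile /usr/local/ssl/acme/a.com/fullchain.pem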

Automatic certificate renewal

56 * * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
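
A check for stalled renewals, added here as an example (not part of the original post or of acme.sh): it parses the key=value output of acme.sh --info shown above and reports whether Le_NextRenewTime has passed without a renewal and whether the certificate came from the Let's Encrypt directory. The function names, the one-day grace period and the --live switch are assumptions; the sample input is constructed from the output above.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Constructed sample: a subset of the `acme.sh --info` output shown above.
SAMPLE_INFO='Le_Domain=a.com
Le_Alt=*.a.com
Le_API=https://acme-v02.api.letsencrypt.org/directory
Le_CertCreateTime=1713837357
Le_NextRenewTime=1718934957'

# get_field KEY: print the first value of KEY from key=value lines on stdin.
get_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# issued_by_letsencrypt INFO: succeed only if Le_API is the directory URL
# that `--set-default-ca --server letsencrypt` selected above.
issued_by_letsencrypt() {
    api=$(printf '%s\n' "$1" | get_field Le_API)
    [ "$api" = "https://acme-v02.api.letsencrypt.org/directory" ]
}

# renew_status INFO NOW [GRACE]: print ok, overdue or unknown.
# "overdue" means NOW is more than GRACE seconds (assumed default: one day)
# past Le_NextRenewTime, i.e. the cron job has not renewed on schedule.
renew_status() {
    info=$1 now=$2 grace=${3:-86400}
    next=$(printf '%s\n' "$info" | get_field Le_NextRenewTime)
    case $next in
        ''|*[!0-9]*) echo unknown; return 2 ;;   # missing or non-numeric
    esac
    if [ "$now" -gt $((next + grace)) ]; then
        echo overdue; return 1
    fi
    echo ok
}

# Live use on the server: sh check.sh --live a.com
if [ "${1:-}" = "--live" ]; then
    info=$(acme.sh --info -d "$2")
    issued_by_letsencrypt "$info" || echo "warning: unexpected CA for $2"
    renew_status "$info" "$(date +%s)"
fi
```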
