需要预先将要申请 SSL 证书的域名解析到本服务器(签发时 Let's Encrypt 会通过 HTTP 访问该域名下的 /.well-known/acme-challenge/ 来验证域名控制权)。此方法完全通过 API 实现,好处是绿色无污染,不需要注册账号,不会泄露私人信息。
环境为 debian7+apache

apt-get install apache2
a2enmod rewrite
a2enmod ssl
apt-get install php5 php-pear
vi /etc/apache2/sites-enabled/000-default
---------------------------000-default------------------------
Alias /.well-known/acme-challenge/ /var/www/challenges/
--------------------------------------------------------------
mkdir /var/www/challenges
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl genrsa 4096 > account.key
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:domain.com,DNS:www.domain.com")) > domain.csr
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
--------------------------------------------------------------
注:用重定向生成的 account.key 和 domain.key 的权限取决于当前 umask,可能被其他用户读取;生成后应执行 chmod 600 account.key domain.key,并确保 /etc/apache2/ssl 目录只有 root 可访问。account.key 可以代表该 ACME 账户签发和吊销证书,需要和域名私钥同等保护。
注:acme_tiny.py 是直接从 master 分支下载的,并且以 root 身份运行、能读取 account.key;运行前应先通读脚本,并改为下载一个已审阅过的固定 commit,而不是每次都取 master 上的最新内容。
注:上面的 X3 交叉签名中间证书已经比较旧,使用前请在 letsencrypt.org 的证书链页面确认当前有效的中间证书。
a2ensite default-ssl
------------------default-ssl---------------------------------
SSLCertificateFile /etc/apache2/ssl/signed.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.pem
--------------------------------------------------------------
vi /etc/apache2/ssl/renew.sh
------------------------------renew.sh-------------------------
#!/bin/bash
cd /etc/apache2/ssl
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
/etc/init.d/apache2 reload
--------------------------------------------------------------
注:renew.sh 里的 "> ./signed.crt" 会在 acme_tiny.py 运行之前就把旧证书清空,续期失败时虽然 "|| exit" 阻止了 reload,但磁盘上只剩一个空的 signed.crt,下次 apache 重启就会启动失败;更稳妥的做法是先输出到临时文件,成功后再 mv 覆盖 signed.crt。另外 renew.sh 需要有可执行权限(chmod +x)才能被 cron 直接调用。
crontab -e
------------------crontab--------------------------------
0 0 1 * * /etc/apache2/ssl/renew.sh >/dev/null 2>&1
--------------------------------------------------------------
注:这条 crontab 把所有输出都丢弃了,续期失败时不会有任何提示;建议把输出写入日志文件,或另行监控证书的到期时间。
nginx设置
location /.well-known/acme-challenge/ { alias /var/www/challenges/; }
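cat signed.crt intermediate.pem > mysite.crt #合并证书

nginx配置
ssl_certificate /root/bin/nginx/conf/custom/cert/mysite.crt;
ssl_certificate_key /root/bin/nginx/conf/custom/cert/zorelworld.key;
注:ssl_certificate_key 指向的必须是生成 domain.csr 时使用的那把私钥(即上文的 domain.key),否则证书和私钥不匹配,nginx 无法加载;私钥文件应只允许 root 读取。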