Obtaining a free Let's Encrypt SSL certificate with a shell script

The previous post used a PHP script to obtain the certificate:
[url]http://happysoul.iteye.com/blog/2390306[/url]

This time here is a shell + python script that needs far less setup. (The whole process needs internet access: the CA validates ownership by fetching a file from your site, so make sure the host is online and reachable.)

Files present locally before running:
[quote]
letsencrypt.conf
letsencrypt.sh
[/quote]

Excerpt of the run log:

root@localhost:~/acme_py# ./letsencrypt.sh letsencrypt.conf
Generate account key...
Generating RSA private key, 4096 bit long modulus
...........++
.........................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
..........................+++
................+++
e is 65537 (0x10001)
Generate CSR...domain.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying 隐藏.f3322.net...
隐藏.f3322.net verified!
Signing certificate...
Certificate signed!
New cert: domain.chained.crt has been generated


ls listing of the local files afterwards:
[quote]
account.key
acme_tiny.py
domain.chained.crt
domain.crt
domain.csr
domain.key
letsencrypt.conf
letsencrypt.sh
lets-encrypt-x3-cross-signed.pem
[/quote]

The script and the configuration file are pasted below: letsencrypt.sh first, then letsencrypt.conf.

letsencrypt.sh:

#!/bin/bash

# Usage: /etc/nginx/certs/letsencrypt.sh /etc/nginx/certs/letsencrypt.conf

CONFIG=$1
# acme_tiny.py is saved next to the config file (as in the ls listing above) instead
# of in the world-writable /tmp, because it is executed as root further down
ACME_TINY="acme_tiny.py"
DOMAIN_KEY=""

if [ -f "$CONFIG" ];then
    # the config only assigns variables (ACCOUNT_KEY, DOMAIN_KEY, DOMAIN_DIR, DOMAINS, ECC, LIGHTTPD)
    . "$CONFIG"
    DIRNAME=$(dirname "$CONFIG")
    cd "$DIRNAME" || exit 1
else
    echo "ERROR CONFIG."
    exit 1
fi

# every output file is named after the domain key: domain.key -> domain.csr, domain.crt, ...
KEY_PREFIX="${DOMAIN_KEY%%.*}"
DOMAIN_CRT="$KEY_PREFIX.crt"
DOMAIN_PEM="$KEY_PREFIX.pem"
DOMAIN_CSR="$KEY_PREFIX.csr"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"

# private keys are written inside a subshell with umask 077 so they end up mode 0600;
# the other files keep the normal umask
if [ ! -f "$ACCOUNT_KEY" ];then
    echo "Generate account key..."
    (umask 077; openssl genrsa 4096 > "$ACCOUNT_KEY") || exit 1
fi

if [ ! -f "$DOMAIN_KEY" ];then
    echo "Generate domain key..."
    if [ "$ECC" = "TRUE" ];then
        (umask 077; openssl ecparam -genkey -name secp256r1 | openssl ec -out "$DOMAIN_KEY") || exit 1
    else
        (umask 077; openssl genrsa 2048 > "$DOMAIN_KEY") || exit 1
    fi
fi

echo "Generate CSR...$DOMAIN_CSR"

# the CSR needs the SAN extension; openssl.cnf lives in different places on Debian and RedHat
OPENSSL_CONF="/etc/ssl/openssl.cnf"

if [ ! -f "$OPENSSL_CONF" ];then
    OPENSSL_CONF="/etc/pki/tls/openssl.cnf"
    if [ ! -f "$OPENSSL_CONF" ];then
        echo "Error, file openssl.cnf not found."
        exit 1
    fi
fi

# empty subject, all names go into subjectAltName (a [SAN] section is appended to the system config)
openssl req -new -sha256 -key "$DOMAIN_KEY" -subj "/" -reqexts SAN \
    -config <(cat "$OPENSSL_CONF" <(printf "[SAN]\nsubjectAltName=%s" "$DOMAINS")) > "$DOMAIN_CSR" || exit 1

# fetch the ACME client; TLS verification stays enabled because this file is executed as root below
wget -q https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py -O "$ACME_TINY" || exit 1

# keep the previous certificate in case renewal fails
if [ -f "$DOMAIN_CRT" ];then
    mv "$DOMAIN_CRT" "$DOMAIN_CRT-OLD-$(date +%y%m%d-%H%M%S)"
fi

# acme_tiny writes the http-01 challenge files here; the web server must serve this path
DOMAIN_DIR="$DOMAIN_DIR/.well-known/acme-challenge/"
mkdir -p "$DOMAIN_DIR"

if ! python "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$DOMAIN_CSR" --acme-dir "$DOMAIN_DIR" > "$DOMAIN_CRT"; then
    exit 1
fi

# intermediate certificate for the chain; the file name is pinned to the X3 intermediate of the time
if [ ! -f "lets-encrypt-x3-cross-signed.pem" ];then
    wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem || exit 1
fi

cat "$DOMAIN_CRT" lets-encrypt-x3-cross-signed.pem > "$DOMAIN_CHAINED_CRT"

if [ "$LIGHTTPD" = "TRUE" ];then
    # lighttpd wants key and certificate in one file, so this file must be private too
    (umask 077; cat "$DOMAIN_KEY" "$DOMAIN_CRT" > "$DOMAIN_PEM")
    echo -e "\e[01;32mNew pem: $DOMAIN_PEM has been generated\e[0m"
fi

echo -e "\e[01;32mNew cert: $DOMAIN_CHAINED_CRT has been generated\e[0m"

#service nginx reload


letsencrypt.conf:

# only modify the values, key files will be generated automatically.
# ACCOUNT_KEY: Let's Encrypt account key; DOMAIN_KEY: private key of the certificate
ACCOUNT_KEY="account.key"
DOMAIN_KEY="domain.key"
# web root of the site; the script creates .well-known/acme-challenge/ under it
DOMAIN_DIR="/www/"
# names the certificate should cover, in openssl subjectAltName syntax
DOMAINS="DNS:隐藏.f3322.net"
#ECC=TRUE        # generate a P-256 domain key instead of RSA 2048
#LIGHTTPD=TRUE   # also write key and certificate into a single .pem for lighttpd


If there are several domains, separate them with commas, for example:
[quote]
DOMAINS="DNS:ww1.f3322.net,DNS:ww2.f3322.net,DNS:ww3.f3322.net"
[/quote]
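Before pointing nginx at the new files, it is worth confirming that what letsencrypt.sh wrote is consistent. The following check is an added example, not code from the original post: it assumes the file names from letsencrypt.conf above and only needs openssl; the function names are mine.

```shell
#!/bin/sh
# Post-issuance consistency check (added example, not from the original script):
# does the certificate belong to DOMAIN_KEY, cover every name in DOMAINS, and
# still have time left? Needs only openssl; works for RSA and ECC domain keys.

# cert_key_match CRT KEY -> 0 if the certificate's public key is KEY's public key
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_sans CRT -> DNS names from the certificate's subjectAltName, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# sans_cover CRT DOMAINS -> 0 if every DNS:name in a letsencrypt.conf DOMAINS value
# (comma separated, e.g. "DNS:ww1.f3322.net,DNS:ww2.f3322.net") is in the certificate
sans_cover() {
    [ -n "$2" ] || return 1
    have=$(cert_sans "$1")
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$have" | grep -qxF "${entry#DNS:}" || return 1
    done
    return 0
}

# expires_within CRT DAYS -> 0 if the certificate will have expired DAYS days from now
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_cert KEY CRT DOMAINS -> prints one line per check, returns 0 only if all pass
check_cert() {
    ok=0
    cert_key_match "$2" "$1" && echo "key matches certificate" || { echo "KEY MISMATCH"; ok=1; }
    sans_cover "$2" "$3" && echo "all DOMAINS covered" || { echo "SAN MISSING for $3"; ok=1; }
    expires_within "$2" 30 && { echo "EXPIRES within 30 days"; ok=1; } || echo "validity ok"
    return $ok
}

# run it on the files produced by letsencrypt.sh, with the DOMAINS value from letsencrypt.conf:
# check_cert domain.key domain.chained.crt "DNS:ww1.f3322.net,DNS:ww2.f3322.net"
```

Only the first certificate in domain.chained.crt (the leaf) is read, so the check is unaffected by the appended intermediate.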

What remains is configuring the certificate in nginx; see the previous post.

Finally, the script together with the downloaded py and pem files it uses are attached for reference.