
How to request a LetsEncrypt certificate with Acme – CloudSavvy IT




LetsEncrypt changed the world of SSL certificates: by offering free, short-lived certificates it enabled a large number of individuals and businesses to secure their web applications at no cost. A service like this needs the right infrastructure behind it, and a variety of client applications have been created to handle the work of requesting and installing certificates.

The most common of these clients is Certbot, which works well, but another open-source option is acme.sh. It is an ACME client written entirely in shell (ACME being the protocol LetsEncrypt uses to issue certificates), and with its many integrated functions it supports quite complex configurations.

The easiest way to install acme.sh is the one-liner below, which downloads the installer from get.acme.sh and runs it. The installer fetches the script itself from

https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh

and then runs acme.sh --install.

  curl https://get.acme.sh | sh

Piping a download straight into sh means executing code you have not looked at. If that bothers you, fetch the installer to a file first, read it, and only then run it; the repository URL above is where you can check what the script actually does.

The installation copies the files to ~/.acme.sh, adds a line to ~/.bashrc that defines the acme.sh alias, and installs a cron job if cron is available.


Getting Started

Much of how you use acme.sh depends on the validation method you choose and on the application you are requesting the certificate for. Acme.sh offers many different ways to actually request a certificate.

In this article I will demonstrate two of them. I am adding web server configurations for NGINX and Apache that use the Webroot method, where the challenge is answered by a file under /.well-known/acme-challenge/ in the document root. The DNS method instead uses the DNS provider's API to create a TXT record that validates the domain, so nothing has to be placed on the filesystem at all.

Web server configuration

NGINX LetsEncrypt configuration

NGINX makes this easy: create a shared snippet for the Webroot method and include it in every server block that listens on port 80, since LetsEncrypt fetches the HTTP-01 challenge over plain HTTP. LetsEncrypt follows redirects, so an HTTP-to-HTTPS redirect is fine as long as the HTTPS server block includes the same snippet.

letsencrypt.conf

It is recommended to create a standalone configuration that can be included as needed in the vhost configurations with include /etc/nginx/letsencrypt.conf; The challenge files are served from the server block's root, which must be the same directory you later pass to acme.sh with -w.

  # Rule for legitimate ACME challenge requests (like /.well-known/acme-challenge/xxxxxxxxx).
  # We use ^~ here so that no other regular-expression locations are checked (for speed).
  # We actually need to stop the other regex checks, since our other configuration files
  # have regex rules that deny access to dot-files, which would otherwise block this path.
  location ^~ /.well-known/acme-challenge/ {
      # Set the correct content type. The current specification requires "text/plain"
      # or no Content-Type header at all, so "text/plain" is a safe option.
      default_type "text/plain";
  }

  # A request for the directory itself (trailing slash, no token) returns 404.
  location = /.well-known/acme-challenge/ {
      return 404;
  }

Apache

Similar to NGINX, Apache can use a separate configuration file. An example is shown below.

/etc/apache2/conf-available/letsencrypt.conf

In this case the Apache configuration is specific to the virtual host, because it has to name the location on disk. The following uses a common document root, but yours may differ. The Alias maps the challenge path to that directory, and the directives inside the Directory block apply to it; the challenge files are plain static text, so nothing more than Options None is strictly needed, although the permissive set below also works. On Debian-style layouts, enable the file with a2enconf letsencrypt and reload Apache.

  Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
  <Directory "/var/www/html/.well-known/acme-challenge/">
      AllowOverride None
      Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      Require method GET POST OPTIONS
  </Directory>

DNS Configuration

In this article I demonstrate DNS mode with Cloudflare because it propagates DNS changes extremely fast and works exceptionally well with this method.

Acme.sh's dns_cf method reads two environment variables: CF_Key and CF_Email, the account's Global API Key and login e-mail. Be aware that the Global API Key grants full control of the entire Cloudflare account. Current acme.sh versions also accept a scoped API token via CF_Token (together with CF_Account_ID, and optionally CF_Zone_ID) that is limited to editing DNS in the relevant zone; that is the safer choice for a credential that lives on a web server.

A leading space only keeps a command out of shell history when you type it interactively and HISTCONTROL includes ignorespace; lines sourced from .bashrc are never written to history in any case. You also do not need to keep the keys in .bashrc at all: export them once in the shell before the first --issue, and acme.sh saves them to ~/.acme.sh/account.conf on success and reads them from there for renewals. Make sure that file is readable only by the user running acme.sh.

  export CF_Key="#########..."
  export CF_Email="cfaccount@email.com"

Issuing a certificate using the Webroot method

When issuing the following command, two host names are placed in a single certificate. This ensures that whichever name is requested (one is usually redirected to the canonical one), the connection is protected by a valid certificate. The first -d becomes the certificate's primary name and the name of the directory acme.sh stores it in; the -w path must be the document root from which the web server configuration above serves /.well-known/acme-challenge/.

  acme.sh --issue -d example.com -d www.example.com -w /var/www/html

Issued certificates are stored under ~/.acme.sh/<domain_name>/ (current acme.sh versions default to ECC keys and use ~/.acme.sh/<domain_name>_ecc/). Do not point the web server at these files directly; acme.sh --install-cert copies them to a location of your choosing and can run a reload command after every renewal.

Issuing a certificate via the DNS method

When using the DNS issuing method, a temporary TXT record named _acme-challenge.<domain> is created via the Cloudflare API, LetsEncrypt checks the domain against that record, and acme.sh removes it afterwards. This is a cleaner method because no Webroot configuration is required and the host does not even need to be reachable on port 80; it is also the only challenge type that can issue wildcard certificates.

  # Multiple domains
acme.sh --issue --dns dns_cf -d example.com -d www.example.com
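To see what acme.sh is actually publishing in the two modes above, here is an added example (Python, not code from the article or from acme.sh) that computes the HTTP-01 file contents and the DNS-01 TXT value defined in RFC 8555 from a challenge token and the ACME account key. The account key is the RSA example public key from RFC 7638, used here purely as a constructed test input; the token is a constructed value of the form the RFC 8555 examples use, and example.com is a placeholder.

```python
"""ACME challenge responses (RFC 8555) computed from a token and an account key."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (RSA: e, kty, n; EC: crv, kty, x, y), keys sorted,
    no whitespace. Optional members such as "alg" or "kid" must be ignored,
    which is why the object is rebuilt instead of hashing the input as given."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    canonical = {k: jwk[k] for k in required[kty]}
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the HTTP-01 file must contain: <token>.<account key thumbprint>.
    The thumbprint binds the answer to the account key, so someone who can
    write files into the web root but does not hold the key cannot answer."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """What the _acme-challenge TXT record must contain:
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_targets(domain: str, token: str, jwk: dict) -> dict:
    """Where each challenge type is checked and the value expected there."""
    return {
        "http01_url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "http01_body": key_authorization(token, jwk),
        "dns01_name": f"_acme-challenge.{domain}",
        "dns01_txt": dns01_txt_value(token, jwk),
    }


# Constructed inputs: the RSA public key from RFC 7638 Section 3.1 and a
# made-up token. Neither belongs to a real ACME account; a real token is
# chosen by the CA for each authorization.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": (
        "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhW"
        "x4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjB"
        "ZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_"
        "RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8"
        "KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNL"
        "yrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_"
        "xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"
    ),
    "e": "AQAB",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for name, value in challenge_targets("example.com", SAMPLE_TOKEN, SAMPLE_JWK).items():
        print(f"{name:12} {value}")
```

This is useful as a pre-flight check rather than as a replacement for the client: acme.sh --debug prints the token it received, and its account key is the one under ~/.acme.sh. For the Webroot method, curl http://example.com/.well-known/acme-challenge/<token> must return exactly the http01_body string; for the DNS method, dig +short TXT _acme-challenge.example.com must show the dns01_txt value (quoted) while validation is in progress. Note that the TXT value is a hash, so the key authorization itself never appears in public DNS.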

Issued certificates again land under ~/.acme.sh/<domain_name>/ (or ~/.acme.sh/<domain_name>_ecc/ for ECC keys).

Renewing certificates

By default acme.sh creates a cron job like the following entry, which runs once a day and renews every managed certificate that is due:

  48 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

To force a renewal ahead of schedule, run --renew with --force; without it acme.sh skips a certificate that is not yet due. The validation method (and the webroot or DNS provider) used at issue time is recorded in the domain's .conf file under ~/.acme.sh and reused, so it does not need to be repeated:

  acme.sh --renew -d example.com -d www.example.com --force

Removing certificates

If you no longer want to renew a certificate, you can easily remove it from acme.sh's renewal list. This does not delete the certificate files from disk; to do that, remove the certificate's directory under ~/.acme.sh/. Nor does it revoke the certificate: if the private key may have been exposed, run acme.sh --revoke -d example.com before removing it.

  acme.sh --remove -d example.com -d www.example.com

In this way, certificates set up for renewal can be cleaned up. You can verify the result by listing the certificates acme.sh still manages:

  acme.sh --list

Conclusion

LetsEncrypt offers an excellent and user-friendly service for issuing certificates for use on websites, and building a secure website is easier than ever. With the acme.sh client you have full control over how this happens on your web server.

Having a number of different ways to obtain a certificate, including the DNS method that works without exposing a web root and can validate against a delegated challenge domain, means the required certificates can be retrieved correctly in almost any setup.

