
Automating SSL Certificate Configuration Updates with ACME

Popularity: 921 / 2024-10-10 14:15:21

I recently received a notice from Tencent Cloud that an SSL certificate was about to expire. When I went to reapply, I found that free SSL certificates are now valid for only 90 days, so I looked into the reason: leading international technology companies, including Google, have been promoting a proposal for 90-day validity of free certificates. Free certificates have a low encryption level, which makes it difficult to cope with today's increasingly complex network environment, and renewing every 90 days helps identify possible security vulnerabilities in a timely manner, thus reducing risk. That is all well and good, but it is a pain for us IT people. Fortunately, there are automated SSL certificate renewal tools: acme can apply for an SSL certificate with one command and renews it automatically when it is about to expire, which saves a lot of trouble.


Install acme

First, download and install acme, changing the email at the end of the command to your own so that you receive SSL certificate related messages. acme will be installed into the ~/./ directory.

curl <acme-install-script-url> | sh -s email=<your-email>

Modify SSL Certificate Service Provider

The default SSL certificate provider is ZeroSSL, whose application process is more prone to errors, so it is recommended to switch to letsencrypt.

<acme-client> --set-default-ca --server letsencrypt

Certificate Application

The certificate application process requires domain name verification. acme supports two verification methods, http verification and dns verification; here we use dns verification. With dns verification, the CNAME record can be added manually or through the api provided by the dns vendor. The latter is more convenient, and many dns service providers offer such an api. Here we take dnspod as an example.

Apply for DNSAPI

Log in to DNSPod and create a DNSPod Token (an API key). Save the key as soon as it is created, because it cannot be queried again later.

Configuring DNSAPI

Import the ID and Token of the DNSPod Token created in the previous step into environment variables:

export DP_Id="511111"
export DP_Key="2d111111111"

Execution of application operations

Use the issue command to apply for a certificate. The -d parameter specifies the domain name to apply for: *. denotes a wildcard (pan-domain) name, and a root domain or a single domain can be given as well. Note that you need to check whether the SSL certificate provider chosen in the previous step supports wildcard certificates; if it does not, you have to repeat this step several times to obtain multiple SSL certificates. letsencrypt does support wildcard certificates. The --dns parameter specifies the dns service provider; before running the command, make sure the environment variables from the previous step were imported correctly (you can check the contents of the file in the ~/./ directory to confirm). When the command runs, the CNAME record is added and verified automatically through the dns api, and once verification passes the requested certificate is generated in the ~/./ directory.
Pay attention to the output during the application process; when something goes wrong, add the --debug parameter to output more information for troubleshooting.

<acme-client> --issue -d <domain> -d *.<domain> --dns dns_dp

Certificate Installation

A successfully issued certificate still has to be installed to the location where the server expects it, using the --install-cert command; nginx is used as the example here. The -d parameter specifies the domain name and must correspond to the certificate being installed. --key-file specifies where the certificate's private key is installed, --fullchain-file specifies where the certificate chain file is installed, and --reloadcmd specifies the command that restarts or reloads the application once the files are in place. On success the command reports success, and you can verify the result by visiting your own domain. An automated task, "/root/./<acme-client>" --cron --home "/root/." > /dev/null, is also added to renew the SSL certificate at regular intervals; you can view it with the crontab -l command.

<acme-client> --install-cert -d <domain> \
	--key-file       /usr/local/nginx/conf/cert/<key-file>  \
	--fullchain-file /usr/local/nginx/conf/cert/<fullchain-file> \
	--reloadcmd     "/usr/local/nginx/sbin/nginx -s reload"
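After --install-cert and the nginx reload, it is worth checking that the key and certificate that landed on disk actually belong together and that the 90-day clock has not run down. The script below is an added example, not part of the original post or of acme; it assumes the openssl CLI is available and builds a throw-away self-signed key and certificate (constructed for this example) to exercise the checks.

```sh
#!/bin/sh
# Added example (not from the original post): post-install checks for a
# certificate deployed by an ACME client. Assumes the openssl CLI is installed;
# the key/certificate below are constructed for this example only.

# Print the number of whole days until the certificate file in $1 expires.
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_epoch=$(date -d "$end" +%s 2>/dev/null \
    || date -j -f '%b %e %T %Y %Z' "$end" +%s)   # GNU date, then BSD/macOS fallback
  echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# Succeed only when the private key in $2 belongs to the certificate in $1,
# i.e. both carry the same public key (compared via SHA-256 of the PEM public key).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed when the certificate in $1 still has at least $2 days left
# (default 30, the usual renewal threshold for 90-day certificates).
check_renewal() {
  [ "$(cert_days_left "$1")" -ge "${2:-30}" ]
}

# Constructed sample: a throw-away self-signed 90-day certificate and key,
# plus an unrelated key to exercise the mismatch case.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=example.test' \
  -keyout "$TMP/key.pem" -out "$TMP/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$TMP/other.pem" 2>/dev/null

# Typical use after --install-cert: treat the deployment as healthy only if the
# deployed key matches the certificate and renewal is not overdue.
if cert_matches_key "$TMP/cert.pem" "$TMP/key.pem" \
   && check_renewal "$TMP/cert.pem" 30; then
  echo "ok: $(cert_days_left "$TMP/cert.pem") days left, key matches certificate"
else
  echo "FAIL: key/certificate mismatch or renewal overdue" >&2
fi
```

Point the three functions at the real files from the --key-file and --fullchain-file paths to check a live deployment.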

Related URLs

acme Instructions for use
dnsapi Usage Notes