Using acmephp to automatically generate a free SSL certificate and renew it

2016-09-06 15:48:00
hainuo
Summary: use the PHP toolkit acmephp to generate an SSL certificate for free and set up automatic renewal
I never really knew how to handle certificates, so I always generated them through WoSign. Now that WoSign's CA root certificate looks likely to be dropped, what should we do? letsencrypt.org offers a new solution. This post mainly covers how the PHP tool acmephp creates a certificate and renews it.

#0x01 Download acmephp and check its version

```shell
$ cd
$ php -r "copy('https://github.com/acmephp/acmephp/releases/download/1.0.0-alpha10/acmephp.phar', 'acmephp.phar');"
$ php -r "copy('https://github.com/acmephp/acmephp/releases/download/1.0.0-alpha10/acmephp.phar.pubkey', 'acmephp.phar.pubkey');"
$ php acmephp.phar --version
```

Run the commands in order to get the latest acmephp release shown above. Note that the pubkey file must be downloaded as well; otherwise the program will not run properly.

#0x02 Register with ACME / Let's Encrypt

```shell
$ php acmephp.phar register you@your.domain
```

If the output contains `successfully`, the registration worked!

```shell
$ php acmephp.phar register xx@hainuo.info
Configuration file /root/.acmephp/acmephp.conf did not exist and has been created.
No account key pair was found, generating one...
Loading account key pair...
Registering on the ACME server...
Account registered successfully!
```

#0x03 Prove control of your domain

```shell
$ php acmephp.phar authorize yourdomain.org
```

You will then get a response like this:

```shell
$ php acmephp.phar authorize yourdomain.org
Loading account key pair...
Requesting an authorization token for domain yourdomain.org ...
The authorization token was successfully fetched!

Now, to prove you own the domain yourdomain.org and request certificates for this domain, follow these steps:

 1. Create a text file accessible on URL http://yourdomain.org/.well-known/acme-challenge/_JjHUwHENJPJ4hZm_RKsmi6iMT3j7g-Rffmn6W7Qeso
    containing the following content:

    _JjHUwHENJPJ4hZm_rKsmi6iMT3j7g-Rffmn6W7Qeso.l6D28Ia-ozjSKpMB2wQbpdJ-pQQ9Mg0oN5PUHXXh5uc

 2. Check in your browser that the URL http://yourdomain.org/.well-known/acme-challenge/_JjHUwHENJPJ4hZm_RKsmi6iMT3j7g-Rffmn6W7Qeso returns the authorization token above.

 3. Call the check command to ask the server to check your URL:

    php acmephp.phar check yourdomain.org
```

Step 1 asks us to create a file at the path `.well-known/acme-challenge/_JjHUwHENJPJ4hZm_rKsmi6iMT3j7g-Rffmn6W7Qeso`, relative to the site root, so that it can be reached through the URL shown.

#0x04 Check the URL

```shell
$ php acmephp.phar check yourdomain.org
Loading account key pair...
Loading the authorization token for domain yourdomain.org ...
Requesting authorization check for domain yourdomain.org ...
The authorization check was successful!

You are now the proved owner of the domain yourdomain.org.
Please note that you won't need to prove it anymore as long as you keep the same account key pair.

You can now request a certificate for your domain:

    php acmephp.phar request yourdomain.org
```

#0x05 Obtain the certificate

```shell
$ php acmephp.phar request yourdomain.org
Loading account key pair...
There is currently no certificate for domain yourdomain.org in the Acme PHP storage. As it is the
first time you request a certificate for this domain, some configuration is required.

Generating domain key pair...

Some informations about you or your company are required for the certificate:

What is your country two-letters code (field "C" of the distinguished name, for instance: "US")? : CN
What is your country province (field "ST" of the distinguished name, for instance: "California")? : shandong
What is your locality (field "L" of the distinguished name, for instance: "Mountain View")? : zibo
What is your organization/company (field "O" of the distinguished name, for instance: "Acme PHP")? : hainuo.info
What is your unit/department in your organization (field "OU" of the distinguished name, for instance: "Sales")? : IT
What is your e-mail address (field "E" of the distinguished name)? : admin@hainuo.info

Distinguished name informations have been stored locally for this domain (they won't be asked on renewal).
Requesting first certificate for domain yourdomain.org ...
Running post-generate actions...
The SSL certificate was fetched successfully!

This certificate is valid from now to 2016-12-05T07:51:00+0000%.

5 files were created in the Acme PHP storage directory:

 * /root/.acmephp/master/private/yourdomain.org/private.pem contains your domain private key (required in many cases).
 * /root/.acmephp/master/certs/yourdomain.org/cert.pem contains only your certificate, without the issuer certificate. It may be useful in certains cases but you will probably not need it (use fullchain.pem instead).
 * /root/.acmephp/master/certs/yourdomain.org/chain.pem contains the issuer certificate chain (its certificate, the certificate of its issuer, the certificate of the issuer of its issuer, etc.). Your certificate is not present in this file.
 * /root/.acmephp/master/certs/yourdomain.org/fullchain.pem contains your certificate AND the issuer certificate chain. You most likely will use this file in your webserver.
 * /root/.acmephp/master/certs/yourdomain.org/combined.pem contains the fullchain AND your domain private key (some webservers expect this format such as haproxy).

Read the documentation at https://acmephp.github.io/documentation/ to learn more about how to
configure your web server and set up automatic renewal.

To renew your certificate manually, simply re-run this command.
```

#0x06 Renew the certificate

Just like that, the certificate has been obtained. All that remains is the last step: put the certificate renewal into a scheduled task.

```cron
# Every day at 00:00: re-run the request (renewal), then reload nginx if it succeeded
0 0 * * * php /home/youruser/acmephp.phar request yourdomain.org > /var/log/acmephp.log && service nginx reload
```
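
The manual part of #0x03 (create the challenge file, then confirm the URL serves it) can be scripted so that a mistyped token or content string is caught before `check` is called. This is an added example, not part of the original post or of acmephp; the function names and the `/var/www/html` webroot are assumptions, and `challenge_served` needs `curl`.

```shell
#!/bin/sh
# Added example: helper names and sample values are assumptions, not acmephp code.

# place_challenge WEBROOT TOKEN CONTENT
# Writes CONTENT to WEBROOT/.well-known/acme-challenge/TOKEN and prints the path.
place_challenge() {
    pc_root=$1 pc_token=$2 pc_content=$3

    # Tokens are base64url; refusing anything else keeps "/" and ".." out of the path.
    case $pc_token in
        ''|*[!A-Za-z0-9_-]*) echo "refusing token: not base64url" >&2; return 1 ;;
    esac

    # The file content is "<token>.<account key thumbprint>", so it must start
    # with the same token that names the file (a copy/paste slip fails here).
    case $pc_content in
        "$pc_token".?*) ;;
        *) echo "content does not start with the token" >&2; return 1 ;;
    esac

    pc_dir=$pc_root/.well-known/acme-challenge
    mkdir -p "$pc_dir" || return 1
    # No trailing newline: serve exactly the string acmephp printed.
    printf '%s' "$pc_content" > "$pc_dir/$pc_token" || return 1
    chmod 644 "$pc_dir/$pc_token" || return 1   # must be readable by the web server
    printf '%s\n' "$pc_dir/$pc_token"
}

# challenge_served URL CONTENT
# Step 2 without a browser: succeeds only if URL returns exactly CONTENT.
challenge_served() {
    cs_body=$(curl -fsS --max-time 10 "$1") || return 1
    [ "$cs_body" = "$2" ]
}

# Usage (constructed values; /var/www/html is an assumed webroot):
#   place_challenge /var/www/html "$TOKEN" "$TOKEN.$THUMBPRINT" &&
#   challenge_served "http://yourdomain.org/.well-known/acme-challenge/$TOKEN" "$TOKEN.$THUMBPRINT" &&
#   php acmephp.phar check yourdomain.org
```

Once `check` has succeeded the challenge file is no longer needed and can be deleted from the webroot.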