组成部分

prepare

  • point the DNS record of the name you want a Let's Encrypt certificate for at the IP address of the server where you run this script

SSL

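#!/bin/bash
# filepath: /root/ssl/a.sh
#
# Request a Let's Encrypt certificate for one domain with acme-tiny and mail
# the result.  All artefacts live in WORKDIR; the HTTP-01 challenge files are
# written to CHALLENGE_DIR, which something listening on port 80 must serve as
# http://<domain>/.well-known/acme-challenge/ (see the "http 80" notes below).
#
# Environment:
#   DOMAIN     - name to request (default: portus.ops.ac.cn)
#   SMTP_PASS  - password for the sendemail SMTP account (required)
set -euo pipefail

readonly WORKDIR=/root/ssl
readonly CHALLENGE_DIR=/root/www/challenges
readonly DOMAIN="${DOMAIN:-portus.ops.ac.cn}"
readonly ACME_TINY_URL=https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

die() { printf '%s\n' "$*" >&2; exit 1; }

# 创建一个目录 (idempotent: the old plain `mkdir` failed on every re-run and,
# because its `exit` sat inside a subshell, the script carried on regardless).
mkdir -p "$WORKDIR" && echo "创建临时目录成功!" || die "创建临时目录失败"
cd "$WORKDIR" || die "cannot cd to $WORKDIR"

# 清场: drop the artefacts of the previous run.  Done only after the cd so a
# script started from another directory cannot wipe that directory, and
# without parsing ls.  The same names are kept as before: the script itself,
# the mailer and any existing bundle.  Only regular files are removed.
for f in *; do
  case "$f" in
    *a.sh*|*sendemail*|*tar.gz*) continue ;;
  esac
  if [[ -f "$f" ]]; then
    rm -f -- "$f"
  fi
done

command -v openssl >/dev/null || { echo "没有找到openssl,开始安装"; yum install -y openssl; }

# 创建RSA私钥 (ACME account key).  Keys are written under umask 077 so they
# are not world-readable; the default umask gave 0644 (see the ls output in
# the log below).
( umask 077 && openssl genrsa 4096 > account.key ) \
  && echo "创建RSA私钥成功!" || die "创建RSA私钥失败!"

# 创建ECC私钥 (domain key).  The original wrote an RSA key and then a P-256
# key to domain.key and overwrote both with this P-384 key, so only this one
# ever reached the CSR.
( umask 077 && openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key ) \
  && echo "创建ECC私钥成功!" || die "创建ECC私钥失败!"

#生成CSR文件,有两种方式,我用的是第二种,但是第一种可以一次多申请几个,可以稍后测试
# In how many days should certificates expire?
# NOTE: none of the commands in this script read the KEY_* variables; they
# are exported unchanged for anything that sources this file.
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SD"
export KEY_CITY="JN"
export KEY_ORG="IIOT"
export KEY_EMAIL="zzlyzq@gmail.com"
export KEY_OU="CloudPlatform"

# SAN variant (several names in one CSR), kept for reference:
#openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
#openssl req -new -sha256 -key domain.key -out domain.csr
# The CN comes from $DOMAIN instead of being hard-coded here.
openssl req -new -sha256 -key domain.key -out domain.csr -subj "/CN=${DOMAIN}/" \
  || die "创建CSR失败!"

# 配置验证服务: Let's Encrypt issues DV certificates, so acme-tiny writes a
# random token into CHALLENGE_DIR and the CA fetches it over plain HTTP via
# public DNS; a match proves control of the name.
# The old `[ -d "~/www/challenges" ]` never matched because ~ does not expand
# inside quotes; mkdir -p makes the test unnecessary.
mkdir -p "$CHALLENGE_DIR/.well-known"
# acme-challenge -> challenges, so /.well-known/acme-challenge/<token> resolves
# to the token file acme-tiny writes.  -n replaces an existing link instead of
# creating a second link inside it on re-runs (the "File exists" in the log).
ln -sfn "$CHALLENGE_DIR" "$CHALLENGE_DIR/.well-known/acme-challenge"

# 接下来我们就要下载python脚本,并去申请证书了
# Supply-chain note: this fetches the unpinned master branch and then runs it
# as root.  Pin a tagged release and compare the download against a known
# digest before running it, e.g.
#   echo "<EXPECTED_SHA256>  acme_tiny.py" | sha256sum -c -
wget -O acme_tiny.py "$ACME_TINY_URL" || die "下载acme_tiny.py失败"

# 在执行下面之前,我们可以打开网站,最简单的就是使用python
# make a http port that the letsencrypt server can access the file
# nohup cd ~/www/challenges/ ; python -m SimpleHTTPServer 80&
# acme-tiny prints the signed certificate on stdout; without these checks an
# empty signed.crt was chained, packed and mailed as if it were valid.
python acme_tiny.py --account-key ./account.key --csr ./domain.csr \
  --acme-dir "$CHALLENGE_DIR" > ./signed.crt || die "申请证书失败"
[[ -s signed.crt ]] || die "signed.crt is empty"

# 如果一切正常,我们会看到signed.crt这个就是我们的证书了。

# 另外,我们还需要letsencrypt的中间证书: the intermediate is what issued
# signed.crt and must be served together with it.
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem \
  || die "下载中间证书失败"
cat signed.crt intermediate.pem > chained.pem
wget -O root.pem https://letsencrypt.org/certs/isrgrootx1.pem || die "下载根证书失败"
# CA certificates only (no leaf), as in the original.
cat intermediate.pem root.pem > full_chained.pem

# The intermediate URL is fixed here, so confirm it really is the issuer of
# the new certificate before shipping the bundle.  Older OpenSSL releases
# exit 0 from `verify` even on failure, so also read its output.
openssl verify -untrusted intermediate.pem signed.crt || die "证书链校验失败"

# 打包发送.  The bundle contains the private key, so it travels wherever this
# mail goes.  The SMTP password is taken from the environment instead of being
# written into the script; it is still passed on sendemail's command line, so
# it is visible in `ps` while the mailer runs.
tar czvf crt.tar.gz chained.pem domain.key
./sendemail -f myalter@vip.126.com -t wangyg@iiot.ac.cn -s smtp.vip.126.com \
  -u "证书快递${DOMAIN}" -xu myalter -xp "${SMTP_PASS:?SMTP_PASS must be set}" \
  -m "证书For域名:${DOMAIN}生成成功" -a crt.tar.gz -o message-charset=utf-8 \
  || die "发送邮件失败"

# result
# filename domain.key is the key file for your sslconfig
# filename chained.pem is the crt file for your sslconfig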

http 80

目录 /root/www/challenges
运行 python -m SimpleHTTPServer 80

ngrok

目录: /root/linux_64

./ngrok -config=ngrok.cfg -subdomain portus 80

ssl config for apache2 ubuntu 12.10

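# Enable mod_socache_shmcb and mod_ssl by hand.  The Debian/Ubuntu apache2.conf
# includes only mods-enabled/*.load and mods-enabled/*.conf, so the LoadModule
# line for mod_ssl has to live in a file named ssl.load; the original wrote it
# to a file named mod_ssl.so, which that include glob never reads, so the ssl
# module was not loaded.  `a2enmod socache_shmcb ssl` does the same on those
# distributions and also enables the packaged ssl.conf.
set -e
echo 'LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so' > /etc/apache2/mods-available/socache_shmcb.load
echo 'LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so' > /etc/apache2/mods-available/ssl.load

# -sfn replaces an existing link on re-runs instead of failing.
ln -sfn /etc/apache2/mods-available/socache_shmcb.load /etc/apache2/mods-enabled/socache_shmcb.load
ln -sfn /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load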
  • config file
# TLS vhost for book.opschina.org.  With the script above, `crt` is chained.pem
# (leaf + intermediate) and `key` is domain.key; the key file should be
# readable by the Apache user only.
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/sites-enabled/ssl.book.opschina.org/crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ssl.book.opschina.org/key
ServerName book.opschina.org
DocumentRoot /www/webapps/book.opschina.org/
ErrorLog /var/log/apache2/book.opschina.org-error.log
CustomLog /var/log/apache2/book.opschina.org-access.log combined
<Location />
    # Basic auth is commented out, so the site is served unauthenticated.
    #AuthType Basic
    #AuthName "WikiLogin"
    #AuthUserFile "/www/webapps/book.opschina.org/.user"
    #Require valid-user
    # NOTE(review): AllowOverride is documented for <Directory> contexts only;
    # check `apachectl configtest` accepts it here.
    AllowOverride All
    # Apache 2.2 style access control (Order/Allow).
    Order Deny,Allow
    Allow from All
</Location>
<Directory "/www/webapps/book.opschina.org">
    # Indexes exposes directory listings for any path without an index file;
    # FollowSymLinks lets links under the docroot point outside it.
    Options Indexes FollowSymLinks MultiViews IncludesNoExec
    AllowOverride All
    # Mixes 2.2 (Order/Allow) and 2.4 (Require all granted) access control.
    # Which one applies depends on the installed version and on
    # mod_access_compat; the heading says Ubuntu 12.10, so confirm the
    # directives the running httpd actually honours.
    Order Deny,Allow
    Allow from All
    Require all granted
</Directory>
</VirtualHost>

香港ngrok服务器

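#!/bin/bash
# Start the ngrok server (ngrokd) for the ops.ac.cn tunnel domain.
# The key/cert paths are relative to the install dir, so the cd must succeed
# before ngrokd runs; without the check the original fell through and started
# ngrokd from whatever the current directory was.
set -eu
cd /usr/local/ngrok/ || { echo "cannot cd to /usr/local/ngrok" >&2; exit 1; }
# snakeoil.* is presumably a placeholder self-signed pair; clients that verify
# the server certificate need the matching cert, and it should be replaced by
# a certificate issued for the tunnel domain.  exec replaces the shell so
# signals reach ngrokd directly.
exec ./bin/ngrokd -tlsKey="assets/server/tls/snakeoil.key" \
  -tlsCrt="assets/server/tls/snakeoil.crt" -domain="ops.ac.cn"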

日志

[root@t1 ssl]# ./a.sh 
/usr/bin/openssl
mkdir: cannot create directory `/root/ssl': File exists
创建临时目录失败
Generating RSA private key, 4096 bit long modulus
.....................................................................................................................................................................................................++
.........................................................++
e is 65537 (0x10001)
创建RSA私钥成功!
Generating RSA private key, 4096 bit long modulus
..................................................................................++
.............................++
e is 65537 (0x10001)
创建另外一个私钥成功!
read EC key
using curve name prime256v1 instead of secp256r1
writing EC key
创建ECC私钥成功!
read EC key
writing EC key
创建ECC私钥成功!
ln: creating symbolic link `/root/www/challenges/.well-known/acme-challenge/challenges': File exists
--2016-11-28 16:29:32--  https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
Resolving raw.githubusercontent.com... 151.101.100.133
Connecting to raw.githubusercontent.com|151.101.100.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9151 (8.9K) [text/plain]
Saving to: “acme_tiny.py”

100%[=====================================================================================================>] 9,151       --.-K/s   in 0s      

2016-11-28 16:29:33 (115 MB/s) - “acme_tiny.py” saved [9151/9151]

Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying reg.ops.ac.cn...
reg.ops.ac.cn verified!
Signing certificate...
Certificate signed!
--2016-11-28 16:29:43--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Resolving letsencrypt.org... 23.41.90.11, 2600:1417:2d:199::2a1f, 2600:1417:2d:188::2a1f
Connecting to letsencrypt.org|23.41.90.11|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1647 (1.6K) [application/x-x509-ca-cert]
Saving to: “STDOUT”

100%[=====================================================================================================>] 1,647       --.-K/s   in 0s      

2016-11-28 16:29:44 (541 MB/s) - written to stdout [1647/1647]

--2016-11-28 16:29:44--  https://letsencrypt.org/certs/isrgrootx1.pem
Resolving letsencrypt.org... 23.41.90.11, 2600:1417:2d:199::2a1f, 2600:1417:2d:188::2a1f
Connecting to letsencrypt.org|23.41.90.11|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1967 (1.9K) [application/x-x509-ca-cert]
Saving to: “STDOUT”

100%[=====================================================================================================>] 1,967       --.-K/s   in 0s      

2016-11-28 16:29:47 (603 MB/s) - written to stdout [1967/1967]

chained.pem
domain.key
Nov 28 16:29:47 localhost sendemail[3118]: Email was sent successfully!
[root@t1 ssl]# ^C
[root@t1 ssl]# ls
account.key   a.sh         crt.tar.gz  domain.key        intermediate.pem  sendemail
acme_tiny.py  chained.pem  domain.csr  full_chained.pem  root.pem          signed.crt
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ls -trln
total 132
-rwxr-xr-x. 1 0 0 79197 Nov 16 13:45 sendemail
-rwxr-xr-x. 1 0 0  3324 Nov 28 16:25 a.sh
-rw-r--r--. 1 0 0  3243 Nov 28 16:29 account.key
-rw-r--r--. 1 0 0   288 Nov 28 16:29 domain.key
-rw-r--r--. 1 0 0   448 Nov 28 16:29 domain.csr
-rw-r--r--. 1 0 0  9151 Nov 28 16:29 acme_tiny.py
-rw-r--r--. 1 0 0  1558 Nov 28 16:29 signed.crt
-rw-r--r--. 1 0 0  1647 Nov 28 16:29 intermediate.pem
-rw-r--r--. 1 0 0  3205 Nov 28 16:29 chained.pem
-rw-r--r--. 1 0 0  1967 Nov 28 16:29 root.pem
-rw-r--r--. 1 0 0  3614 Nov 28 16:29 full_chained.pem
-rw-r--r--. 1 0 0  2390 Nov 28 16:29 crt.tar.gz
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C
[root@t1 ssl]# ^C