|
@@ -11,7 +11,7 @@ The only prerequisites are python and openssl.
|
|
|
|
|
|
|
|
**PLEASE READ THE SOURCE CODE! YOU MUST TRUST IT WITH YOUR PRIVATE KEYS!**
|
|
**PLEASE READ THE SOURCE CODE! YOU MUST TRUST IT WITH YOUR PRIVATE KEYS!**
|
|
|
|
|
|
|
|
-##Donate
|
|
|
|
|
|
|
+## Donate
|
|
|
|
|
|
|
|
If this script is useful to you, please donate to the EFF. I don't work there,
|
|
If this script is useful to you, please donate to the EFF. I don't work there,
|
|
|
but they do fantastic work.
|
|
but they do fantastic work.
|
|
@@ -67,15 +67,15 @@ to it, even for renewals. You can use the same CSR for multiple renewals. NOTE:
|
|
|
you can't use your account private key as your domain private key!
|
|
you can't use your account private key as your domain private key!
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-#generate a domain private key (if you haven't already)
|
|
|
|
|
|
|
+# Generate a domain private key (if you haven't already)
|
|
|
openssl genrsa 4096 > domain.key
|
|
openssl genrsa 4096 > domain.key
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-#for a single domain
|
|
|
|
|
|
|
+# For a single domain
|
|
|
openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr
|
|
openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr
|
|
|
|
|
|
|
|
-#for multiple domains (use this one if you want both www.yoursite.com and yoursite.com)
|
|
|
|
|
|
|
+# For multiple domains (use this one if you want both www.yoursite.com and yoursite.com)
|
|
|
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
|
|
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
|
|
|
```
|
|
```
|
|
|
|
|
|
|
@@ -89,12 +89,12 @@ Encrypt will perform a plain HTTP request to port 80 on your server, so you
|
|
|
must serve the challenge files via HTTP (a redirect to HTTPS is fine too).
|
|
must serve the challenge files via HTTP (a redirect to HTTPS is fine too).
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-#make some challenge folder (modify to suit your needs)
|
|
|
|
|
|
|
+# Make some challenge folder (modify to suit your needs)
|
|
|
mkdir -p /var/www/challenges/
|
|
mkdir -p /var/www/challenges/
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
```nginx
|
|
```nginx
|
|
|
-#example for nginx
|
|
|
|
|
|
|
+# Example for nginx
|
|
|
server {
|
|
server {
|
|
|
listen 80;
|
|
listen 80;
|
|
|
server_name yoursite.com www.yoursite.com;
|
|
server_name yoursite.com www.yoursite.com;
|
|
@@ -115,7 +115,7 @@ script on your server with the permissions needed to write to the above folder
|
|
|
and read your private account key and CSR.
|
|
and read your private account key and CSR.
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-#run the script on your server
|
|
|
|
|
|
|
+# Run the script on your server
|
|
|
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
|
|
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
|
|
|
```
|
|
```
|
|
|
|
|
|
|
@@ -127,7 +127,7 @@ https settings in your web server's configuration. Here's an example on how to
|
|
|
configure an nginx server:
|
|
configure an nginx server:
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-#NOTE: For nginx, you need to append the Let's Encrypt intermediate cert to your cert
|
|
|
|
|
|
|
+# NOTE: For nginx, you need to append the Let's Encrypt intermediate cert to your cert
|
|
|
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
|
|
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
|
|
|
cat signed.crt intermediate.pem > chained.pem
|
|
cat signed.crt intermediate.pem > chained.pem
|
|
|
```
|
|
```
|
|
@@ -180,7 +180,7 @@ service nginx reload
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
-#example line in your crontab (runs once per month)
|
|
|
|
|
|
|
+# Example line in your crontab (runs once per month)
|
|
|
0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log
|
|
0 0 1 * * /path/to/renew_cert.sh 2>> /var/log/acme_tiny.log
|
|
|
```
|
|
```
|
|
|
|
|
|
Nicolas Ledez